In brief
A trademark dispute sparked the chaotic rebrand and account hijacking of the viral AI app, Clawdbot.
In minutes, the unaffiliated CLAWD token surged to a $16 million market cap before collapsing.
Security researchers uncover exposed Clawdbot instances and credential risks.
A few days ago, Clawdbot was one of GitHub’s hottest open-source projects, boasting more than 80,000 stars. It’s an impressive piece of engineering that lets you run an AI assistant locally with full system access through messaging apps like WhatsApp, Telegram, and Discord.
Today, it’s been forced into a legal rebrand, overrun by crypto scammers, linked to a fake token that briefly hit a $16 million market cap before collapsing, and criticized by researchers who found exposed gateways and accessible credentials.
The reckoning started after Anthropic sent founder Peter Steinberger a trademark claim. The AI company—whose Claude models power many Clawdbot installations—decided that “Clawd” looked too much like “Claude.” Fair enough. Trademark law is trademark law.
That, however, triggered a variety of problems that soon cascaded.
Steinberger announced the rebrand from Clawdbot—the name was a play on lobsters, apparent (don’t ask)—to Moltbot on X. The community seemed fine with it. “Same lobster soul, new shell,” the project’s account wrote.
Next, Steinberger renamed the GitHub organization and the X account simultaneously. But in the short gap between releasing the old handles and securing the new ones, crypto scammers hijacked both accounts.
The hacked accounts immediately started pumping a fake token called CLAWD on Solana. Within hours, speculative traders drove the token to over $16 million in market capitalization.
Some early buyers claimed massive gains. Steinberger denied any involvement with the token. The capitalization collapsed and late buyers got wrecked.
“To all crypto folks: Please stop pinging me, stop harassing me,” Steinberger wrote. “I will never do a coin. Any project that lists me as coin owner is a SCAM. No, I will not accept fees. You are actively damaging the project.”
The crypto crowd didn’t take the rejection well. Some speculators believed Steinberger’s denial caused their losses and launched harassment campaigns. He faced accusations of betrayal, demands that he “take responsibility,” and coordinated pressure to endorse projects he’d never heard of.
Steinberger was ultimately able to gain control of the accounts. But in the meantime, security researchers decided this was a good time to point out that hundreds of Clawdbot instances were exposed to the public internet with zero authentication. In other words, users would give unsupervised permissions to the AI that could easily be exploited by bad guys.
As reported by Decrypt, AI developer Luis Catacora ran Shodan scans and found a lot of problems were caused basically by novice users giving the agent too many permissions. “I just checked Shodan and there are exposed gateways on port 18789 with zero auth,” he wrote. “That’s shell access, browser automation, your API keys. Cloudflare Tunnel is free, there’s no excuse.”
Jamieson O’Reilly, founder of red-teaming company Dvuln, also found it was very easy to identify vulnerable servers. “Of the instances I’ve examined manually, eight were open with no authentication at all,” O’Reilly told The Register. Dozens more had partial protections that didn’t fully eliminate exposure.
The technical problem? Clawdbot’s authentication system automatically approves localhost connections—that is, connections to your own machine. When users run the software behind a reverse proxy, which most do, all connections appear to come from 127.0.0.1 and get automatically authorized, even when they originate externally.
Blockchain security firm SlowMist confirmed the vulnerability and warned that multiple code flaws could lead to credential theft and remote code execution. Researchers have demonstrated different prompt injection attacks, including one via email that tricked an AI instance into forwarding private messages to an attacker. It took mere minutes.
“This is what happens when viral growth hits before security audit,” FounderOS developer Abdulmuiz Adeyemo wrote. “‘Build in public’ has a dark side nobody talks about.”
The good news for AI hobbyists and devs that the project itself hasn’t died. Moltbot is the same software Clawdbot was; the code is solid and, despite the hype, not especially noob-friendly. The use cases are real, but still not ready for mainstream adoption. And the security issues remain.
]]>
Running an autonomous AI agent with shell access, browser control, and credential management creates attack surfaces that traditional security models weren’t designed for. The economics of these systems—local deployment, persistent memory, and proactive tasks—drive adoption faster than the industry’s security posture can adapt.
And the crypto scammers are still out there, watching for the next chaos window. All it takes is one oversight, one mistake, or one gap. Ten seconds, as it turns out, is plenty.
Daily Debrief Newsletter
Start every day with the top news stories right now, plus original features, a podcast, videos and more.
