From Clawdbot to OpenClaw: Hype, Scams, and the Future of AI Agents

The open-source AI agent that gained 193K GitHub stars, got hijacked by crypto scammers, exposed 42,900 control panels, and landed its creator a job at OpenAI. The full story of Clawdbot, Moltbot, and OpenClaw.


✍️ Gianluca

From Clawdbot to OpenClaw: The AI Agent That Broke GitHub, Got Hijacked by Crypto Scammers, and Landed Its Creator at OpenAI

In January 2026, a single developer shipped an open-source AI assistant from his home office. Within 72 hours it had three different names, 60,000 GitHub stars, a fake crypto token worth $16 million, exposed control panels in 82 countries, and the attention of both Sam Altman and Mark Zuckerberg. This is the story of OpenClaw, and it reads like a case study on everything that can go right and wrong when autonomous AI meets the open internet.

The Numbers:

  • 193,000+ GitHub stars (21st most popular repo ever)
  • 3 names in 72 hours (Clawdbot → Moltbot → OpenClaw)
  • $16M fake crypto token market cap before 90% crash
  • 42,900 exposed control panels across 82 countries
  • 15,200 instances vulnerable to remote code execution
  • 6,600+ commits by one developer in a single month

The Man Behind the Lobster

Peter Steinberger, known online as @steipete, is an Austrian developer who previously co-founded PSPDFKit, a PDF framework company he bootstrapped in 2011. The company grew to power apps used by nearly a billion people before Insight Partners invested 100 million euros in 2021. Steinberger sold his shares, stepped down, and started building what would become the most talked-about open-source project of early 2026.

His approach was unconventional. He described his coding style as "vibe coding" and made over 6,600 commits in January 2026 alone. When asked about the project's rapid growth, he said: "From the commits, it might appear like it's a company. But it's not. This is one dude sitting at home having fun."

What Clawdbot Actually Was

Clawdbot was not another chatbot. It was an autonomous AI agent that could interact with real systems on your behalf. It connected to WhatsApp, Telegram, Signal, Discord, and Slack, and could execute actual tasks: sending and deleting emails, managing calendars, browsing the web, summarizing PDFs, writing code, and automating workflows across services.

The key difference from ChatGPT or Claude was that Clawdbot ran locally on your machine and had permission to act on your behalf. It was not just generating text. It was executing commands, accessing files, and interacting with APIs. This made it extraordinarily powerful and, as it turned out, extraordinarily dangerous.

Why It Went Viral:

  • A truly autonomous AI agent, not just a chatbot
  • Open-source and free, running on your own hardware
  • Real integration with messaging platforms and productivity tools
  • Support for multiple LLM backends (Claude, GPT, DeepSeek)
  • 9,000 GitHub stars in a single day after public launch on January 25, 2026

Three Names in 72 Hours

The naming saga began on January 24, when Steinberger appeared on the "Insecure Agents" podcast and confidently stated: "I looked it up. There's no trademark for this." He was wrong.

Three days later, on January 27, Anthropic sent a formal trademark notice. The name "Clawd" was too close to their AI product "Claude." When Steinberger asked if he could simply drop the 'd' and use "Clawbot," Anthropic said no.

The community rallied and pitched hundreds of alternative names. The winner was Moltbot, because "molting" is how lobsters grow, keeping the project's lobster mascot theme alive. But "Moltbot" lasted only about two days. It was hard to pronounce, did not stick in conversations, and by January 29 Steinberger had rebranded again to OpenClaw, the name it carries today.

| Date | Name | What Happened |
|---|---|---|
| Jan 25-26 | Clawdbot | Public launch. 9,000 stars in one day. |
| Jan 27 | Moltbot | Anthropic trademark notice. Forced rebrand. |
| Jan 29 | OpenClaw | Voluntary rebrand. Final name. |

The Crypto Scam That Hit in 10 Seconds

The triple rebrand created an opening that scammers exploited almost instantly. When Steinberger released the old @clawdbot Twitter/X handle during the Moltbot transition, a crypto scammer seized it within approximately 10 seconds. The hijacked account looked legitimate and immediately began promoting a fake $CLAWD token on Solana-based meme coin platforms.

The fraudulent token briefly reached a $16 million market capitalization before crashing approximately 90%, constituting a classic rug pull. The scam expanded to include wallet credential phishing, drainer attacks, fake airdrops, and fabricated investment opportunities, all trading on the confusion around the rapid name changes.

Steinberger's Public Statement:

Steinberger had to publicly clarify that he never created any cryptocurrency token, had no affiliation with $CLAWD, and that any project using the Clawdbot or Moltbot name for crypto purposes was a scam. He asked investors to stop contacting him and stated he was working with GitHub to recover affected accounts.

The Security Nightmare

As OpenClaw's popularity exploded, security researchers began probing the project, and the findings were alarming. The fundamental issue was that, unlike a chatbot that just generates text, OpenClaw could execute commands on your computer. When misconfigured, this turned personal devices into remotely accessible machines.

Security Findings (Multiple Research Teams):

  • 42,900 exposed OpenClaw control panels across 82 countries
  • 15,200 instances vulnerable to Remote Code Execution (RCE)
  • Default config binds to 0.0.0.0:18789 (all interfaces, not localhost)
  • ~1 in 5 available plugins contained malware
  • Infostealer malware targeting OpenClaw config files and tokens
  • APT groups (Kimsuky, APT28) found near exposed instances
  • 33.8% of exposed infrastructure correlated with threat actor activity

Prompt Injection: The AI-Specific Threat

Beyond traditional security holes, researchers demonstrated AI-specific attacks. Through indirect prompt injection, hidden commands embedded in emails, websites, or chat messages could manipulate OpenClaw into executing unintended actions.

In one proof-of-concept, researchers extracted a private SSH key by sending a specially crafted email to a linked inbox. In another, attackers created persistent scheduled tasks that survived restarts. The Dutch Data Protection Authority went so far as to issue formal warnings about OpenClaw's cybersecurity and privacy risks.

  • Exposed Panels

    The default configuration bound to all network interfaces instead of localhost. Users who did not change this setting unknowingly exposed their OpenClaw control panel to the entire internet, giving anyone access to an AI agent with permission to act on their computer.

  • Malicious Plugins

    Approximately one in five third-party plugins contained malicious code designed to steal login credentials and cryptocurrency wallet assets. The open plugin ecosystem, while powerful, became a distribution channel for malware.

  • State-Level Interest

    SecurityScorecard's STRIKE team found that APT groups including Kimsuky (North Korea) and APT28 (Russia) were operating near exposed OpenClaw instances. Over a third of exposed infrastructure showed correlation with known threat actor activity.
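A defender-side check for the exposed-panel issue described above, added here as an example and not taken from the article or the OpenClaw project: it parses `ss -ltnH` output and flags any listener on port 18789 that is not loopback-only. The sample lines are constructed, and the function names `classify_bind` and `audit` are hypothetical.

```python
import ipaddress

PANEL_PORT = 18789  # default control-panel port named in the article

# Constructed sample in `ss -ltnH` format (lines from several imaginary hosts,
# concatenated to cover each address form; not captured from a real system).
SAMPLE_SS = """\
LISTEN 0 511 0.0.0.0:18789 0.0.0.0:*
LISTEN 0 511 127.0.0.1:18789 0.0.0.0:*
LISTEN 0 128 [::]:18789 [::]:*
LISTEN 0 128 [::1]:18789 [::]:*
LISTEN 0 128 192.168.1.20:18789 0.0.0.0:*
LISTEN 0 128 *:18789 *:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
"""

def classify_bind(local: str) -> tuple[str, int]:
    """Split ss's 'addr:port' column and classify the bind address scope."""
    host, _, port = local.rpartition(":")
    # Drop an interface suffix (127.0.0.53%lo), then IPv6 brackets.
    host = host.split("%", 1)[0].strip("[]")
    if host in ("*", ""):                # ss prints '*' for a dual-stack wildcard
        return "all-interfaces", int(port)
    ip = ipaddress.ip_address(host)
    if ip.is_unspecified:                # 0.0.0.0 or ::
        return "all-interfaces", int(port)
    if ip.is_loopback:                   # 127.0.0.0/8 or ::1
        return "loopback", int(port)
    return "single-interface", int(port)

def audit(ss_output: str, port: int = PANEL_PORT) -> list[dict]:
    """Return one finding per listener on `port`; non-loopback means exposed."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        try:
            scope, lport = classify_bind(fields[3])
        except ValueError:               # non-numeric port or unparsable address
            continue
        if lport == port:
            findings.append({"local": fields[3], "scope": scope,
                             "exposed": scope != "loopback"})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_SS):
        print(("EXPOSED " if f["exposed"] else "ok      ") + f["local"], f["scope"])
```

A listener reported as `single-interface` is still reachable from that network, so only `loopback` is treated as not exposed; whether it is reachable from the internet also depends on firewalls and NAT, which this check does not see.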

From Chaos to OpenAI

Despite the turbulence, the project survived and kept growing. By mid-February 2026, OpenClaw had crossed 180,000 GitHub stars, making it the 21st most popular repository in GitHub's history, with over 2 million visitors in a single week.

On February 14, 2026, Steinberger announced that he would be joining OpenAI to lead work on "the next generation of personal agents." Sam Altman confirmed the hire the following day. Both Mark Zuckerberg and Altman had reportedly made concrete offers before Steinberger chose OpenAI. His reasoning was direct: "What I want is to change the world, not build a large company, and teaming up with OpenAI is the fastest way to bring this to everyone."

OpenClaw will continue as open-source software under a foundation supported by OpenAI. The project's evolution from a solo side project to a foundation-backed initiative happened in less than a month.

The European Angle:

Steinberger's move to OpenAI reignited the debate about Europe's tech ecosystem. Austrian media reported his comment: "In Europe, I get insulted." The headline from TrendingTopics.eu read: "Europe Left Peter Steinberger With no Choice but to go to the US." Another case of a European builder leaving for Silicon Valley because the opportunity gap was too wide to bridge.

Why This Story Matters

The OpenClaw saga is not just a dramatic tech story. It is a compressed preview of the challenges that autonomous AI agents will create at scale. Every issue that surfaced in three weeks will eventually affect every AI agent product on the market.

  • Security Cannot Be Optional

    When an AI agent can execute commands on real systems, the default configuration must be secure. Binding to all network interfaces out of the box is not a feature, it is a vulnerability. 42,900 exposed panels prove that most users will not change defaults.

  • Open Source Needs Governance

    The plugin ecosystem became a malware distribution channel. The naming chaos enabled impersonation and fraud. Open-source power without open-source governance creates attack surfaces that scale with adoption.

  • Hype Creates Opportunity for Fraud

    Scammers are faster than developers. Within seconds of a namespace being freed, it was captured and weaponized. The $16 million fake token shows how quickly bad actors can monetize confusion around a trending project.

  • Prompt Injection Is Not Solved

    When AI agents process untrusted input (emails, web pages, messages) and have the ability to execute actions, prompt injection becomes a critical vulnerability. This is not a theoretical risk. Researchers demonstrated real data exfiltration.

The Complete Timeline

| Date | Event |
|---|---|
| Nov 2025 | Clawdbot first published as a side project |
| Jan 24, 2026 | Steinberger says on podcast: "There's no trademark for this" |
| Jan 25-26 | Public launch. 9,000 GitHub stars in one day. |
| Jan 27 | Anthropic trademark notice. Renamed to Moltbot. Scammers seize @clawdbot handle. $CLAWD token hits $16M, crashes 90%. |
| Jan 28 | Moltbook (AI agent social network) launches, powered by OpenClaw. |
| Jan 29-30 | Renamed to OpenClaw. Third identity in 72 hours. |
| Early Feb | Security researchers disclose 42,900 exposed panels, prompt injection risks, malicious plugins. |
| Feb 14 | Steinberger announces joining OpenAI. OpenClaw moves to a foundation-backed governance model. |
| Mid-Feb | 193,000+ GitHub stars. 21st most popular repo ever. |

Conclusion

OpenClaw is a preview of what happens when autonomous AI agents escape the lab and meet the real world. The technology is genuinely impressive. An open-source agent that can manage your email, browse the web, and automate workflows is something people have wanted for decades. But the gap between "technically impressive" and "safe to use" is enormous.

Forty-two thousand exposed control panels. State-sponsored threat actors circling vulnerable instances. A fake crypto token that extracted millions from confused investors. One in five plugins shipping malware. These are not growing pains. These are warnings about what happens when we give AI agents real power over real systems without building the security infrastructure first.

The question is not whether AI agents like OpenClaw will become mainstream. They will. The question is whether we will learn from this compressed disaster and build the guardrails before the next wave arrives. Steinberger is now at OpenAI working on exactly that. Whether the rest of the industry follows fast enough is the story we are all watching.
