Clawdbot Drama: Forced Rebranding, Cryptocurrency Scam, and 24-Hour Collapse

In just a few minutes, the market capitalization of the CLAWD token unrelated to this project skyrocketed to $16 million, only to crash shortly afterward.

Article by: Jose Antonio Lanz

Translation: Chopper, Foresight News

TL;DR

• A trademark dispute triggered chaos involving the popular AI application Clawdbot, including a name change and account theft;
• In just a few minutes, the market cap of the unrelated CLAWD token surged to $16 million before collapsing;
• Security researchers found multiple instances of Clawdbot exposed, with associated account credentials at risk of leakage.

A few days ago, Clawdbot was one of the hottest open-source projects on GitHub, earning over 80,000 stars. This technically impressive tool allows users to run AI assistants locally via instant messaging apps like WhatsApp, Telegram, and Discord, with full system access.

Now, the project has not only been forced to rename due to legal issues but has also been targeted by cryptocurrency scammers; a fake token bearing its name briefly soared to a market cap of $16 million before crashing. The project has also faced criticism after researchers discovered exposed gateways and easily accessible account credentials.

The trigger for this crisis was a trademark infringement claim from AI company Anthropic against Clawdbot founder Peter Steinberger. Many of Clawdbot’s features are based on Anthropic’s Claude model, which the company argued is too similar to its own “Claude” name. Frankly, this claim aligns with trademark law.

However, this trademark dispute triggered a chain reaction of issues, ultimately spiraling out of control.

Peter Steinberger tweeted, “Are there GitHub staff on my Twitter followers? Can someone help me recover my GitHub account? It was stolen by cryptocurrency scammers.”

He announced on Twitter that he renamed Clawdbot to Moltbot. Community members were very understanding about the name change, and the official project account even posted: “The lobster core remains, just with a new shell.”

Soon after, Steinberger initiated the renaming of his GitHub and Twitter accounts. But during the brief window between abandoning the old account name and registering the new one, scammers seized the opportunity to steal both accounts.

The hijacked accounts immediately began promoting a fake CLAWD token issued on Solana. Within hours, speculators pushed the token’s market cap above $16 million.

Some early investors claimed to have made substantial profits, while Steinberger publicly denied any association with the token. Shortly afterward, the token’s value collapsed, leaving late investors with heavy losses.

Peter Steinberger tweeted, “Everyone in crypto: stop messaging me, stop harassing me. I will never issue a token in my life. Any project claiming I am issuing tokens is a scam. I will not charge any fees. Your actions are seriously damaging the development of this project.”

His firm stance angered some in the crypto community. Some speculators believed his public denial caused them to suffer losses, leading to a series of harassment campaigns. Steinberger was accused of “betrayal,” told to “take responsibility,” and even pressured to endorse projects he had never heard of.

Eventually, Steinberger managed to recover his stolen accounts. But at the same time, security researchers uncovered a serious issue: hundreds of Clawdbot instances were running without any authentication protections, directly exposed to the public internet. This means that the unmonitored permissions granted to the AI could be easily exploited by malicious actors.

According to Decrypt, AI developer Luis Catacora discovered through Shodan scans that most of these issues stemmed from novice users granting excessive permissions to the AI assistant. He wrote, “I just checked Shodan and found many gateways exposing port 18789 without any authentication. This means anyone can access the server shell, automate browser actions, or even steal your API keys. Cloudflare Tunnel is free, and these problems shouldn’t exist.”

Jamieson O’Reilly, founder of the red-teaming firm Dvuln, also found that identifying vulnerable servers was very easy. In an interview with The Register, he said, “I manually checked several instances, and eight of them had no authentication at all, directly exposed. Dozens more had some protections but still left exposure risks.”

What is the core of this technical vulnerability? Clawdbot’s authentication system automatically trusts connection requests from the local host, meaning the user’s own device. Most users run the software behind a reverse proxy, which causes all external requests to appear as coming from the local loopback address 127.0.0.1 and be automatically authorized—even if the requests originate from outside the network.

Blockchain security firm SlowMist confirmed the existence of this vulnerability and issued a warning: the project contains multiple code flaws that could lead to credential theft or remote code execution by malicious actors. Researchers also demonstrated various prompt injection attack methods, including one via email, which in just minutes tricked the AI instance into forwarding the user’s private information to attackers.

“This is the consequence of rapid expansion without security audits after the project went viral,” said Abdulmuiz Adeyemo, developer of the startup incubator platform FounderOS. “The ‘open development’ model hides a dark side that no one wants to mention.”

For AI enthusiasts and developers, good news is that the project has not been abandoned. Moltbot is essentially the same software as the previous Clawdbot, with high-quality code. Despite its popularity, the tool is not user-friendly for beginners and does not lead to widespread misoperation. Its practical applications do exist, but it is not yet ready for mainstream promotion, and security issues remain unresolved.

Allowing an autonomous AI assistant to have server shell access, browser control, and credential management creates many attack surfaces—many of which traditional security systems have not considered. The features of such systems—local deployment, persistent memory, active task execution—make their adoption far faster than the industry’s security adaptation.

Meanwhile, cryptocurrency scammers continue lurking in the shadows, waiting for the next opportunity to cause chaos.