Author：Foresightnews

Fraudsters exploited a brief lull in the trademark dispute to issue the Meme coin CLAWD, briefly inflating its market value to $16 million, turning this wildly popular artificial intelligence project into a cautionary tale.

Written by: Jose Antonio Lanz

Compiled by: Chopper, Foresight News

TL;DR:

• A trademark dispute has triggered a renaming crisis and account theft for the popular AI app Clawdbot.
• Within minutes, the market capitalization of CLAWD tokens, which were unrelated to the project, surged to $16 million before quickly collapsing.
• Security researchers have discovered that multiple Clawdbot instances are exposed to risk, and related account credentials are also at risk of being leaked.

Just a few days ago, Clawdbot was one of the most popular open-source projects on GitHub, garnering over 80,000 stars. This technically impressive tool allows users to run an AI assistant locally via instant messaging applications such as WhatsApp, Telegram, and Discord, with full system access.

Now, the project has not only been forced to change its name due to legal issues, but has also been targeted by cryptocurrency scammers; a fake token using its name briefly surged to $16 million in market value before plummeting, and the project has also been heavily criticized because researchers discovered that its gateway was exposed and account credentials could be easily obtained.

The crisis was sparked by an artificial intelligence company, Anthropic, filing a trademark infringement claim against Clawdbot founder Peter Steinberger. Many of Clawdbot's features are based on Anthropic's Claude model, and the company argued that "Clawd" was too similar to its own name, "Claude." To be fair, this claim is in accordance with trademark law.

However, this trademark dispute triggered a series of chain problems, ultimately causing the situation to spiral out of control.

Peter Steinberger tweeted, "Are there any GitHub staff members on my Twitter following list? Can you help me recover my GitHub account? It was hacked by cryptocurrency scammers."

Peter Steinberger announced on Twitter that Clawdbot would be renamed Moltbot. The community was very supportive of the name change, with the project's official account even posting, "The lobster core remains the same, just with a new shell."

Subsequently, Peter Steinberger simultaneously renamed his GitHub and Twitter accounts. However, in the brief moment between abandoning the old account names and registering the new ones, cryptocurrency scammers seized the opportunity to steal both accounts.

The stolen accounts then began aggressively promoting CLAWD, a fake token issued based on Solana. Within hours, speculative traders had driven the token's market value to over $16 million.

Some early investors claimed to have made a fortune, while Peter Steinberger publicly denied any connection to the token. Shortly afterward, the token's market value collapsed, leaving investors who bought at the peak with heavy losses.

Peter Steinberger tweeted, "Listen up, everyone in the crypto world: Stop messaging me, stop harassing me. I will never issue a token in my lifetime, and any project that lists me as a token issuer is a scam. I will not charge any fees, and your actions are seriously damaging this project."

Peter Steinberger's refusal has infuriated some in the cryptocurrency community. Some speculators believe that his public denial caused them losses and have launched a series of harassing attacks against him. Peter Steinberger has not only been accused of "betrayal" but also demanded to "take responsibility" and has even been subjected to joint pressure to endorse projects he has never heard of.

Ultimately, Peter Steinberger successfully recovered the stolen account. However, security researchers also discovered a serious problem: hundreds of Clawdbot instances were operating without any authentication protection, directly exposed to the public network. In other words, the unsupervised permissions granted to this AI by users were extremely vulnerable to exploitation by malicious actors.

According to Decrypt, AI developer Luis Catacora, after scanning the Shodan search engine, discovered that the root cause of these problems was that novice users granted the AI assistant excessive privileges. He wrote, "I just checked Shodan and found a large number of gateways on port 18789 exposed without any authentication. This means anyone can gain shell access to the server, automate browser operations, and even steal your API keys. Cloudflare Tunnel is free; these problems shouldn't exist."

Jamieson O’Reilly, founder of the red-teaming company Dvuln, also found that identifying vulnerable servers was extremely easy. In an interview with The Register, he stated, “I manually checked multiple running instances, eight of which were completely unauthenticated and open, and dozens more, while having some protection, hadn’t completely eliminated the risk of exposure.”

What is the root cause of this technical vulnerability? Clawdbot's authentication system automatically authenticates connection requests from the local host, i.e., connections from the user to their own device. Since most users run this software through a reverse proxy, all external connection requests are identified as originating from the local loopback address 127.0.0.1 and automatically authorized, even if these requests actually originate from the external network.

Blockchain security company SlowMist confirmed the existence of this vulnerability and issued a warning: the project has multiple code flaws that could lead to the theft of user credentials and even allow malicious actors to execute code remotely. Researchers also demonstrated various prompt injection attack methods, one of which, via email, tricked an AI instance into forwarding the user's private information to the attacker within minutes.

"This is the consequence of rapid expansion without conducting security audits after a project becomes popular," wrote Abdulmuiz Adeyemo, a developer at the startup incubator platform FounderOS. "Behind the 'open development' model lies a dark side that no one wants to talk about."

The good news for AI enthusiasts and developers is that this project hasn't been abandoned. Moltbot is essentially the same software as its predecessor, Clawdbot, with high-quality code. Despite its popularity, the tool isn't user-friendly for beginners, preventing widespread misoperation. Its real-world applications exist, but it's not yet ready for mainstream adoption, and security issues remain unresolved.

Granting an autonomous AI assistant server shell access, browser control, and credential management privileges creates numerous attack surfaces that traditional security systems have never considered. The characteristics of such systems—local deployment, persistent memory, and proactive task execution—have led to their widespread adoption far exceeding the adaptation speed of existing industry security systems.

Meanwhile, cryptocurrency scammers remain lurking in the shadows, waiting for the next opportunity to create chaos.