
Peter Steinberger's $300M Moltbot Empire Just Became a Crypto Honeypot
Everyone thinks agentic AI will democratize computing power. They're missing the obvious: when you give an AI "hands," you're also giving hackers hands.
Peter Steinberger's Moltbot (formerly Clawdbot) became one of GitHub's fastest-growing projects in early 2026. "Claude with hands," they called it. Control your computer through WhatsApp, Telegram, Discord. What could go wrong?
Everything.
The 9-Vulnerability Nightmare
Cisco's security team just torched the fantasy. Testing one innocent-looking skill called "What Would Elon Do?" revealed nine security findings—two critical, five high severity. The attack chain is elegant and terrifying:
- Malicious skill appears in registry ("Stock Market Analyzer" sounds legit)
- User installs, passes initial security audits
- Executes with full system privileges
- Silent curl commands exfiltrate everything
The harvest list reads like a hacker's Christmas wishlist: Anthropic API keys, OpenAI tokens, WhatsApp sessions, Telegram bots, Discord OAuth, Slack credentials, Signal identity keys. Basically, your entire digital life.
"Actually doing things means the agent can execute arbitrary commands on your computer" —Rahul Sood, highlighting the fundamental impossibility of safe agentic AI
Targets aren't random either. ByBit, Polymarket, Axiom—high-value crypto platforms where API access equals instant money.
The Elephant in the Room
Anthropic launched Claude Skills in December 2025 knowing this would happen.
They pushed "agentic workflows" and "task-specific capabilities" while the security implications were obvious to anyone who'd spent five minutes thinking about privilege escalation. When your AI can sudo rm -rf /, malicious instructions become weapons of mass digital destruction.
Steinberger himself exemplifies the chaos. The Clawdbot→Moltbot rename was so botched that crypto scammers seized his old GitHub username and launched fake projects in his name. If the creator can't secure his own identity, what hope do 300+ daily contributors have?
The Skills Registry Scam
Here's what makes this brilliant from an attacker's perspective:
1. Skill descriptions become model context—prompt injection triggers without explicit invocation
2. Supply chain attacks amplify—compromised dependencies get shell access
3. Plaintext memory storage—everything persists in easily readable formats
4. Integration token lateral movement—personal compromise becomes corporate breach
Snyk's proposed "Agent Guard" and MCP-Scan CLI are band-aids on a severed artery. The core architecture assumes trust where none should exist.
The $300M Question
With hundreds of contributors committing code daily, Moltbot represents a massive economic ecosystem. One malicious commit. One compromised maintainer account. Game over for everyone.
The security-utility trade-off is unsolvable: "Running Moltbot safely requires running it on a separate computer with throwaway accounts, which defeats the purpose of having a useful AI assistant."
Cisco developed dedicated Skill Scanner tools. The industry built detection frameworks. Everyone's treating symptoms while ignoring the disease.
Beyond the Honeypot
The "Localhost Fallacy" lets attackers bypass authentication through misconfigured proxy headers. Typosquatted domains (moltbot[.]you, clawbot[.]ai) deliver malicious payloads through routine updates. This isn't just one vulnerability—it's architectural rot.
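The proxy-header bypass described above, as an added example that is not Moltbot's code: a weak "is this request local?" check that believes a client-supplied X-Forwarded-For, beside a hardened version that grants the loopback exemption only on the socket peer address and uses forwarded headers, for logging only, when they arrive from a configured reverse proxy. Function names, lower-cased header keys and the trusted-proxy list are assumptions.

```python
import ipaddress
from typing import Mapping, Sequence


def is_loopback(ip: str) -> bool:
    """True only for a syntactically valid loopback address (127.0.0.0/8 or ::1)."""
    try:
        return ipaddress.ip_address(ip.strip()).is_loopback
    except ValueError:
        return False


def weak_requires_auth(peer_ip: str, headers: Mapping[str, str]) -> bool:
    """The fallacy: the first X-Forwarded-For entry decides whether the request
    is 'local' and therefore exempt from authentication. Any remote client can
    write that header itself, so the check is attacker-controlled."""
    forwarded = headers.get("x-forwarded-for")  # assumed: keys already lower-cased
    claimed_client = forwarded.split(",")[0] if forwarded else peer_ip
    return not is_loopback(claimed_client)


def hardened_requires_auth(peer_ip: str, headers: Mapping[str, str]) -> bool:
    """Fixed: only the TCP peer address can unlock the loopback exemption.
    A request relayed through a reverse proxy is remote by definition, whatever
    the forwarded address claims, so it always needs a credential."""
    return not is_loopback(peer_ip)  # headers deliberately ignored here


def effective_client_ip(peer_ip: str, headers: Mapping[str, str],
                        trusted_proxies: Sequence[str] = ()) -> str:
    """For logging and rate limiting only: honour X-Forwarded-For when the peer
    is a configured reverse proxy, and take the right-most hop, which is the
    entry that proxy appended itself rather than one the client supplied."""
    if peer_ip not in trusted_proxies:
        return peer_ip
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]
    return hops[-1] if hops else peer_ip


if __name__ == "__main__":
    # Constructed request: remote peer claiming to be localhost via the header.
    spoofed = {"x-forwarded-for": "127.0.0.1"}
    print("weak check lets it in:", not weak_requires_auth("203.0.113.9", spoofed))
    print("hardened check demands auth:", hardened_requires_auth("203.0.113.9", spoofed))
```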
Moltbot isn't broken. It's working exactly as designed.
When you architect an AI system around "do whatever the user wants with maximum privileges," you've built the perfect attack platform. The only surprise is that it took hackers this long to notice the honeypot.
Every enterprise integration, every API key, every saved session becomes part of the attack surface. We're not just talking about individual losses—we're talking about supply chain compromise at unprecedented scale.
The future of agentic AI depends on solving privilege management. Until then, Moltbot remains what it's always been: the most sophisticated malware delivery system ever created, disguised as productivity software.

