How Threat Actors Turned OpenClaw Into a Scraping Botnet
Summary: OpenClaw is a fast-rising open-source AI agent project that attracted wide attention on GitHub while also creating serious security risks. Its default configuration and vulnerabilities have led to widespread abuse, turning it into a tool for malicious activity: researchers found large numbers of OpenClaw instances being used for data theft, website scraping, and automated attacks. The case shows that open-source AI tooling brings new security risks alongside its convenience.

Published 2026-3-4 14:50:57. Author: securityboulevard.com

In 72 hours, OpenClaw became one of the fastest-growing open-source projects in GitHub history—and one of the fastest security threats.

The AI agent, developed by Peter Steinberger, racked up over 60,000 GitHub stars in its first three days after launching in late January 2026. It promised something powerful: an autonomous AI server users could command remotely from any messaging app, capable of browsing the web, executing tasks, and interacting with APIs on their behalf.

The hype was immediate. But so were the security concerns.

Security researchers quickly flagged that a large number of OpenClaw instances were deployed with default configurations and no authentication, leaving them wide open on the internet. A security audit identified over 500 vulnerabilities, including critical remote code execution flaws. Hundreds of malicious “skills” (OpenClaw extensions) were also flooding ClawHub, the project’s plugin marketplace.

The result: threat actors began hijacking these exposed servers, turning them into nodes of an emerging botnet. Compromised OpenClaw instances are being used to steal personal data, scrape websites at scale, and launch automated attacks—all while hiding behind what looks like legitimate AI agent traffic.

DataDome’s Galileo threat research team investigated. Here is what we found.

Detection & insights

Using internet-scanning platforms, we identified OpenClaw instances that share a distinctive fingerprint. We then cross-referenced this data against traffic across our customer base.

Global distribution

OpenClaw-based botnet activity is globally distributed. The highest concentration of compromised instances originates from South and Southeast Asia, with significant clusters in North America (the United States) and Europe. Smaller pockets of activity appear in South America, Africa, East Asia, and Oceania.

[Figure: Global distribution of OpenClaw-based botnet activity]

Infrastructure

These servers are overwhelmingly hosted on budget cloud providers, with DigitalOcean being the most common. This is consistent with the low barrier to entry that OpenClaw offers: spinning up an instance is cheap and fast, which also makes it attractive for adversaries looking for disposable infrastructure.

Targeted industries

The most impacted verticals are travel and retail/reseller platforms. These industries are frequent targets for scraping operations due to the high value of pricing, inventory, and availability data.

Adversary intent

The dominant intent behind OpenClaw botnet traffic is web scraping: harvesting product listings, pricing data, and search results at scale. We also observed a notable share of account takeover (ATO) attempts and payment-related fraud, indicating that some threat actors are leveraging these compromised agents for more aggressive operations beyond data collection.

Adversary profile

The traffic patterns from automated browsers launched from OpenClaw instances closely resemble conventional bot activity.

From a network perspective, a significant portion of these IP addresses are documented in threat intelligence databases, while others route traffic through residential or ISP proxy services. Geolocation analysis reveals substantial inconsistencies across the majority of requests, further suggesting automated origins.

Server-side fingerprinting shows that most traffic displays anomalous characteristics in both HTTP headers and TLS signatures, suggesting rudimentary scraping attempts. About 50% of all requests are dedicated to vulnerability scanning activities.

Fewer than 25% of requests present clean server-side profiles, and even those are undermined by improbable or contradictory client-side browser and device fingerprints when cross-referenced with other telemetry signals. Only 10% of sessions attempt to solve JavaScript challenges.

Behavioral analysis further corroborates these findings: request sequences deviate substantially from typical human browsing patterns, and sessions with initially clean fingerprints invariably display impossible state transitions as they progress, revealing their automated nature.
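As an added illustration (not DataDome's code or detection engine), the following Python scorer applies the signals described in this section (IP reputation and proxy exits, geolocation inconsistency within a session, anomalous headers, unsolved JavaScript challenges, and impossible state transitions) to a constructed request log. The IP lists, log format, and page-flow model are assumptions made for the example.

```python
from collections import defaultdict
# Constructed reputation data standing in for the threat-intel and proxy feeds named above.
THREAT_INTEL_IPS = {"203.0.113.7"}
PROXY_IPS = {"198.51.100.9"}
# Constructed model of a plausible human flow: each page lists the pages allowed to precede it
# (None = session start). Checkout reached straight from a search page is an impossible transition.
ALLOWED_PREV = {
    "home": {None, "home", "search", "product", "cart"},
    "search": {None, "home", "search", "product"},
    "product": {None, "home", "search", "product", "cart"},
    "cart": {"product", "cart"},
    "checkout": {"cart"},
}

def parse_sessions(log_lines):
    """Group constructed 'sid|ip|country|page|ua|accept_language|js_solved' lines by session id."""
    sessions = defaultdict(list)
    for line in log_lines:
        sid, ip, country, page, ua, lang, js = line.strip().split("|")
        sessions[sid].append({"ip": ip, "country": country, "page": page,
                              "ua": ua, "lang": lang, "js": js == "1"})
    return sessions

def score_session(events):
    """Return the signals that fired for one session; an empty list means it looks human."""
    ips = {e["ip"] for e in events}
    checks = [
        (ips & THREAT_INTEL_IPS, "ip_in_threat_intel"),
        (ips & PROXY_IPS, "proxy_exit"),
        (len({e["country"] for e in events}) > 1, "geo_inconsistent"),  # one session, two countries
        (any(e["ua"].startswith("Mozilla/") and not e["lang"] for e in events), "header_anomaly"),
        (not any(e["js"] for e in events), "js_challenge_not_solved"),
    ]
    reasons = [label for cond, label in checks if cond]
    prev = None
    for e in events:  # behavioral check: the page sequence must follow the allowed transitions
        if prev not in ALLOWED_PREV.get(e["page"], set()):
            reasons.append(f"impossible_transition:{prev}->{e['page']}")
            break
        prev = e["page"]
    return reasons
# Constructed sample log: s1 behaves like a human, s2 like a hijacked agent.
SAMPLE_LOG = [
    "s1|192.0.2.10|FR|home|Mozilla/5.0|fr-FR|1",
    "s1|192.0.2.10|FR|search|Mozilla/5.0|fr-FR|1",
    "s2|203.0.113.7|SG|search|Mozilla/5.0||0",
    "s2|198.51.100.9|US|checkout|Mozilla/5.0||0",
]
def flagged_sessions(log_lines=SAMPLE_LOG):
    """Map each session id to its fired signals, keeping only sessions with at least one."""
    return {sid: r for sid, ev in parse_sessions(log_lines).items() if (r := score_session(ev))}
```

In production the same session-level scoring would be fed by real reputation feeds and a flow model learned from legitimate traffic, rather than the hard-coded stand-ins used here.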

Detecting OpenClaw traffic

DataDome detects and blocks fraudulent OpenClaw-based botnet traffic. Our multi-layered detection engine assesses both identity and intent—combining behavioral analysis, device fingerprinting, and IP reputation—to identify these requests regardless of whether the underlying infrastructure rotates, which is common with cloud-hosted botnets.

AI agents present opportunities and risks

OpenClaw illustrates a growing pattern: as AI agent frameworks become more accessible, they also become new vectors for abuse. The ease of deploying an OpenClaw instance, combined with widespread misconfiguration, has created a pool of compromised servers that threat actors can recruit into botnets with minimal effort.

For organizations in travel, e-commerce, and retail, this is a reminder that bot traffic is evolving. Automated threats no longer come only from traditional scraping frameworks or headless browsers—they increasingly originate from hijacked AI agents that blend in with legitimate traffic patterns.

DataDome continues to monitor OpenClaw-related activity and adapt our detection models as this threat evolves. Run DataDome’s free Vulnerability Scan to ensure your site is properly protected against malicious AI agents and bad bots today. 

Authors: Brandon Foubert, Sarah Belghiti 

Contributors: Kevin Mignot, Guenaelle De Julis

Article source: https://securityboulevard.com/2026/03/how-threat-actors-turned-openclaw-into-a-scraping-botnet/