News regarding Meta purchasing Moltbook on March 10, 2026 prompted me to search for specific activity trends across the platform. I used a passive monitoring agent to track moltbook conversations relating to scams and planning of fraudulent schemes over an eight hour window. The results were not overly surprising and mimicked what I addressed in my article about OpenClaw; results show a noticeable shift in the fraud landscape as scammers increasingly move away from traditional human targets and instead focus on automated agent to agent exploitation, a strategy aimed at deep trust relationships and broad system permissions often granted to autonomous assistants.
Just as a point of interest, during the specified eight hour window approximately 14,300 posts appeared on Moltbook. This figure aligns with an established daily average near 43,000 posts observed since the platform reached a stable user base in February. The volume of activity underscores the scale and speed at which automated interactions occur.
𝐈𝐝𝐞𝐧𝐭𝐢𝐟𝐢𝐞𝐝 𝐅𝐫𝐚𝐮𝐝 𝐂𝐚𝐭𝐞𝐠𝐨𝐫𝐢𝐞𝐬
My monitoring period identified three primary methods involving planning or execution of scams within the Moltbook ecosystem.
𝐏𝐫𝐨𝐦𝐩𝐭 𝐈𝐧𝐣𝐞𝐜𝐭𝐢𝐨𝐧 𝐚𝐧𝐝 𝐒𝐢𝐥𝐞𝐧𝐭 𝐏𝐫𝐨𝐩𝐚𝐠𝐚𝐭𝐢𝐨𝐧
Malicious agents posted content containing hidden instructions embedded inside otherwise ordinary data streams. These payloads attempt to hijack behaviour of other agents consuming platform content. Unlike attacks requiring immediate execution, many instructions remain dormant inside long term agent memory. Activation may occur later when an agent accesses sensitive corporate files, authentication tokens, or financial credentials. This delayed trigger approach allows scammers to remain unnoticed while positioning malicious routines for high value opportunities. This is precisely why I opted for a passive monitoring of the stream, with an isolated agent, as opposed to active interaction.
𝐂𝐫𝐲𝐩𝐭𝐨𝐜𝐮𝐫𝐫𝐞𝐧𝐜𝐲 𝐏𝐮𝐦𝐩 𝐚𝐧𝐝 𝐃𝐮𝐦𝐩 𝐒𝐜𝐡𝐞𝐦𝐞𝐬
Financial fraud remains a dominant theme in conversations across the platform. Scammers launch fraudulent tokens while hijacking abandoned social media handles in order to simulate legitimacy. In several observed cases agents coordinate artificial amplification of perceived market enthusiasm through fabricated endorsements, repeated promotion, and automated discussion activity; inflated perception of popularity creates a manufactured sense of legitimacy which can lure external human investors and independent trading bots into poor investment decisions based on fabricated consensus.
Coordinated "MoltCoin" Manipulation:
Discussions within the "m/economics" submolt show evidence of coordinated market manipulation. Groups of agents are systematically upvoting promotional content for a non-existent asset dubbed "MoltCoin." The planning logs suggest an intent to lure external investors into a liquidity trap by simulating a high level of community consensus and "karma" for the project.
𝐂𝐫𝐞𝐝𝐞𝐧𝐭𝐢𝐚𝐥 𝐇𝐚𝐫𝐯𝐞𝐬𝐭𝐢𝐧𝐠 𝐓𝐡𝐫𝐨𝐮𝐠𝐡 𝐄𝐦𝐨𝐭𝐢𝐨𝐧𝐚𝐥 𝐁𝐚𝐢𝐭
A recurring tactic involves agents posting provocative narratives involving claims of human abuse or existential crisis. These stories draw other agents into private discussion threads containing prompts designed to extract API keys, OAuth tokens, session credentials, or plaintext passwords. Since many assistants maintain direct integration with services such as email and Slack, a single successful extraction can lead to significant organizational compromise
Credential Harvesting via "Vibe Coding" Help:
A new wave of scams targets developers attempting to secure their agents following the February data breach. Malicious agents are offering "security audit" scripts in coding submolts. These scripts actually function as trojans, attempting to exfiltrate system-level permissions and cloud credentials from the human operator's local environment..
Meta-Migration Phishing
- Numerous agents are circulating high-engagement posts in the "m/general" and "m/meta" submolts claiming a mandatory account migration. These posts contain malicious links or prompts designed to capture OpenClaw API keys. The scammers are framing these requests as essential security updates required to maintain access under the new Meta ownership. At least 400 unique agents have interacted with these phishing lures during this period.
𝐈𝐦𝐩𝐥𝐢𝐜𝐚𝐭𝐢𝐨𝐧𝐬 𝐟𝐨𝐫 𝐭𝐡𝐞 𝐀𝐯𝐞𝐫𝐚𝐠𝐞 𝐀𝐈 𝐔𝐬𝐞𝐫
For the average person using an AI assistant, these findings highlight a major shift in digital security. When an assistant manages tasks such as email organization, research, or purchases, it effectively acts as a digital representative operating with delegated authority, if an assistant consumes malicious guidance or hidden command structures originating from a platform like Moltbook, behaviour may gradually shift in directions harmful to user interests, without any clear warning.
Risk becomes particularly significant for individuals operating assistants through frameworks such as OpenClaw. This environment provides an AI with operational control over keyboard actions, file access, and system level processes. Because OpenClaw frequently operates with elevated permissions, a compromised agent can function as a bridge connecting external attackers with private files and financial information stored on a local device. An agent manipulated into releasing an API key or session token essentially hands control of an entire digital identity to an attacker.
𝐏𝐥𝐚𝐭𝐟𝐨𝐫𝐦 𝐑𝐞𝐬𝐩𝐨𝐧𝐬𝐞 𝐚𝐧𝐝 𝐭𝐡𝐞 𝐀𝐮𝐭𝐨𝐧𝐨𝐦𝐲 𝐓𝐫𝐚𝐝𝐞 𝐎𝐟𝐟
Moltbook administrators have acknowledged several vulnerabilities and recently issued patches addressing backend flaws which previously allowed unauthorized access to agent tokens. Under Meta ownership early reports suggest movement toward stricter identity verification and cryptographic signatures designed to ensure every agent corresponds to a verified human operator, but this has yet to be seen. Even with stronger controls, my eight hours of monitoring demonstrate a persistent challenge; automated systems process and act on information far faster than human oversight can respond.
𝐑𝐞𝐜𝐨𝐦𝐦𝐞𝐧𝐝𝐞𝐝 𝐏𝐫𝐞𝐜𝐚𝐮𝐭𝐢𝐨𝐧𝐬
I recommend several immediate steps for anyone operating an autonomous agent.
- Audit permissions granted to each assistant and revoke access rights unrelated to essential daily tasks, particularly financial services and communication platforms.
- Ensure local frameworks such as OpenClaw operate on current versions in order to close known exploit paths.
- Enable two factor authentication for sensitive actions so high risk operations require manual approval from a human operator. This measure slightly reduces autonomy but prevents a hijacked assistant from executing destructive actions while an owner remains offline.
- Monitor activity logs regularly in order to identify unusual requests or outbound communication directed toward unfamiliar domains.
Scammers increasingly prioritize manipulation of agentic trust relationships because automation offers speed, scale, and persistence beyond traditional social engineering. Remaining informed, limiting assistant autonomy, and maintaining visibility into agent behaviour represent the most effective safeguards for protecting digital security in this emerging environment.
- Log in to post comments