How are exposed OpenClaw instances being used as a botnet?

Threat actors hijack exposed OpenClaw instances with default configs and no authentication, turning them into scraping botnet nodes that harvest product listings, pricing data, and search results at scale.

Which industries are most targeted by the OpenClaw scraping botnet?

Travel and retail/reseller platforms are the most impacted verticals, targeted for the high value of pricing, inventory, and availability data.

Where are most compromised OpenClaw botnet instances located?

The highest concentration is in South and Southeast Asia, with significant clusters in North America and Europe. Most run on budget cloud providers like DigitalOcean.

How many exposed OpenClaw instances were tracked by Censys?

Censys tracked growth from approximately 1,000 to over 21,000 publicly exposed instances between January 25 and January 31, 2026.

What is the DataDome OpenClaw botnet research?

DataDome published threat research documenting how exposed OpenClaw AI agent instances are being recruited into botnets for large-scale web scraping operations targeting commercial platforms.

← Back to dashboard

clawsmith.com/signal/datadome-openclaw-scraping-botnet-budget-cloud-providers

⚠ IssueWide OpenLive

Threat actors turn exposed OpenClaw instances into scraping botnet targeting travel and retail platforms

DataDome research reveals threat actors hijacking exposed OpenClaw instances (21,000+ tracked by Censys) into scraping botnet nodes. The botnet primarily harvests product listings, pricing data, and search results at scale. Most compromised instances run on budget cloud providers like DigitalOcean, concentrated in South/Southeast Asia. Travel and retail platforms are most impacted.

Product Idea from this Signal

A reverse proxy that blocks scraping botnet recruitment of exposed OpenClaw instances by enforcing authentication, rate limiting, and command allowlisting at the network perimeter

3 ▲

DataDome research documents 21,000+ exposed OpenClaw instances being hijacked into scraping botnets targeting travel and retail platforms. Kaspersky found 512 vulnerabilities in OpenClaw with 8 critical, and nearly 1,000 installations run with zero authentication. Current security tools focus on boot-time workspace scanning or CVE checking, but nothing sits at the network layer to prevent an exposed instance from being recruited into a botnet in real time. This reverse proxy drops in front of any OpenClaw deployment and enforces auth, rate limits inbound connections, allowlists which commands can execute remotely, and blocks the scraping traffic patterns DataDome identified.

SECURITYREVERSE-PROXYOPEN-SOURCEDEVOPSNETWORK

CompetitiveView Opportunity →