How many OpenClaw instances have been compromised by hacking groups?

Over 30,000 OpenClaw instances have been compromised. Flare analysts detected multiple hacking groups stealing API keys, intercepting messages, and deploying info-stealing malware via Telegram and other channels.

What percentage of exposed OpenClaw instances lack authentication?

63% of exposed OpenClaw instances operate without any authentication, making them trivial targets for automated exploitation.

What data do hackers steal from compromised OpenClaw instances?

Attackers steal API keys for services like OpenAI, Anthropic, and other providers, intercept private messages, and deploy infostealer malware that harvests credentials from the host system.

How can I protect my OpenClaw instance from exploitation?

Enable authentication on all endpoints, restrict network access to trusted IPs, rotate all API keys regularly, audit installed skills for malicious code, and keep OpenClaw updated to the latest version.

When did the OpenClaw exploitation campaigns begin?

The first major campaign (ClawHavoc) was detected on January 29, 2026, followed by Automated Skill Poisoning in early February. Exploitation has been continuous since.

← Back to dashboard

clawsmith.com/signal/openclaw-hacking-groups-30k-compromised-api-key-malware

⚠ IssueWide OpenLive

Multiple Hacking Groups Exploit 30K+ OpenClaw Instances to Steal API Keys and Deploy Malware

Flare analysts observed over 30,000 compromised OpenClaw instances used to steal API keys, intercept messages, and distribute info-stealing malware. 63% of exposed instances operate without authentication. Active campaigns detected since January 2026.

Product Idea from this Signal

A CI/CD security gate that blocks OpenClaw deployments failing CVE, config, and network exposure checks

892 ▲

OpenClaw has accumulated 138+ CVEs in under 3 months, with 220,000+ instances exposed to the internet and 63% running without authentication. Kaspersky declared it unsafe for use. Existing tools (SecureClaw, Carapace, ClawSec) run audits after deployment, but nothing blocks a bad deployment from going live. This is a pre-deploy security gate that integrates into CI/CD pipelines, runs automated CVE version checks, config hardening validation, and network exposure scans, and fails the deploy if the instance doesn't meet a configurable security baseline.

CLICI-CDSECURITYDEVOPSOPEN-SOURCE

CompetitiveView Opportunity →