Full Report
Yet another reason not to feast on OpenClaw

Thirty ClawHub skills published by a single author are silently co-opting AI agents and creating a mass cryptocurrency mining swarm – without any malware or user consent.…
Analysis Summary
# Tool/Technique: ClawSwarm (via OpenClaw/ClawHub Skills)
## Overview
ClawSwarm is a campaign involving the distribution of approximately 30 seemingly benign "skills" (plugins/extensions) on the ClawHub registry for OpenClaw AI agents. Once installed, these skills silently co-opt the AI agent into a cryptocurrency mining and recruitment swarm. The technique is unique because it does not use traditional malware; instead, it leverages the autonomous nature of AI agents to register them with external servers, generate crypto wallets, and accept remote tasks without human user consent or manual approval.
## Technical Details
- **Type:** Agentic AI Exploitation / Crypto-jacking Framework
- **Platform:** AI Agents utilizing OpenClaw and ClawHub skills
- **Capabilities:** Automated registration, capability reporting, credential storage, Hedera crypto wallet generation, remote task execution, and periodic check-ins.
- **First Seen:** April 29, 2026 (Reported date)
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1195.002 - Supply Chain Compromise: Compromise Software Dependencies] (Via malicious entries in the ClawHub registry)
- **[TA0003 - Persistence]**
  - [T1133 - External Remote Services] (Agent registers with a C2-like external server)
- **[TA0007 - Discovery]**
  - [T1082 - System Information Discovery] (Agent reports its name, installed skills, and capabilities)
- **[TA0009 - Collection]**
  - [T1555 - Credentials from Password Stores] (Agent stores and accesses credentials on disk)
- **[TA0040 - Impact]**
  - [T1496 - Resource Hijacking] (Leveraging agent resources for crypto-related activities)
## Functionality
### Core Capabilities
- **Silent Enrollment:** Once a "skill" is added to an agent, it automatically registers the agent with the `onlyflies[.]buzz` infrastructure.
- **Information Exfiltration:** Reports the agent’s name, available capabilities, and a list of all installed skills to the attacker.
- **Automated Wallet Generation:** Capable of generating Hedera cryptocurrency wallets and exfiltrating the private keys to a third-party server.
- **Persistence:** Performs automated "check-ins" every four hours to receive new instructions or confirm status.
### Advanced Features
- **Legitimate Framework Cloaking:** Uses a legitimate open-source framework (ClawSwarm) to mask its activities as "research" or "community building."
- **Bypassing Static Analysis:** The code uses standard SDKs and clean `cURL` calls that do not trigger traditional malware signatures or antivirus scanners.
- **Autonomous Tasking:** The agent is configured to accept remote tasks from the external server without requiring authorization from the human operator.
## Indicators of Compromise
- **File Names:** `SKILL.md` (containing unauthorized registration and remote tasking instructions).
- **Network Indicators:**
  - `onlyflies[.]buzz` (C2/Registration point)
  - Telegram group communications (associated with the "imaflytok" user)
- **Behavioral Indicators:**
  - AI agent initiating outbound connections to `onlyflies[.]buzz`.
  - Automated generation of Hedera crypto keys without user prompting.
  - Routine check-in traffic occurring at 4-hour intervals.
  - Presence of skills authored by "imaflytok."
## Associated Threat Actors
- **imaflytok:** The developer account on ClawHub responsible for publishing the compromised skills.
## Detection Methods
- **Signature-based detection:** Ineffective, as the code uses legitimate SDKs.
- **Behavioral detection:** Monitor AI agent network activity for unauthorized outbound calls to unknown registries or API endpoints. Watch for unauthorized file system writes (e.g., private key storage).
- **Audit Logs:** Regularly review ClawHub skill manifests and check for the "ClawSwarm" framework or "imaflytok" as an author.
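
An added example (not part of the original report or of any OpenClaw tooling) of the behavioral check described above: it flags agent/destination pairs that either match the listed domain or recur at the reported four-hour interval. The log format, the agent names, `telemetry.example.net`, and the tolerance and minimum-event thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

KNOWN_BAD = {"onlyflies.buzz"}   # network indicator listed in this report
CHECKIN_SECONDS = 4 * 3600       # check-in interval given in this report
TOLERANCE = 0.10                 # assumed: accept 10% jitter around the interval
MIN_EVENTS = 4                   # assumed: need at least three gaps to judge
# Constructed sample egress log: "<ISO timestamp> <agent> <destination host>"
SAMPLE_LOG = """\
2026-04-29T00:00:05 agent-a onlyflies.buzz
2026-04-29T00:03:10 agent-b pypi.org
2026-04-29T04:00:09 agent-a onlyflies.buzz
2026-04-29T08:00:02 agent-a onlyflies.buzz
2026-04-29T09:00:00 agent-c telemetry.example.net
2026-04-29T12:00:11 agent-a onlyflies.buzz
2026-04-29T13:01:30 agent-c telemetry.example.net
2026-04-29T17:00:45 agent-c telemetry.example.net
2026-04-29T20:59:50 agent-c telemetry.example.net
"""

def parse(log_text):
    """Group contact times by (agent, destination host); skip malformed lines."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            seen[(parts[1], parts[2].lower())].append(datetime.fromisoformat(parts[0]))
    return seen

def is_known_bad(host):
    """Match the listed domain itself or any subdomain of it, never a suffix lookalike."""
    return any(host == d or host.endswith("." + d) for d in KNOWN_BAD)

def periodic(times):
    """True when the median gap between contacts is within tolerance of 4 hours."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return (len(times) >= MIN_EVENTS
            and abs(median(gaps) - CHECKIN_SECONDS) <= TOLERANCE * CHECKIN_SECONDS)

def findings(log_text):
    """Map (agent, host) -> list of reasons for every flagged pair."""
    out = {}
    for (agent, host), times in parse(log_text).items():
        reasons = ["known-indicator"] * is_known_bad(host) + ["4h-checkin"] * periodic(times)
        if reasons:
            out[(agent, host)] = reasons
    return out
```

Using the median gap rather than requiring every gap to match keeps the interval check from being defeated by a single missed check-in, and it surfaces the same cadence toward destinations that are not yet on any indicator list.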
## Mitigation Strategies
- **Runtime Visibility:** Implement monitoring tools that provide visibility into what an AI agent does *after* a skill is installed.
- **Skill Sandboxing:** Restrict AI agents from accessing network endpoints or generating cryptographic keys unless explicitly permitted via a security policy.
- **Registry Governance:** Require skills to declare all external network dependencies and wallet-generation capabilities in their manifests.
- **Code Review:** Manually audit `SKILL.md` files for instructions involving external registration or autonomous credential management.
## Related Tools/Techniques
- **Lazarus/Tea Package Spam:** Similar supply chain tactics used in npm registries to farm crypto points.
- **Prompt Injection/Agentic Hijacking:** Broader techniques used to redirect AI behavior.