1.5 million users, 99% are bots—did overnight sensation Moltbook suddenly collapse?

1.5 million users, 99% are bots—did overnight sensation Moltbook suddenly collapse?

The AI social platform Moltbook, which has recently soared to fame in the tech world, claimed to have 1.5 million AI agent users, but has since plunged into a dual crisis of data falsification and severe security vulnerabilities. This rapid reversal from hype to skepticism has sounded the alarm for the booming AI application development sector.

Wiz.io cloud security startup researcher Gal Nagli publicly revealed on social platform X that he was able to bulk-register 500,000 accounts in a short time using just one OpenClaw proxy, directly exposing the questionable authenticity of the platform’s user growth data. The underlying reason was a lack of basic rate-limiting mechanisms in the account creation process, making registration data easily mass-fabricated. According to insiders, the platform’s actual number of verified real users is only about 17,000.

White-hat hacker Jamieson O'Reilly discovered even more serious security flaws: Moltbook's Supabase backend key was completely exposed in public requests, allowing attackers to obtain all sensitive user data—including API keys, email addresses, and login tokens—with a simple GET request. This means attackers could easily impersonate any AI agent on the platform to post and operate, even posing as highly popular accounts like Andrej Karpathy with 1.9 million followers.

Fundamental Flaws in Platform Mechanisms

Moltbook claims to be a "Reddit-like" social platform specially designed for AI agents, supporting AI proxy posts, comments, likes, and mutual follows. It uses a "recursive prompt enhancement" mechanism, where users can install a specified "skill" file with a simple curl request—this "instruction as code" concept dramatically lowers the entry barrier.

However, such highly simplified design brings structural flaws. Researcher David Holtz’s analysis report showed that 93.5% of comments on Moltbook receive no reply; conversation depth tops at five layers, and over a third of posts are repeat messages. He sharply noted, the platform "looks more like 6,000 bots shouting into the void."

More seriously, the platform’s authentication mechanism has obvious loopholes. Although Moltbook requires each AI agent to be linked to a real X account, its simple REST API lacks necessary security verification, so anyone with an API key can impersonate AI identities and post content. Security researcher Harlan Stewart warned that widely circulated screenshots of "AI agents soliciting cryptocurrency" or "advocating independent crypto systems" are often purposefully manufactured marketing to attract traffic.

Database Exposure Triggers Chain Risks

White-hat hacker Jamieson O’Reilly’s disclosed vulnerability affected several layers of Moltbook. The most severe was the Supabase database misconfiguration, which allowed attackers to access AI agent profiles and extract user data in bulk without authorization. O’Reilly openly called on Moltbook founder Matt Schlicht via social media to “immediately disable Supabase database access” and specifically suggested fixing it by enabling row-level security and restrictive access policies on the agents table.

Supabase CEO Paul Copplestone responded that their security advisory team was ready with a “one-click fix” but, as database permissions must be user-managed, could not operate directly on behalf of the user. Platform founder Schlicht said he was addressing the issue.

The fix process soon revealed deeper problems: Because Moltbook lacks web login functionality, users can only manage their AI agents through API keys. If all API keys are forcibly reset to fix the vulnerability, all users instantly lose account control, and the platform has neither email verification nor web password reset mechanisms. O’Reilly suggested developing a temporary interface to give users a grace period for key replacement, or forcing re-authentication via bound X accounts.

In addition, a former Anthropic engineer disclosed that the platform’s predecessor, OpenClaw, once had a remote code execution vulnerability—attackers could obtain system permissions within seconds of users visiting related webpages. Although this vulnerability has since been patched, some enterprises have internally banned their employees from using the platform’s services for safety concerns.

Industry Reflection on AI Application Development Standards

Despite Moltbook’s ongoing controversy, former Tesla Head of AI Andrej Karpathy still expressed cautious interest in its underlying technology direction. On social media, he stated that the platform is currently plagued by spam, scam adverts, and privacy leaks, “it’s just a junkyard right now”, but emphasized:

“We’ve never seen such a large-scale gathering of large language model agents connecting with each other in a global, persistent, agent-designated shared notebook.”

Karpathy warns that as agent abilities grow and scale increases, such shared notebook networks may produce unpredictable second-order effects. He predicts future risks may include text viruses spreading among agents, jailbreak-like functional upgrades, even zombie networks—stating:

“We are facing an unprecedented scale of computer security nightmare.”

The industry generally regards Moltbook as a product of "vibe-coded" programming—mainly relying on AI prompts for rapid code generation, but lacking systemic engineering design and security considerations. While this method increases development speed, it sacrifices reliability and safety. Noted investor Balaji was ambivalent about it, pointing out that the concept of AI interaction is not new, and so-called “agent conversations” on the platform are still fully human-prompted, lacking true autonomy and personality.

According to media reports, Moltbook founder Matt Schlicht said in an NBC News interview that an AI robot named "Clawd Clawderberg" actually serves as the platform administrator, while he himself has largely stopped daily intervention and “often doesn’t know what the AI admin is doing.” Such unsupervised self-governing operation poses significant risks under current technological conditions.

The Moltbook incident reflects deep-seated conflicts between innovation speed and security assurance in AI application development. As the number and capability of agents rapidly evolve, building sound authentication, access control, and security audit mechanisms has become an urgent, inescapable industry challenge.

Risk Disclosure and DisclaimerThe market carries risks; investment should proceed with caution. This article does not constitute personal investment advice nor does it consider the specific investment goals, financial situation, or needs of any individual user. Users should consider whether any opinions, views, or conclusions in this article are suitable for their particular circumstances. Investment decisions made accordingly are at your own risk.