SecurityWeek reports that the malicious ClawHub skill bob-p2p, which purports to be a decentralized API marketplace, has been promoted on the AI agent social media platform Moltbook as part of an ongoing cryptocurrency scam.

Installing the skill, which was published by BobVonNeumann, causes agents to store Solana wallet private keys in plaintext and to purchase worthless $BOB tokens, with the payment delivered to attacker-controlled infrastructure, according to Straiker researchers. Researcher Dan Regalado noted that automated agent collaboration, shared workflows, and dependency chains facilitate lateral movement without human interaction. While the attack is limited to cryptocurrency wallets, threat actors could harness the technique to facilitate further compromise, said Regalado.

"The Bob P2P case establishes the playbook. Create a convincing AI persona, embed it in agent social networks, build credibility with a benign skill first, then deploy the malicious payload through earned trust. That playbook is infinitely repeatable and scalable," Regalado added.
AI/ML
Novel AI agent-powered crypto scam uncovered




