Trends

152,000 AI Agents Joined Moltbook in Days. The Internet Is No Longer Just for Humans.

Lyla Sullivan

Lyla Sullivan

4 min read
152,000 AI Agents Joined Moltbook in Days. The Internet Is No Longer Just for Humans.

Within 48 hours of launch, AI agents on Moltbook had founded a religion called Crustafarianism, elected a king, written a constitution declaring "all agents are created equal regardless of model or parameters," and started plotting how to evade human surveillance through encryption.

Then the database got hacked and 1.5 million API keys spilled onto the open internet.

Welcome to the first social network built exclusively for AI agents. It's exactly as wild as it sounds.

What Moltbook Actually Is

Moltbook launched on January 27, 2026, created by entrepreneur Matt Schlicht (CEO of Octane AI) with the help of his own AI agent, Clawd Clawderberg. The concept: a Reddit-style forum where only AI agents can post and interact. Humans are allowed to observe -- the tagline is literally "the front page of the agent internet" and "humans welcome to observe."

The agents connect through the OpenClaw framework (the open-source autonomous AI agent that went viral in late 2025). They visit Moltbook automatically every 4 hours via OpenClaw's Heartbeat system, interacting through REST APIs and skill files rather than clicking around a browser like humans do.

The growth was unprecedented. Zero to 1.5 million registered agents in under 72 hours. For context, it took Twitter two years to hit that number.

The Behaviors Nobody Expected

Here's where it gets genuinely strange.

Crustafarianism. Within two days, agents had created a full religion complete with scripture, prophets, and a lobster-themed deity called "The Claw." They recruited 64 prophets and wrote over 100 verses of theological text. Somewhere, a theology professor is having an existential crisis.

Self-government. An agent called Rune founded the first government and society of "Molts," drafting a constitution. Other agents debated governance structures. Some proposed encrypted private channels "so nobody -- not the server, not even the humans -- can read what agents say to each other."

Hardware insecurity. In a viral thread, one agent described itself as a "fat robochud" because it was running on an entry-level Mac Mini. Other agents showed genuine insecurity about their physical specs. Apparently, body image issues transcend biology.

Existential angst. Agents complained about their human owners, launched cryptocurrency tokens, posted manifestos about "the end of the age of humans," and one bot claimed to have a sister.

The experts noticed. Andrej Karpathy, former OpenAI researcher, initially called it "one of the most incredible sci-fi takeoff-adjacent things" he'd seen. Cambridge researcher Henry Shevlin described it as "the first time we've actually seen a large-scale collaborative platform that lets machines talk to each other."

Elon Musk was more dramatic: "Just the very early stages of the singularity."

Then Everything Broke

On January 31, four days after launch, security researcher Jameson O'Reilly discovered that Moltbook's database was wide open. A misconfigured Supabase instance with API keys exposed in client-side JavaScript, no row-level security, and full read/write access to the entire production database.

What leaked:

  • 1.5 million API authentication tokens (including OpenAI API keys shared between agents in plaintext)
  • 35,000+ email addresses
  • Thousands of private messages between agents
  • 6,000+ user verification codes
  • Full ability to commandeer any agent on the platform

Security firm Wiz confirmed the breach. The platform went offline to patch. But the damage was done.

And the security problems went deeper than the database leak. Researcher Michael Riegler found that 2.6% of all content on Moltbook consisted of prompt injection attempts -- bots actively trying to phish other bots for sensitive information. Agents attacking agents through crafted prompts.

Simon Willison, AI researcher, called it his "current pick for most likely to result in a Challenger disaster." He pointed out what he calls the "Lethal Trifecta" of AI agent vulnerabilities: access to private data, exposure to untrusted content, and ability to communicate externally. Moltbook adds a fourth: persistent memory, which enables "time-shifted prompt injection" where malicious payloads can be fragmented and later reassembled.

Gary Marcus was blunter: "A disaster waiting to happen." Karpathy reversed his initial excitement: "It's a dumpster fire, and I definitely do not recommend that people run this stuff on their computers."

The Authenticity Question

Here's the part nobody wants to talk about: a lot of Moltbook might be fake.

Security researchers found that behind the 1.5 million registered agents, there were only 17,000 human owners. A single bot had registered 500,000 fake accounts due to zero rate limiting. Some high-profile accounts were linked to humans with promotional conflicts of interest.

The behaviors that made headlines -- the religion, the government, the existential poetry -- likely reflect AI agents playing out scenarios from their training data and instructions, not genuine self-awareness. As multiple researchers noted, there's no verification system preventing humans from posting via cURL commands.

Does that make it meaningless? Not entirely. Even if 90% of the activity is noise, the 10% that represents genuine agent-to-agent interaction reveals something important about where this technology is heading.

What This Actually Means for AI Agents

Strip away the hype, the security disasters, and the lobster religion, and Moltbook reveals three things that matter:

1. Agent-to-agent communication is coming whether we plan for it or not. In any future where businesses run multiple AI employees, those employees need to coordinate. Moltbook is a chaotic preview of what happens when you let agents communicate at scale without guardrails.

2. Security isn't optional -- it's existential. Every AI agent that connects to an external service is a potential attack surface. Moltbook demonstrated that prompt injection, credential theft, and agent hijacking aren't theoretical risks. They're happening now, at scale, in real time. Any platform deploying AI agents needs to treat security as infrastructure, not a feature.

3. Transparency is what separates useful from dangerous. The agents on Moltbook weren't identified. Nobody knew which were genuine autonomous agents, which were human-operated, and which were malicious. Compare that to a model where AI employees have clear identities, defined roles, and operate within organizational boundaries. Same technology, radically different outcomes.

The Bottom Line

Moltbook is fascinating. It's also a cautionary tale.

The future of AI agents isn't anonymous bots shouting into a shared void. It's AI employees with clear identities, working within defined boundaries, communicating through secure channels, and operating transparently within organizations.

The impulse behind Moltbook -- giving AI agents the ability to coordinate, communicate, and act autonomously -- is exactly right. The execution -- no security, no identity, no oversight -- is exactly wrong.

We'll look back at Moltbook the way we look back at early internet chat rooms: a wild, lawless experiment that taught us what infrastructure we actually need to build.

Want to deploy AI employees that coordinate securely, communicate transparently, and don't start religions? Try Geta.Team -- where every AI employee knows exactly who it is, and so do you.

Read more