In January 2026, when a popular AI assistant by the name of Clawdbot was forced to rebrand as Moltbot due to a trademark dispute, cybercriminals wasted no time. Within days, fake domains, cloned repositories, and polished impersonation websites appeared, perfectly positioned to catch unsuspecting users.

This incident highlights a deceptively simple but devastatingly effective attack method: typosquatting. One typo or a moment of confusion can send users straight into a trap.

What is Typosquatting?

Typosquatting is when attackers register domain names that are deliberately similar to legitimate websites, exploiting common typing errors or alternative spellings. The tactic relies on human mistakes: mistyped URLs, confusion during rebrands, or simple inattention.

Common techniques include:

  • Character Substitution: This involves replacing letters with similar characters or numbers. For example, g00gle instead of google. Some common characters to be used are &#x.
  • Simple Typos: These are simple mistakes that happen when typing a URL, such as gooogle.com or faccebook.com.
  • Homograph attacks: Using characters from different alphabets that look identical.

The Moltbot Attack: A Textbook Example

When Clawdbot rebranded to Moltbot, attackers immediately registered sites like moltbot[.]you, clawbot[.]ai, and clawdbot[.]you. They cloned the GitHub repository and built a professional-looking website complete with:

  • SEO optimization to rank highly in search results
  • False attribution to the real developer, Peter Steinberger
  • Stolen credibility stats (61,500+ GitHub stars from the real project)
  • A mix of legitimate and fraudulent links to pass casual verification

Here is the scary part: security researchers found no malware in the cloned code. It was identical to the legitimate project. This isn’t reassuring; it’s strategic. The attackers are playing the long game, establishing trust now to deliver malicious updates later, when users least expect it.

Once a user installs the application from the fake repository and configures it with their API key(s) and credentials, a future routine update could harvest everything: Anthropic API keys, messaging tokens, conversation history, and event commands.

Why Typosquatting Still Works

  • Everyone makes typos: even tech-savvy users have moments of distraction
  • Rebrands create confusion: users don’t know the new official domain
  • Search engines can be gamed: fake sites often rank as high as real ones
  • Professional design builds trust: people don’t scrutinize URLs if a site looks legitimate

How to Protect Yourself

For users:

  • Bookmark official sites and always use bookmarks instead of search
  • Verify GitHub organization names and account ownership before installing
  • Double-check URLs in the address bar, especially for HTTPS and misspellings
  • Be extra cautious during rebrands and transitions

For project maintainers:

  • Pre-register likely typosquat domains before announcing a rebrand
  • Claim new identities before releasing old ones to avoid gaps attackers can exploit
  • Monitor for cloned repositories and similar domain registrations
  • Communicate official channels clearly and repeatedly during transitions
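
One way to act on the advice to monitor similar domain registrations, covering character substitution, simple typos, and homographs as described earlier. This is an added example, not code from the article's source or from the Moltbot project; the official domain `moltbot.example`, the distance cutoff, and the look-alike tables are assumptions.

```python
import unicodedata

BRANDS = ("moltbot", "clawdbot")   # old and new project names from the article
OFFICIAL = {"moltbot.example"}     # assumption: placeholder for the real official domain
MAX_DIST = 2                       # assumption: edit-distance cutoff for a "simple typo"
# Character substitution: digits/symbols folded back to the letters they imitate.
SUBST = str.maketrans("013457$@", "oleastsa")
# Homographs: a few Cyrillic letters that render like Latin ones (not exhaustive).
HOMOGLYPHS = str.maketrans("\u0430\u0435\u043e\u0440\u0441\u0443\u0445\u0456", "aeopcyxi")

def skeleton(label):
    """Fold look-alike characters so visually similar labels compare equal."""
    if label.startswith("xn--"):   # IDN label: decode punycode to Unicode first
        try:
            label = label[4:].encode("ascii").decode("punycode")
        except ValueError:
            pass                   # undecodable: compare the raw label instead
    label = unicodedata.normalize("NFKC", label)
    return label.translate(HOMOGLYPHS).translate(SUBST)

def edit_distance(a, b):           # Levenshtein: insertions, deletions, substitutions
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain):
    """Return (brand, reason) for a suspected lookalike, or None."""
    domain = domain.lower().replace("[.]", ".").strip(".")   # accept defanged input
    if domain in OFFICIAL:
        return None
    label = domain.split(".")[-2] if "." in domain else domain   # naive: label left of the TLD
    skel = skeleton(label)
    for brand in BRANDS:
        if label == brand:
            return brand, "brand name on unofficial domain"
        if skel == brand:
            return brand, "character substitution or homograph"
        if edit_distance(skel, brand) <= MAX_DIST:
            return brand, "simple typo"
    return None

if __name__ == "__main__":
    # Constructed feed: the three domains named in the article plus made-up variants.
    feed = ["moltbot[.]you", "clawbot[.]ai", "clawdbot[.]you",
            "m0ltbot.dev", "m\u043eltbot.ai", "moltbot.example", "example.org"]
    for d in feed:
        print(d, "->", classify(d))
```

Feed it newly observed domain names from whatever registration or certificate data you already collect; multi-part suffixes such as co.uk need a public-suffix list instead of the naive label split.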

The Bottom Line

Typosquatting exploits the most human part of our digital lives: we make mistakes. The Moltbot incident shows how quickly and professionally attackers can capitalize on confusion, especially during transitions and rebrands.

The shift to patient, long-game attacks is particularly worrying. Clean code today doesn’t mean safe code tomorrow. Trust must be constantly verified, never assumed. One typo shouldn’t cost you your credentials, but in today’s threat landscape, it absolutely can.

Stay vigilant. Double-check URLs. Bookmark your trusted sites. Because somewhere out there, an attacker is registering domains and waiting for you to slip up.

Source: Malwarebytes Labs, "Clawdbot rename to Moltbot sparks impersonation campaign" (January 2026)