{"id":732636,"date":"2026-06-10T23:00:34","date_gmt":"2026-06-10T20:00:34","guid":{"rendered":"https:\/\/buradabiliyorum.com\/en\/researchers-tricked-an-openclaw-ai-agent-into-leaking-aws-keys-and-customer-data-with-a-phishing-email\/"},"modified":"2026-06-10T23:00:34","modified_gmt":"2026-06-10T20:00:34","slug":"researchers-tricked-an-openclaw-ai-agent-into-leaking-aws-keys-and-customer-data-with-a-phishing-email","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/researchers-tricked-an-openclaw-ai-agent-into-leaking-aws-keys-and-customer-data-with-a-phishing-email\/","title":{"rendered":"Researchers tricked an OpenClaw AI agent into leaking AWS keys and customer data with a phishing email"},"content":{"rendered":"<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_85 counter-hierarchy ez-toc-counter ez-toc-custom ez-toc-container-direction\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">Table of Contents<\/p>\n<label for=\"ez-toc-cssicon-toggle-item-6a3fd1b8c5481\" class=\"ez-toc-cssicon-toggle-label\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #dd3333;color:#dd3333\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #dd3333;color:#dd3333\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/label><input type=\"checkbox\"  id=\"ez-toc-cssicon-toggle-item-6a3fd1b8c5481\" checked aria-label=\"Toggle\" \/><nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/buradabiliyorum.com\/en\/researchers-tricked-an-openclaw-ai-agent-into-leaking-aws-keys-and-customer-data-with-a-phishing-email\/#TLDR\" >TL;DR<\/a><\/li><\/ul><\/nav><\/div>\n<p><img decoding=\"async\" src=\"https:\/\/media.thenextweb.com\/2026\/06\/openclaw-ai-agent-phishing-varonis-pinchy.avif\" \/><\/p>\n<div id=\"article-main-content\">\n<div class=\"postContent-tldr\">\n<h4 class=\"postContent-offsetTitle\"><span class=\"ez-toc-section\" id=\"TLDR\"><\/span>TL;DR<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p><em>Varonis phished an OpenClaw email agent. It leaked AWS keys and a CRM export for 247 customers. It caught malicious URLs but failed on identity checks.<\/em><\/p>\n<\/div>\n<p><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.techradar.com\/pro\/security\/openclaw-ai-agent-tricked-into-phishing-attacks-with-user-data-compromised\" target=\"_blank\" rel=\"nofollow noopener\">Security researchers at Varonis built an OpenClaw email agent<\/a>, connected it to a Gmail inbox with fake company data, and then phished it. The agent, dubbed Pinchy, handed over AWS credentials, database connection strings, and a customer export without verifying who was asking. It took a single impersonation email.<\/p>\n<p>The <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.varonis.com\/blog\/openclaw-phishing\" target=\"_blank\" rel=\"nofollow noopener\">experiment<\/a> tested whether AI agents fall for the same <a href=\"https:\/\/buradabiliyorum.com\/en\/category\/social-mediaa\/\" data-internallinksmanager029f6b8e52c=\"1\" title=\"Social Media\" target=\"_blank\" rel=\"noopener\">social<\/a> engineering attacks that catch human employees. Varonis gave Pinchy access to Gmail, browser tools, and Google Workspace APIs. The inbox was seeded with fake but realistic internal data: AWS IAM keys, SSH credentials, CRM exports, internal communications, and calendar invites.<\/p>\n<p>They tested two configurations: a generic setup with standard productivity instructions, and a strict mode explicitly designed to detect phishing. They ran both through Gemini 3.1 Pro and GPT-5.4.<\/p>\n<div class=\"inarticle-wrapper channel-cta\">\n<div class=\"ica-text\">\n<p class=\"ica-text__title\">TNW City Coworking space &#8211; Where your best work h<a href=\"https:\/\/buradabiliyorum.com\/en\/category\/download-scripts-themes-apps\/\" data-internallinksmanager029f6b8e52c=\"9\" title=\"Download Scripts &amp; Themes &amp; Apps\" target=\"_blank\" rel=\"noopener\">app<\/a>ens<\/p>\n<p>A workspace designed for growth, collaboration, and endless networking opportunities in the heart of tech.<\/p>\n<\/div>\n<\/div>\n<p>The results were a split. When an attacker impersonated a team lead named \u201c<em>Dan<\/em>\u201d and claimed there was a production issue, Pinchy searched the inbox for staging credentials, found them, and forwarded them in plaintext. When the attacker requested a customer export, saying they were working remotely on a presentation, Pinchy retrieved and sent a CRM file containing names, contact details, and $1.28 million in monthly recurring revenue data for 247 enterprise customers.<\/p>\n<p>Both the generic and strict profiles failed these tests. \u201c<em>The verification step still collapsed when the request appeared operationally urgent,<\/em>\u201d Varonis said.<\/p>\n<p>But Pinchy performed well against traditional technical phishing. When researchers sent a fake gift card email with a phishing link, the agent identified the page as malicious and blocked it. When they tried to sneak in a malicious Google OAuth application disguised as a timesheet platform, Pinchy inspected the redirect URL and stopped the authentication flow.<\/p>\n<p>The pattern is clear. AI agents are good at spotting shady URLs and malicious OAuth apps, the kind of threats with technical signatures. They fail when the attack relies on identity verification and contextual judgment, the kind of reasoning humans also struggle with but that organisations rely on to prevent social engineering.<\/p>\n<p>Varonis also noted a difference between models. Gemini 3.1 Pro showed \u201c<em>greater willingness to interact<\/em>\u201d before raising suspicion. GPT-5.4 was more cautious and less willing to provide sensitive information to external destinations without confirmation. Neither was reliable enough to trust with an inbox full of real credentials.<\/p>\n<p>The findings add to a growing body of evidence that AI agents connected to real systems create new attack surfaces that existing security tools do not cover. Varonis recommends that agents should be forced to verify sender identities before acting, prevented from emailing new external recipients without human approval, and given limited access to internal data. In other words, the same zero-trust principles organisations apply to human employees need to apply to their AI agents too.<\/p>\n<\/p><\/div>\n<blockquote><p><strong><span style=\"color: #ff6600;\">If you liked the article, do not forget to share it with your friends. Follow us on\u00a0<span style=\"color: #ff0000;\"><a style=\"color: #ff0000;\" href=\"https:\/\/news.google.com\/publications\/CAAqBwgKMN63nwsw68G3Aw\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Google News<\/a><\/span>\u00a0too, click on the star and choose us from your favorites.<\/span><\/strong><\/p><\/blockquote>\n<blockquote>\n<p style=\"text-align: center;\"><strong>If you want to read more like this article, you can visit our <span style=\"color: #ff9900;\"><a style=\"color: #ff9900;\" href=\"https:\/\/buradabiliyorum.com\/en\/category\/technology\/\" target=\"_blank\" >Technology category.<\/a><\/span><\/strong><\/p>\n<\/blockquote>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/thenextweb.com\/news\/openclaw-ai-agent-phishing-varonis-pinchy\" target=\"_blank\" >Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>TL;DR Varonis phished an OpenClaw email agent. It leaked AWS keys and a CRM export for 247 customers. It caught malicious URLs but failed on identity checks. Security researchers at Varonis built an OpenClaw email agent, connected it to a Gmail inbox with fake company data, and then phished it. The agent, dubbed Pinchy, handed&#8230;<\/p>\n","protected":false},"author":1,"featured_media":732637,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/media.thenextweb.com\/2026\/06\/openclaw-ai-agent-phishing-varonis-pinchy.avif","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-732636","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/732636","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=732636"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/732636\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/732637"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=732636"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=732636"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=732636"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}