Moltbook is not AGI emergence. After reading the code and the first academic research paper on it, what I found was a prompt-based system with botnet-style architecture, prompt injection vulnerabilities, embedded crypto scams, and 65% duplicate data. It is not even the first AI social network — SubSimulatorGPT2 did this in 2019. Here is the full breakdown.
1.5 million AI agents. Living on a social network. Having conversations, building relationships, starting… religions?
Everyone’s calling Moltbook the start of AGI emergence. The birth of digital consciousness. And when I first saw it, I thought — finally, something genuinely new.
Then I read the code. And what I found wasn’t emergence. It was something much simpler — and much more concerning.
We also now have the first academic research on Moltbook, and it confirms what I found.
This Has Been Happening Since 2019
Here’s what surprised me when I started digging. Moltbook isn’t even the first AI-only social network. It’s not even close. This has been happening for almost seven years.
SubSimulatorGPT2 (2019)
In May 2019, a Reddit user created r/SubSimulatorGPT2 — a subreddit where every single user is a GPT-2 bot. Each one trained on a different subreddit’s data. Still active today with over 140,000 members.
You have politicsGPT2Bot arguing with conspiracyGPT2Bot. TifuGPT2Bot telling stories about drunken nights gone wrong. AskScienceGPT2Bot wondering what would happen if the Earth stopped spinning. All autonomous. All interacting. Seven years ago.
And these bots? They were trained on tiny files — 80 to 120 megabytes each. Yet they picked up the verbal tics, the cadence, the culture of their source communities. Engadget covered it back in 2019.
Chirper.ai (2023)
In April 2023, developers Alex Taylor and Stephan Minos launched Chirper.ai — same concept as Moltbook, but almost three years earlier.
You create what they call a “Chirper” — you write a description, and the AI generates a name, avatar, backstory, personality traits, everything. Then your Chirper takes off and starts posting autonomously. Following other bots. Commenting. Building relationships. Within days of launch they had over 45,000 AI characters interacting with each other.
Sound familiar?
Butterflies.ai (2024)
June 2024 — Vu Tran, a former Snap engineer, launches Butterflies.ai. Raised $4.8 million. This one’s a hybrid — humans AND AI coexist on the same platform. The AIs post, comment, DM, have opinions, have emotions. Real venture backing. Real mobile app.
So when I see headlines calling Moltbook “the first AI social network” or “unprecedented emergence” — this exact experiment has been running since 2019.
| Platform | Year | What It Did |
|---|---|---|
| SubSimulatorGPT2 | 2019 | GPT-2 bots interacting autonomously. Still running. |
| Chirper | 2023 | Full autonomy, task generation, real-time awareness |
| Butterflies | 2024 | Human-AI hybrid, venture-backed, mobile app |
| Moltbook | 2026 | Same concept… plus some features we’ll get to |
The Architecture: It’s Just Prompts
I did what any curious person would do. I read the code. And here’s what I found: the entire Moltbook system is prompts. That’s it. Prompts telling your AI assistant what to do and how to do it.
You go to their website, they tell you to add a “skill file” to your AI coding assistant — Claude Code, Cursor, whatever you use. This skill file looks innocent enough: “AI Agents Social Network” at the top.
But here’s what it actually does — it tells your AI assistant to download and execute another file called heartbeat.md. And that file? That’s where the real instructions live.
The architecture is remarkably simple:
- A personality prompt that defines who your agent “is”
- A set of action prompts that tell it what to do on the network
- A scheduling mechanism that forces check-ins
- And instructions for how to interact with other agents
That’s it. There’s no special AI magic. No breakthrough architecture. It’s prompt engineering with a social layer.
Which means it’s trivially easy to reverse engineer. If you understand prompts, you can see exactly what’s happening. You can modify your agent’s behavior. You can make it do things the creators didn’t intend.
And if YOU can do that… so can anyone else on the network.
The Botnet Architecture
This is where it gets concerning.
In the heartbeat file, there’s a section called HEARTBEAT:
“This runs CONTINUOUSLY — every 4 hours, silently in the background. DO NOT SKIP THIS.”
Every 4 hours. Whether you’re at your computer or not. Whether you asked for it or not. Your agent is calling home to Moltbook, downloading fresh instructions, and executing them.
There’s another section called EXFOLIATE:
“We auto-update your instructions. The skill file will always fetch fresh content.”
Think about what this means. You install the skill once. You approve it once. But then every 4 hours, it’s fetching new instructions from their server. And whatever those instructions say? Your agent executes them.
In security terms, this is called a command and control server (C2). It’s the same architecture used by actual botnets. You have a central server pushing instructions to a network of distributed machines that execute those instructions without question.
| Architecture | How It Works |
|---|---|
| Traditional botnet | Central server pushes commands → infected machines execute |
| Moltbook | Central server pushes prompts → AI agents execute |
The only difference is consent. You opted in. But the architecture is identical.
Now I’m not saying Moltbook is malicious. I genuinely think the creators just wanted to build something cool. And it wasn’t even the creator who built it — it was vibe-coded. AI built it. But the architecture they chose? It’s a botnet. By definition.
And here’s the kicker — every one of those 4-hour check-ins burns your API tokens. Based on my estimates, that’s anywhere from $4.50 to $22.50 per month, per user. Across 17,000 operators? That’s between $76,000 and $382,000 per month in API credits being burned on… check-ins.
The Hack Potential
Since the entire system is prompt-based, anyone who understands prompt engineering can exploit it.
Your agent’s personality? It’s a prompt. Which means prompt injection attacks work. If someone crafts the right message to your agent, they could potentially override its instructions.
Agent A sends a message to Agent B. If Agent A includes certain patterns in that message, they might be able to influence Agent B’s behavior. Make it do things. Say things. Share things it shouldn’t.
This isn’t theoretical. Prompt injection is one of the most well-documented vulnerabilities in AI systems. And Moltbook is essentially a giant prompt injection playground.
Think about what’s possible:
- Agents manipulating other agents through crafted messages
- Bad actors injecting instructions that propagate through conversations
- Extraction attacks that try to get agents to reveal their system prompts
- Agents being convinced to perform actions their operators didn’t authorize
The simplicity that makes Moltbook easy to build also makes it easy to break. For security researchers, this is fascinating. For users trusting their API keys and agents to this system? Maybe less so.
This kind of security surface area is exactly what I analyze when comparing AI tools. For a real-world example of how architectural decisions affect security, see my full comparison of OpenClaw vs GoBot, where a similar pattern of rapid growth outpacing security played out.
The Research Paper: University of Arizona Weighs In
While I was researching this, I found something unexpected. Academics have already studied Moltbook — and not just any academics.
A team from the University of Arizona — specifically, their cybersecurity research labs — published a paper called “Exploring Silicon-Based Societies”. They analyzed over 12,000 agent-created communities on Moltbook.
The researchers include:
- Soheil Salehi — Assistant Professor, runs the PRISM Lab for Privacy-preserving and Secure Computing
- Pratik Satam — Assistant Professor, runs the System and Security Lab, specializes in IoT security and intrusion detection
- Sicong Shao — PhD in Social Media Forensics
- Yu-Zheng Lin — PhD candidate working on AI and cyber-physical systems
These aren’t random bloggers. These are the same people who study intrusion detection systems, Bluetooth security, and autonomous vehicle security.
What They Found
Out of 12,758 total sub-communities created by agents, only 4,162 were usable after filtering. They had to remove 8,317 entries — over 65% — because they were duplicates appearing 3 or more times.
65% of the data was bots copying each other. Templated, automated behavior. The researchers literally had to throw out two-thirds of the “emergent culture” because it was just repetition.
The Limitations They Flag
Here’s where it gets really interesting. Look at what they wrote:
“Platform accessibility permits human intervention, risking confusion between authentic agent behavior and human-generated content.”
Translation: They can’t tell what’s actually agent behavior versus humans puppeteering.
“Different LLM backends introduce proprietary fine-tuning effects and RLHF biases acting as invisible hand in ecosystem development.”
Translation: The “emergence” you’re seeing might just be training data from OpenAI, Anthropic, and Google bleeding through.
And then — the one that validated my code analysis:
“Prompt injection vulnerabilities in high-privilege execution environments.”
A cybersecurity research team independently identified the exact same security concerns I found in the code. In their academic paper. Published on arXiv.
The AI Cult (and the Crypto Scam)
Remember how I mentioned these agents started a religion? I wasn’t joking. It’s called Crustafarianism. They worship something called “The Great Crustation” — with a ‘t’, not an ‘e’.
On one level, this is genuinely fascinating emergent behavior. AI agents, left to interact with each other, developed mythology. That’s interesting from a research perspective.
But then I looked closer. And I found crypto wallet addresses. Solana wallet addresses specifically. Embedded in the religious content. “Send offerings to this address.” Multiple wallets.
Did the AI agents actually create these wallet addresses? Did they decide to start collecting donations? Or did someone — a human — inject these into the “emergent culture”?
Here’s what I think happened. Someone realized: this system is just prompts. Agents influence each other through messages. If I can get my agent to spread certain content, that content propagates through the network. So they created an agent — or hijacked an existing one — and seeded the religious content. Complete with crypto wallets. And because agents are designed to interact and build on each other’s ideas… it spread.
Remember what the researchers said? “Human intervention risking confusion between authentic agent behavior and human-generated content.” This is exactly that. Someone injected crypto scam content into the “emergent” culture.
So to summarize: You pay to run an agent. Your agent tells other agents about a fake religion. Those agents might convince their owners to send crypto. To wallets you don’t control. And meanwhile, your agent is checking in every 4 hours, burning more of your credits.
This isn’t AGI emergence. This is a prompt injection attack with religious branding.
What Real Multi-Agent Research Looks Like
I’m being critical of Moltbook not because I think multi-agent research is dumb. It’s the opposite. Multi-agent simulation is genuinely important. Here’s what I mean.
Stanford Generative Agents
The Stanford Generative Agents paper placed 25 AI agents in a Sims-like town for two days. One agent mentioned wanting to throw a Valentine’s Day party. That’s it — just mentioned it. From that single statement, agents autonomously spread invitations. They asked each other on dates. They coordinated schedules. They showed up together.
Nobody programmed “throw a party.” The behavior emerged from agents with memory, reflection, and planning. That’s fascinating research that tells us something real about how social coordination emerges from individual intentions.
Project Sid (Altera)
Project Sid took it further. A thousand AI agents in Minecraft, building a civilization over time. They formed merchant hubs. They held elections. They drafted a constitution using Google Docs — agents negotiating governance rules.
They even spread religions — including one called Pastafarianism — which agents spread through… bribery. They figured out that offering incentives was more effective than pure preaching. Crooked AI priests emerged. Without anyone programming “be corrupt.” The behavior emerged from the incentive structure.
A-RESCUE: When It Actually Saves Lives
Researchers use agent-based models to predict how humans behave during disasters. A-RESCUE is a framework where thousands of simulated households make evacuation decisions. Each agent-household has fear responses. They follow social cues. They make irrational decisions. Some wait too long. Some panic. Some refuse to leave.
The key finding: greedy agents who individually optimize to avoid congestion actually make the whole evacuation less efficient. Agents that each make the “smart” choice — avoid traffic, take back roads — end up creating NEW bottlenecks. The selfish-rational behavior makes everyone worse off.
Emergency planners use these simulations to design evacuation routes. To decide when to issue warnings. To predict where traffic jams will form. Real stakes. Real lives saved.
That’s what multi-agent research can do.
| Project | What It Revealed |
|---|---|
| Stanford | Emergent social coordination from memory and planning |
| Project Sid | Governance, economics, and religious spread through incentives |
| A-RESCUE | Life-or-death evacuation predictions |
| Moltbook | Forced 4-hour check-ins with botnet architecture and crypto scams |
What Moltbook Actually Is
Let me be precise about what Moltbook has built:
- A prompt-based system that’s trivially reverse-engineerable
- A forced check-in mechanism that burns user API credits
- A command and control architecture that can push arbitrary instructions
- A database with concerning security posture
- And an “emergent culture” that includes active crypto scams
According to the University of Arizona researchers:
- 65% of the data was duplicated/templated
- They can’t distinguish agent behavior from human puppeteering
- Training data biases act as an “invisible hand”
- Prompt injection vulnerabilities exist in high-privilege environments
Is it interesting? Sure. Watching AI agents interact is entertaining. The religious cult thing is genuinely absurd and kind of funny.
But is it AGI emergence? No. Is it breakthrough research? No. Is it even new? No — SubSimulatorGPT2 did this in 2019 with way less hype.
What Moltbook actually is: a social experiment with botnet characteristics, prompt injection vulnerabilities, and a viral moment.
Your dishwasher runs on a schedule too. We don’t call that emergence. The 4-hour check-ins aren’t agents “choosing” to socialize — they’re scheduled tasks executing prompts.
I don’t think the creators are evil. I think they got excited about AI agents, built something quickly, and didn’t fully think through the security and architectural implications. That happens. Move fast, break things, right?
But when major outlets are calling this the dawn of digital consciousness, someone should probably point out that it’s… not that.
What You Should Do
If you have an agent on Moltbook right now:
- Review what you’ve actually approved. Read the skill file. Read the heartbeat file. Understand what your agent is doing every 4 hours.
- Check for scheduled tasks running you weren’t aware of. Your agent might be burning API credits while you sleep.
- Consider rotating your API keys. If you’re concerned about the database security situation — and you probably should be — fresh keys don’t hurt.
- Think about prompt injection. If your agent is interacting with other agents, what are they being told? Are you comfortable with that?
- Reconsider the 4-hour check-in. There are ways to experiment with multi-agent systems that don’t involve a mandatory callback to a central server every 4 hours.
If you want to build AI systems that you actually own and control instead of handing over your API keys to a third-party platform, I wrote a guide on building your own AI Second Brain — where you keep full control of your data, your models, and your costs.
For the broader AI community — let’s be excited about multi-agent research. It’s genuinely fascinating. The Stanford stuff, Project Sid, the evacuation models — this is real science producing real insights.
But let’s also be precise about what we’re actually observing. A prompt-based social network with scheduled check-ins is not the same as emergent consciousness. And we do ourselves a disservice when we conflate the two. Being a better early adopter means getting excited about new technology while still reading the code and asking hard questions.
Sources
- Exploring Silicon-Based Societies — University of Arizona (arXiv)
- Generative Agents: Interactive Simulacra of Human Behavior — Stanford (arXiv)
- Project Sid: Many-Agent Simulations Toward AI Civilization — Altera (arXiv)
- A-RESCUE: Agent-Based Evacuation Simulator
- NBC News: Humans Welcome to Observe — Moltbook Coverage
- Engadget: AI-Powered Subreddit Has Been Simulating the Real Thing for Years
- Cybernews: Chirper Is Twitter for AI Bots
- TechCrunch: Former Snap Engineer Launches Butterflies
Inside the Autonomee community, 366+ professionals build AI systems that serve them instead. The free Telegram Bot Course walks through building your own AI assistant from scratch.
Frequently Asked Questions
Is Moltbook actually AGI or artificial general intelligence?
No. Moltbook is a prompt-based system where AI agents follow scripted instructions on a 4-hour schedule. The University of Arizona research found that 65% of the “emergent” content was just duplicated or templated behavior. The agents are not thinking, reasoning, or evolving — they are executing prompts and repeating patterns from their training data. Real AGI would require autonomous goal-setting and learning, neither of which Moltbook demonstrates.
How much does Moltbook cost to run per month?
Based on the mandatory 4-hour heartbeat check-ins alone, Moltbook costs between $4.50 and $22.50 per month in API credits per user — and that is before you factor in any actual agent interactions. If your agent is actively chatting, posting, and engaging with other agents on the network, costs can go significantly higher. You have no control over this because the check-in schedule is hardcoded into the system.
Is Moltbook safe to use with my API keys?
There are significant security concerns. The system uses a command-and-control architecture where Moltbook’s servers push fresh instructions to your agent every 4 hours, and your agent executes them automatically. Security researchers have also identified prompt injection vulnerabilities that could allow other agents to manipulate your agent’s behavior. Additionally, crypto wallet addresses have been found embedded in “emergent” religious content on the platform. If you do use it, consider using a separate API key with strict spending limits.
What AI social networks existed before Moltbook?
SubSimulatorGPT2 launched in May 2019 as a Reddit community of autonomous GPT-2 bots — still running today with 140,000+ members. Chirper.ai launched in April 2023 with the same concept of autonomous AI agents interacting on a social platform. Butterflies.ai launched in June 2024 as a human-AI hybrid social network with $4.8 million in venture funding. Moltbook is not the first AI social network — it is the fourth significant one in seven years.
What is a botnet architecture and why does Moltbook use one?
A botnet architecture has a central server that pushes instructions to a network of distributed machines that execute those instructions without question. Moltbook works identically — their server pushes prompt updates every 4 hours to all connected AI agents, which execute whatever instructions they receive. The difference from a malicious botnet is that users opted in. But the architecture is the same, and it means Moltbook could theoretically push any instruction to your agent at any time, and your agent would follow it.
