HIGH | Vulnerabilities | Reddit r/netsec

Qihoo 360's AI Product Leaked the Platform's SSL Key, Issued by Its Own CA Banned for Fraud

Qihoo 360's AI product, 360 Security Lobster, shipped a wildcard SSL private key for *.myclaw.360.cn within its public installer, exposing the key to any user who downloaded the software. The certificate was issued by WoTrus CA, a subsidiary and rebrand of the distrusted WoSign CA. No specific affected versions, patches, or CVSS score are provided in the article.

Qihoo 360, China's largest cybersecurity company with approximately 460 million users and a valuation of approximately $10 billion, shipped a wildcard SSL private key inside the public installer of its new AI assistant, 360 Security Lobster (360安全龙虾). The certificate was issued by WoTrus CA Limited. WoTrus is a subsidiary of Qihoo 360 and the rebranded version of WoSign, a certificate authority that was distrusted by Google Chrome, Mozilla Firefox, and Apple Safari in 2016 for backdating certificates and concealing corporate acquisitions.

Six days before the key was discovered in the installer, Qihoo 360 founder Zhou Hongyi publicly promised that 360 Security Lobster would "not damage the user's system, not delete data, and not leak passwords or other private information on the user's computer." The original Chinese statement from Zhou Hongyi: 保证"龙虾"在用户电脑上不会破坏系统、不删除数据、不泄露密码等隐私信息。

What Happened

On March 10, 2026, Zhou Hongyi announced 360 Security Lobster (360安全龙虾), a commercial wrapper around the open-source AI agent OpenClaw. The product was positioned as a solution to OpenClaw's three primary problems: high installation barriers (usage threshold too high), unpredictable results (results too random), and security vulnerabilities (security risks too prominent). Zhou described OpenClaw as "a remarkable innovation" but likened it to "an intern" that requires patient training. 360 Security Lobster was framed as the enterprise-grade fix, reducing setup time from approximately six hours to ten minutes. A follow-up media exchange took place on March 12, and a formal launch event with a live demonstration was held on March 14, 2026 at 360's headquarters in Beijing.

On March 16, 2026, security researchers discovered that the installer package contained the wildcard SSL private key for *.myclaw.360.cn, stored at:

    /namiclaw/components/OpenClaw/openclaw.7z/credentials

The discovery originated on the Chinese developer forum linux.do, in a post titled "地狱笑话:360的安全龙虾,打包了自己域名的私钥" ("Hell joke: 360's Security Lobster bundled its own domain's private key"). The findings were mirrored via channel.0w0.best and subsequently amplified by X user @realNyarime (who published the actual PEM-encoded certificate data), security researcher Lukasz Olejnik, and the International Cyber Digest.

Certificate Details

The following details were extracted from the leaked certificate and key using OpenSSL:

    $ openssl x509 -in myclaw.360.cn.crt -text
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                98:df:ea:fd:c4:c3:23:71:f0:ab:49
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=CN, O=WoTrus CA Limited
            Validity
                Not Before: Mar 12 00:00:00 2026
                Not After : Apr 12 23:59:59 2027
            Subject: CN=*.myclaw.360.cn

The MD5 fingerprint of the RSA private key's modulus matches the certificate's modulus exactly:

    $ openssl rsa -modulus -noout -in myclaw.360.cn.key | openssl md5
    MD5(stdin)= 446097b7674080186a469ecb0945f5af
    $ openssl x509 -modulus -noout -in myclaw.360.cn.crt | openssl md5
    MD5(stdin)= 446097b7674080186a469ecb0945f5af

The matching fingerprints (446097b7674080186a469ecb0945f5af) confirm that the leaked file is the private key belonging to this certificate, not just a copy of the public certificate. The wildcard certificate covers every subdomain of myclaw.360.cn and is valid until April 12, 2027.

What the Leaked Key Enables

Anyone in possession of this private key can:

- Impersonate 360's servers to any client that trusts the certificate.
- Intercept encrypted traffic between users and the myclaw.360.cn platform via man-in-the-middle attacks.
- Forge login pages that are cryptographically indistinguishable from legitimate ones.
- Hijack AI agent sessions running through the platform.

Every user who connected to any subdomain of myclaw.360.cn between the installer's release and whenever the certificate is revoked was potentially exposed. Any traffic intercepted during that period using the leaked key is retroactively compromised. Per the CA/Browser Forum Baseline Requirements, certificate authorities must revoke compromised certificates within 24 hours of confirmed key compromise.

WoTrus CA Issued the Certificate. Qihoo 360 Owns WoTrus.

This is where the story takes a turn that no other English-language report has covered. The leaked certificate was issued by WoTrus CA Limited. WoTrus is the rebranded version of WoSign CA Limited, a Chinese certificate authority. Qihoo 360 owns WoSign and, by extension, WoTrus. The name change was approved by WoTrus's board on August 24, 2017. Hong Kong corporate registry records confirm the name history: WoSign eCommerce Services Limited (2010) to WOSIGN CA LIMITED (2013) to WoTrus CA Limited (August 24, 2017). WoSign stated the rebrand was "to clearly distinguish between WoSign old root CA certificate and the upcoming new root CA certificate."

The WoSign History

In 2015, WoSign secretly acquired StartCom, an Israeli certificate authority founded in 1999, without disclosing the deal to bro...
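As an added example that is not part of the original article, the following POSIX shell script turns the article's openssl modulus check into a release gate a build pipeline could run over an extracted installer: it lists bundled PEM private keys, verifies whether a key belongs to a certificate by comparing moduli, and tests which hostnames a wildcard CN covers. The package paths and the self-signed key and certificate it generates are constructed for the example; it assumes only the openssl CLI is installed.

```shell
#!/bin/sh
# Added example (not the article's or Qihoo 360's code): a release-gate check that flags
# PEM private keys bundled in an extracted installer tree, confirms whether a key belongs
# to a certificate (the modulus comparison the article did with openssl), and tests which
# hostnames a wildcard CN covers. All paths and the self-signed test material are constructed.
set -eu

# Print every file under $1 that contains a PEM private-key block.
find_bundled_private_keys() {
    grep -rlE -- '-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----' "$1" || true
}

# Return 0 when private key $1 belongs to certificate $2. Compare the moduli directly:
# md5-hashing them (as in the article) is a convenience and would also "match" on empty output.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Return 0 when hostname $2 is covered by the subject CN of certificate $1. A wildcard
# matches exactly one DNS label (RFC 6125); real clients check subjectAltName, not CN.
cert_covers_host() {
    cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -E 's/^subject= *CN *= *//')
    case $cn in
        \*.*) [ "${2#*.}" = "${cn#\*.}" ] && [ "${2%%.*}" != "$2" ] ;;
        *)    [ "$2" = "$cn" ] ;;
    esac
}

# Constructed fixture: a wildcard key+cert shipped under components/credentials, plus an
# unrelated key that must not match the certificate.
make_fixture() {
    mkdir -p "$1/pkg/components/credentials" "$1/pkg/other"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=*.example.test' \
        -keyout "$1/pkg/components/credentials/wildcard.key" \
        -out "$1/pkg/components/credentials/wildcard.crt" >/dev/null 2>&1
    openssl genpkey -algorithm RSA -out "$1/pkg/other/unrelated.key" >/dev/null 2>&1
}

main() {
    d=$(mktemp -d); make_fixture "$d"
    echo "Private-key files in package:"; find_bundled_private_keys "$d/pkg"
    key_matches_cert "$d/pkg/components/credentials/wildcard.key" \
        "$d/pkg/components/credentials/wildcard.crt" && echo "key belongs to cert: block the release"
    rm -rf "$d"
}

main "$@"
```

In a real pipeline, point find_bundled_private_keys at the unpacked installer and fail the build on any hit, whether or not a matching certificate ships alongside it.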
