In brief
- Attackers used fake GitHub accounts to tag developers, claiming they had won $5,000 in $CLAW tokens and directing them to a cloned OpenClaw site.
- OX Security said the phishing page used heavily obfuscated JavaScript and a separate C2 server to drain connected wallets and hide activity.
- The accounts were created last week and deleted within hours of launch, with no confirmed victims so far.
OpenClaw’s viral rise has drawn an ugly new side effect: crypto scammers are now using the AI agent project’s name to target developers in a phishing campaign aimed at draining their wallets.
Security platform OX Security published a report on Wednesday detailing an active phishing campaign targeting OpenClaw in which threat actors create fake GitHub accounts, open issue threads in attacker-controlled repositories, and tag dozens of developers.
The scam claims recipients have won $5,000 worth of $CLAW tokens and directs them to a site nearly identical to openclaw.ai, with one addition: a “Connect your wallet” button designed to initiate wallet theft, according to the report.
The phishing campaign surfaced weeks after OpenAI CEO Sam Altman announced OpenClaw creator Peter Steinberger would lead its push into personal AI agents, with OpenClaw transitioning to a foundation-run open-source project.
That mainstream profile and the framework’s association with one of the most prominent names in AI make its developer community an increasingly attractive target.
Threat actors post GitHub issues telling developers, “Appreciate your contributions on GitHub. We analyzed profiles and chose developers to get OpenClaw allocation.” It then directs victims to a fake site supporting several major crypto wallets.
OX Security assessed that the attackers may be using GitHub’s star feature to identify users who have starred OpenClaw-related repositories, making the lure appear more targeted and credible.
The platform’s analysis found the wallet-stealing code buried inside a heavily obfuscated JavaScript file called “eleven.js.”
After deobfuscating the malware, researchers identified a built-in “nuke” function that wipes all wallet-stealing data from the browser’s local storage to frustrate forensic analysis.
The malware tracks user actions via commands such as PromptTx, Approved, and Declined, relaying encoded data, including wallet addresses, transaction values, and names, back to a C2 server.
Researchers identified one crypto wallet address they believe belongs to the threat actor, 0x6981E9EA7023a8407E4B08ad97f186A5CBDaFCf5, used to receive stolen funds.
The accounts were created last week and deleted within hours of launch, with no confirmed victims so far, according to OX Security.
Decrypt has reached out to Peter Steinberger and OX Security for comments.
OpenClaw’s crypto magnet problem
OpenClaw, a self-hosted AI agent framework that lets users run persistent bots connected to messaging apps, email, calendars, and shell commands, hit 323,000 GitHub stars following its acquisition by OpenAI last month.
That visibility quickly attracted bad actors, with OpenClaw creator Peter Steinberger saying crypto spam flooded OpenClaw’s Discord almost “every half hour,” forcing bans and ultimately a blanket prohibition after what he described to Decrypt as “nonstop coin promotion.”
Unlike chat-based AI tools, OpenClaw agents persist, wake on a schedule, store memory locally, and execute multi-step tasks autonomously.
OX Security recommends blocking token-claw[.]xyz and watery-compost[.]today across all environments, avoiding connecting crypto wallets to newly surfaced or unverified sites, and treating any GitHub issue promoting token giveaways or airdrops as suspicious, particularly from unknown accounts.
Users who recently connected a wallet should revoke approvals immediately, the platform warned.
Daily Debrief Newsletter
Start every day with the top news stories right now, plus original features, a podcast, videos and more.
Source: https://decrypt.co/361646/openclaw-developers-lured-github-phishing-campaign
