OpenClaw Developers Targeted by GitHub Phishing Scam

Attackers are targeting OpenClaw developers on GitHub with fake $5,000 CLAW token airdrops, directing them to a cloned site designed to drain crypto wallets.

Eliza Crichton-Stuart

Updated Mar 19, 2026

"Appreciate your contributions on GitHub. We analyzed profiles and chose developers to get OpenClaw allocation." That's the message hundreds of developers have been receiving from fake GitHub accounts, and it's bait.

Security platform OX Security published a report detailing an active phishing campaign that's been specifically targeting contributors to the OpenClaw project. The setup is calculated: attackers create throwaway GitHub accounts, open issue threads in attacker-controlled repositories, and tag developers who have starred OpenClaw-related repos. The message claims they've won $5,000 worth of $CLAW tokens and points them to a site that looks nearly identical to openclaw.ai, complete with a freshly added "Connect your wallet" button.

How the Attack Unfolded

The fake site, token-claw[.]xyz, is a near-perfect clone of the real OpenClaw homepage, with one critical addition: a wallet connection prompt. Once a developer connects their wallet, the malicious code gets to work.

OX Security's analysis, detailed in their full breakdown, found the wallet-draining logic buried inside a heavily obfuscated JavaScript file named "eleven.js." After deobfuscating it, researchers discovered a built-in "nuke" function that wipes all wallet-stealing data from the browser's local storage once it's done, specifically to frustrate forensic investigation.

The malware tracks victim interactions through commands including PromptTx, Approved, and Declined, then relays encoded data back to a command-and-control (C2) server. That encoded payload includes wallet addresses, transaction values, and account names.

Researchers identified one crypto wallet address believed to belong to the threat actor: 0x6981E9EA7023a8407E4B08ad97f186A5CBDaFCf5. At the time of reporting, it had not yet sent or received any funds.

Why OpenClaw Was the Target

Here's the thing: OpenClaw didn't end up in scammers' crosshairs by accident. The self-hosted AI agent framework exploded in visibility after OpenAI CEO Sam Altman announced that OpenClaw creator Peter Steinberger would lead the company's push into personal AI agents. The project hit 323,000 GitHub stars following its acquisition by OpenAI, making its contributor base one of the most recognizable developer communities in the AI space right now.

That profile is exactly what makes it attractive to bad actors. OX Security noted the attackers appear to have used GitHub's star feature to identify and target users who starred OpenClaw repositories, making the fake airdrop message feel eerily specific and credible.

It's also not OpenClaw's first brush with crypto opportunism. Steinberger previously told Decrypt that crypto spam was flooding OpenClaw's Discord almost "every half hour," eventually forcing a blanket ban on all coin-related discussion.

The Fake Accounts Vanished Fast

The fraudulent GitHub accounts were created just last week and deleted within hours of launching the campaign. According to OX Security, no confirmed victims have been reported so far.

OX Security research team lead Moshe Siman Tov Bustan noted the campaign bears resemblance to a previous attack that spread on GitHub targeting Solana users, though analysis of the exact relationship between the two campaigns is still ongoing.

The platform recommends blocking token-claw[.]xyz and watery-compost[.]today across all environments, and avoiding connecting wallets to any newly surfaced or unverified sites, regardless of how legitimate they appear.
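One way to check existing proxy or DNS logs against the two domains above, as an added example that is not taken from OX Security's report. The log layout (timestamp, client, requested host or URL) and the sample lines are constructed assumptions; matching is on the exact domain and its subdomains, so hosts that merely contain the string are not flagged.

```python
from urllib.parse import urlsplit

# Domains OX Security recommends blocking, kept defanged as on the page.
DEFANGED_IOCS = ["token-claw[.]xyz", "watery-compost[.]today"]

def refang(indicator: str) -> str:
    """Turn a defanged indicator ([.], hxxp) back into a plain value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

BLOCKLIST = {refang(d).lower() for d in DEFANGED_IOCS}

def extract_host(value: str) -> str:
    """Return the lowercase hostname from a URL or bare host[:port] string."""
    value = refang(value.strip())
    if "://" not in value:
        value = "//" + value           # lets urlsplit parse a bare hostname
    try:
        host = urlsplit(value).hostname or ""
    except ValueError:                 # malformed netloc in a log field
        return ""
    return host.rstrip(".").lower()    # drop the trailing dot of an FQDN

def is_blocked(value: str) -> bool:
    """True if the host is a listed domain or any subdomain of one."""
    host = extract_host(value)
    return any(host == d or host.endswith("." + d) for d in BLOCKLIST)

def scan(log_lines):
    """Yield (line_number, host) for each log line whose third field is blocked."""
    for n, line in enumerate(log_lines, 1):
        fields = line.split()
        if len(fields) >= 3 and is_blocked(fields[2]):
            yield n, extract_host(fields[2])

# Constructed sample log (not real traffic); client IPs are documentation ranges.
SAMPLE_LOG = [
    "2026-03-19T10:00:01Z 192.0.2.10 https://openclaw.ai/",
    "2026-03-19T10:00:05Z 192.0.2.11 https://Token-Claw.xyz/claim",
    "2026-03-19T10:00:09Z 192.0.2.12 api.watery-compost.today.:443",
    "2026-03-19T10:00:12Z 192.0.2.13 https://token-claw.xyz.example.net/",
    "2026-03-19T10:00:15Z 192.0.2.14 nottoken-claw.xyz",
]

if __name__ == "__main__":
    for n, host in scan(SAMPLE_LOG):
        print(f"line {n}: blocked host {host}")
```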

What Comes Next for OpenClaw's Community

OpenClaw has transitioned to a foundation-run open-source project, which means its contributor base is only going to grow. More stars, more developers, more surface area for exactly this kind of targeted social engineering. The Hacker News discussion on this campaign highlighted several red flags that stood out to security-minded readers, including the suspicious speed of account creation and deletion.

Peter Steinberger has been contacted for comment. For now, the best defense is skepticism: no legitimate project will ever notify you of a token allocation through a GitHub issue from an account you've never seen before.

Announcements, Reports

Updated: March 19th 2026

Posted: March 19th 2026
