OpenClaw Developers Lured in GitHub Phishing Campaign Targeting Crypto Wallets

OpenClaw’s viral rise has drawn an ugly new side effect: crypto scammers are now using the AI agent project’s name to target developers in a phishing campaign aimed at draining their wallets. 

Security platform OX Security published a report on Wednesday detailing an active phishing campaign targeting OpenClaw in which threat actors create fake GitHub accounts, open issue threads in attacker-controlled repositories, and tag dozens of developers. 

The scammer posts GitHub issues telling developers, “Appreciate your contributions on GitHub. We analyzed profiles and chose developers to get OpenClaw allocation,” and claims they have won $5,000 worth of $CLAW tokens, directing them to a fake website that closely resembles openclaw.ai. The site includes an added “Connect your wallet” button designed to trigger wallet theft.

OX Security research team lead and a co-author of the report, Moshe Siman Tov Bustan, told Decrypt they uncovered evidence the scam attempt bears resemblance to a campaign that "spread on GitHub, relating to Solana."

"[We're still] analyzing the behavior and the relation of these campaigns," Bustan added.

The phishing campaign surfaced weeks after OpenAI CEO Sam Altman announced OpenClaw creator Peter Steinberger would lead its push into personal AI agents, with OpenClaw transitioning to a foundation-run open-source project. 

That mainstream profile and the framework's association with one of the most prominent names in AI make its developer community an increasingly attractive target.

OX Security said it had previously assessed the attackers may be using GitHub's star feature to identify users who have starred OpenClaw-related repositories, making the lure appear more targeted and credible.

The platform’s analysis found the wallet-stealing code buried inside a heavily obfuscated JavaScript file called "eleven.js."

"According to who that was targeted and the user's reports on GitHub," the campaign targeted only users who "starred the OpenClaw GitHub repository," Bustan said. "During our analysis, we found only one address belonging to the threat actor, which hadn't sent or received any funds yet."

After deobfuscating the malware, researchers identified a built-in "nuke" function that wipes all wallet-stealing data from the browser's local storage to frustrate forensic analysis. 

The malware tracks user actions via commands such as PromptTx, Approved, and Declined, relaying encoded data, including wallet addresses, transaction values, and names, back to a C2 server.

Researchers identified one crypto wallet address they believe belongs to the threat actor, 0x6981E9EA7023a8407E4B08ad97f186A5CBDaFCf5, used to receive stolen funds. 

The accounts were created last week and deleted within hours of launch, with no confirmed victims so far, according to OX Security.

Decrypt has reached out to Peter Steinberger for comment.

OpenClaw's crypto magnet problem

OpenClaw, a self-hosted AI agent framework that lets users run persistent bots connected to messaging apps, email, calendars, and shell commands, hit 323,000 GitHub stars following its acquisition by OpenAI last month. 

That visibility quickly attracted bad actors, with OpenClaw creator Peter Steinberger saying crypto spam flooded OpenClaw’s Discord almost “every half hour,” forcing bans and ultimately a blanket prohibition after what he described to Decrypt as “nonstop coin promotion.”

Unlike chat-based AI tools, OpenClaw agents persist, wake on a schedule, store memory locally, and execute multi-step tasks autonomously.

OX Security recommends blocking token-claw[.]xyz and watery-compost[.]today across all environments, avoiding connecting crypto wallets to newly surfaced or unverified sites, and treating any GitHub issue promoting token giveaways or airdrops as suspicious, particularly from unknown accounts. 

Users who recently connected a wallet should revoke approvals immediately, the platform warned. 

Editor's note: Adds comment from OX Security's Bustan