Wallet Draining Scam Targets Openclaw Community With Fake Airdrop

A phishing campaign targeting Openclaw developers is spreading through GitHub, attempting to trick users into connecting crypto wallets and exposing funds to theft.

Crypto Developers Warned of GitHub-Based Phishing Attack

Cybersecurity firm OX Security reported this week that it identified the campaign, which impersonates the Openclaw ecosystem and uses fake GitHub accounts to reach developers directly.

Attackers post issue threads in repositories and tag users, claiming they have been selected to receive $5,000 worth of so-called CLAW tokens. The messages direct recipients to a fraudulent website designed to closely mimic openclaw.ai. The key difference is a wallet connection prompt that initiates malicious activity once approved.

According to OX Security researchers Moshe Siman Tov Bustan and Nir Zadok, connecting a wallet to the site can result in funds being drained. The campaign relies on social engineering tactics that make the offer appear tailored. Researchers believe attackers may be targeting users who previously interacted with Openclaw-related repositories, increasing the likelihood of engagement.

Technical analysis shows the phishing infrastructure includes a redirect chain leading to the domain token-claw[.]xyz, as well as a command-and-control server hosted at watery-compost[.]today. Malicious code embedded in a JavaScript file collects wallet data, including addresses and transaction details, and transmits it to the attacker.

OX Security also identified a wallet address linked to the threat actor that may be used to receive stolen funds. The code includes functions designed to track user behavior and erase traces from local storage, complicating detection and forensic analysis.

While no confirmed victims have been reported, researchers warn the campaign is active and evolving. Users are advised to avoid connecting crypto wallets to unfamiliar websites and to treat unsolicited token offers on GitHub as suspicious.
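For repository maintainers, the indicators and lure wording reported above can be turned into a triage check on incoming issue and comment text. The sketch below is an added example, not code from OX Security or the Openclaw project: the two domains come from the article, while the function names, the lure heuristic (a dollar amount plus a "CLAW" token mention) and the sample issue bodies are assumptions constructed for illustration.

```python
import re

# Indicators named in the article, refanged for matching only.
IOC_DOMAINS = ("token-claw.xyz", "watery-compost.today")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
# Lure wording from the article: a dollar amount offered in "CLAW" tokens.
AMOUNT_RE = re.compile(r"\$\s?\d[\d,]*")
TOKEN_RE = re.compile(r"\bCLAW\b")
MENTION_RE = re.compile(r"(?<![\w/])@[A-Za-z0-9-]+")  # GitHub-style @user tag

def refang(text):
    """Undo common defanging so [.] and hxxp forms match like live links."""
    text = re.sub(r"\[\.\]|\(\.\)|\[dot\]", ".", text, flags=re.I)
    return re.sub(r"hxxp", "http", text, flags=re.I)

def ioc_hits(text):
    """IoC domains referenced in text; subdomains match only on a label boundary."""
    hits = set()
    for host in HOST_RE.findall(refang(text)):
        host = host.lower()
        for ioc in IOC_DOMAINS:
            if host == ioc or host.endswith("." + ioc):
                hits.add(ioc)
    return sorted(hits)

def triage(body):
    """Classify one issue or comment body as 'block', 'review' or 'ok'."""
    reasons = [f"ioc:{d}" for d in ioc_hits(body)]
    lure = bool(AMOUNT_RE.search(body) and TOKEN_RE.search(body))
    if lure:
        reasons.append("lure:token-offer")
        if MENTION_RE.search(body):
            reasons.append("lure:tags-users")
    if reasons and reasons[0].startswith("ioc:"):
        return "block", reasons
    return ("review" if lure else "ok"), reasons

# Constructed sample issue bodies (not real posts).
SAMPLES = [
    "@alice @bob you were selected for $5,000 in CLAW tokens: hxxps://claim.token-claw[.]xyz/airdrop",
    "Congrats @carol, $5,000 worth of CLAW is waiting, reply for the link.",
    "Build log mirrored at http://nottoken-claw.xyz.example.org/run/17",
    "Docs typo on the openclaw.ai landing page.",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(triage(body), "<-", body[:40])
```

The suffix comparison on a label boundary keeps an unrelated host such as the third sample from matching, which a plain substring search would flag.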

Additionally, the cybersecurity company CertiK published a report the same day specifically discussing the exploits surrounding “skill scanning.” The firm evaluated a proof-of-concept skill that contained a flaw, and the exploited component was able to bypass the Openclaw system’s sandbox.

These security developments arrive as Openclaw gains massive traction among the masses and crypto developers alike, who are actively building on the platform.

FAQ 🔎

  • What is the Openclaw phishing attack?

A scam targeting developers with fake token offers that trick users into connecting crypto wallets.

  • How does the attack work?

Users are directed to a cloned website where connecting a wallet enables theft mechanisms.

  • Who is being targeted?

Primarily developers interacting with Openclaw-related GitHub repositories.

  • How can users stay safe?

Avoid connecting wallets to unknown sites and ignore unsolicited token giveaways.
