{"id":16007,"date":"2026-03-26T11:37:19","date_gmt":"2026-03-26T11:37:19","guid":{"rendered":"https:\/\/newestek.com\/?p=16007"},"modified":"2026-03-26T11:37:19","modified_gmt":"2026-03-26T11:37:19","slug":"github-phishers-use-fake-openclaw-tokens-to-drain-crypto-wallets","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=16007","title":{"rendered":"GitHub phishers use fake OpenClaw tokens to drain crypto wallets"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>Threat actors are actively exploiting OpenClaw\u2019s viral popularity to run a phishing campaign that targets developers on GitHub with lures of free crypto tokens.<\/p>\n<p>According to a disclosure by OX Security, the campaign involves fake \u201cCLAW\u201d token airdrops that promise thousands of dollars in rewards. Developers are being tricked into malicious GitHub repositories and discussions, and eventually redirected to convincingly cloned websites that prompt them to connect their crypto wallets.<\/p>\n<p>\u201cThe threat actor opens issues in attacker-controlled repositories and tags GitHub users to maximize visibility and reach,\u201d OX researchers said in a blog <a href=\"https:\/\/www.ox.security\/blog\/openclaw-github-phishing-crypto-wallet-attack\/\" target=\"_blank\" rel=\"noreferrer noopener\">post<\/a>. \u201cThe linked site is an almost identical clone of openclaw.ai, with one key difference: it adds a \u201cconnect your wallet\u201d button designed to initiate wallet theft.\u201d<\/p>\n<p>The researchers said that the threat actor created multiple accounts for the campaign and deleted all of them a few hours after the campaign began. 
Analysis suggested no users have yet been affected by the campaign.<\/p>\n<h2 class=\"wp-block-heading\" id=\"github-is-used-for-delivery\">GitHub is used for delivery<\/h2>\n<p>The campaign moves phishing inside GitHub workflows, something not very commonly <a href=\"https:\/\/www.csoonline.com\/article\/4062342\/macs-go-phishing-as-github-impostors-drop-atomic-stealer.html\">seen<\/a>. Attackers created or hijacked repositories, seeded them with attractive content, and amplified reach by tagging developers or engaging in discussions to boost visibility.<\/p>\n<p>The campaign uses a social engineering layer, which includes legitimate-looking issues, pull requests, and repo mentions, to bypass suspicion. GitHub was presumably chosen to exploit developer trust, as developers are more likely to click through a lure spread within a familiar environment.<\/p>\n<p>Victims are first pulled in via GitHub issues that read, \u201cAppreciate for your contributions on GitHub. We analyzed profiles and chose developers to get OpenClaw allocation.\u201d The message is framed as a limited-time token giveaway of $5000 worth of CLAW tokens, directing recipients to collect the tokens by visiting the malicious site. \u201cWe assess that the attackers may be using GitHub\u2019s star feature to identify users who starred OpenClaw-related repositories and target them specifically, making the phishing campaign appear more credible and relevant to recipients,\u201d the researchers added.<\/p>\n<p>CLAW isn\u2019t a legitimate token and is being promoted as a new launch in the scam narrative. 
In fact, OpenClaw developer Peter Steinberger has <a href=\"https:\/\/www.binance.com\/en-IN\/square\/post\/294349960654674\" target=\"_blank\" rel=\"noreferrer noopener\">explicitly said<\/a> in the past that the project will never issue tokens and any claim otherwise is a scam.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Smart, obfuscated malware code<\/h2>\n<p>According to OX, the malicious phishing and wallet-stealing code is \u201chighly obfuscated\u201d and resides within the \u201celeven.js\u201d JavaScript file in the repository.<\/p>\n<p>The threat actor used \u201cwatery-compost[.]today\u201d to host a C2 server to collect information (including wallet address, transaction value, and name) and drain wallets once they were connected. Commands used by the C2 include PromtTx, Approved, and Declined. Additionally, the malware code includes a \u201cnuke\u201d function that deletes wallet-stealing information from the browser\u2019s local storage to avoid detection and forensics, the researchers added.<\/p>\n<p>The address \u201c0x6981E9EA7023a8407E4B08ad97f186A5CBDaFCf5\u201d was extracted from the code and identified as the threat actor\u2019s wallet used to receive stolen cryptocurrency. The phishing page (\u201ctoken-claw[.]xyz\u201d) was said to support multiple crypto <a href=\"https:\/\/www.csoonline.com\/article\/573545\/intro-to-crypto-wallet-authentication.html\">wallets<\/a>, including WalletConnect, MetaMask, Trust Wallet, OKX Wallet, and Bybit Wallet.<\/p>\n<p>OX researchers recommended blocking the phishing domain from all environments, refraining from connecting crypto wallets to untrusted websites, and treating token giveaway issues from unknown sources as suspicious. 
Users should also review any recent wallet connections associated with the campaign and revoke all approvals immediately to stay protected.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Threat actors are actively exploiting OpenClaw\u2019s viral popularity to run a phishing campaign that targets developers on GitHub with lures of free crypto tokens. According to a disclosure by OX Security, the campaign involves fake \u201cCLAW\u201d token airdrops that promise thousands of dollars in rewards. Developers are being tricked into malicious GitHub repositories and discussions, and eventually redirected to convincingly cloned websites that prompt them&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=16007\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-16007","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light 
is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16007","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=16007"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16007\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=16007"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=16007"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=16007"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}