Scammers Are Using OpenClaw’s Popularity to Drain Developers’ Crypto Wallets on GitHub
OpenClaw, the open-source AI agent launched in November 2025 that lets users run autonomous tasks locally via WhatsApp or Telegram, and which has accumulated 324,000 GitHub stars to rank ninth among all repositories globally, has attracted a wave of opportunistic attacks targeting its developer community.
The latest was identified Wednesday by OX Security, which found attackers scraping the GitHub API to identify users who had starred OpenClaw-related repositories, then creating fake accounts and tagging those developers with a message claiming they had been “chosen” to receive a token allocation.
The message directed them to token-claw[.]xyz, a near-identical clone of openclaw.ai, routed through a Google link shortener that bypassed standard email security filters.
The cloned site had one addition: a “Connect your wallet” button. Connecting activated a wallet drainer kit, malicious software that, once a user signs a transaction prompt, transfers tokens from their wallet to an attacker-controlled address.
OX found the code heavily obfuscated inside a file named eleven.js, with a separate command-and-control server at watery-compost[.]today receiving encoded data tracking whether users completed or declined wallet connection prompts.
The kit also contained a “nuke” function that deleted the wallet-stealing code from the browser’s local storage after execution to hinder forensic recovery. The fake accounts were created last week and removed within hours of being flagged. One wallet address believed to belong to the attacker has been identified: 0x6981E9EA7023a8407E4B08ad97f186A5CBDaFC.
Why Developers Are the Target
The focus on developers seems to be deliberate. Those working with AI agent tooling are more likely to hold crypto wallets for Web3 testing, and more likely to find a token allocation from a prominent open-source project plausible.
Targeting by GitHub stars made the messages appear credible. OX Security research lead Moshe Siman Tov Bustan told Decrypt the campaign resembles a previously observed GitHub phishing operation relating to Solana, with analysis ongoing.
By routing notifications through GitHub’s own email infrastructure, the messages passed SPF, DKIM, and DMARC authentication checks, the standard protocols most spam filters rely on, making automated blocking harder.
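Because the mail itself authenticates cleanly, a defender is left inspecting the mention text and its links. The following Python check is an added example, not code from OX Security or the article, that flags a GitHub notification body when it combines the campaign’s lure wording with a link shortener or a brand-lookalike domain outside an allowlist; the shortener list, allowlist and sample messages are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Brand tokens to watch for in hostnames, and the domains allowed to carry them (assumed allowlist).
BRAND_TOKENS = ("openclaw", "claw")
ALLOWED_DOMAINS = {"openclaw.ai", "github.com"}
# Link shorteners that hide the landing page (constructed list; extend for your environment).
SHORTENER_DOMAINS = {"goo.gl", "g.co", "bit.ly", "t.co", "tinyurl.com"}
# Phrasing from the lure described in the article.
LURE_PHRASES = ("chosen", "token allocation", "connect your wallet", "claim")

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")

def registrable_domain(host: str) -> str:
    """Last two labels of the host (crude public-suffix handling, adequate for these samples)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def analyse_links(text: str) -> list[str]:
    """Return one indicator string per suspicious URL found in the text."""
    indicators = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        domain = registrable_domain(host)
        if domain in SHORTENER_DOMAINS:
            indicators.append(f"shortener hides destination: {host}")
        elif domain not in ALLOWED_DOMAINS and any(t in host.replace("-", "") for t in BRAND_TOKENS):
            indicators.append(f"brand lookalike outside allowlist: {host}")
    return indicators

def score_mention(text: str) -> dict:
    """Combine link and wording indicators into a verdict for a GitHub mention/notification body."""
    lowered = text.lower()
    indicators = analyse_links(text)
    indicators += [f"lure phrase: {p!r}" for p in LURE_PHRASES if p in lowered]
    link_hits = sum(1 for i in indicators if not i.startswith("lure phrase"))
    phrase_hits = len(indicators) - link_hits
    # A suspicious link plus at least two lure phrases matches the described campaign pattern.
    verdict = "suspicious" if link_hits and phrase_hits >= 2 else "clean"
    return {"verdict": verdict, "indicators": indicators}

# Constructed samples modelled on the campaign description; not real messages.
SHORTENED_LURE = ("@dev-alice You have been chosen to receive an OpenClaw token allocation. "
                  "Claim here: https://goo.gl/x1y2z3 and connect your wallet.")
DIRECT_LURE = "Congrats, you were chosen! Connect your wallet at https://token-claw.xyz/claim"
BENIGN = "@dev-alice thanks for the review, merged in https://github.com/example/repo/pull/42"

if __name__ == "__main__":
    for msg in (SHORTENED_LURE, DIRECT_LURE, BENIGN):
        print(score_mention(msg))
```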
A Pattern, Not an Isolated Incident
This attack is part of a broader pattern. In early February, Malwarebytes and Huntress documented fake OpenClaw Windows installers on GitHub surfaced by Bing search results, delivering Vidar infostealer malware that harvested credentials and crypto wallets.
Between January 27 and February 1, more than 230 malicious packages were uploaded to ClawHub, OpenClaw’s skill marketplace, posing as trading tools while exfiltrating API keys and wallet private keys.
A malicious npm package named @openclaw-ai/openclawai, identified by JFrog and tracked as GhostClaw, was found on March 3 deploying a persistent remote access trojan, software that gives an attacker ongoing control of a device, which monitored clipboard content for private keys and wallet addresses. The package was removed on March 10.
Creator Peter Steinberger said in January that he would never issue a token and that any project listing him as a coin owner is a scam. He repeated the warning this week. OX Security recommends blocking token-claw[.]xyz and watery-compost[.]today, and revoking wallet approvals granted to unfamiliar platforms in the past week.