Security firm OX Security has uncovered an active phishing campaign targeting OpenClaw developers through GitHub, using fake cryptocurrency token airdrops to drain victims' wallets. The findings, published on March 19, 2026, highlight how OpenClaw's explosive popularity has made its community a prime target for scammers.
How the Attack Works
Threat actors create fraudulent GitHub accounts, open issue threads in attacker-controlled repositories, and tag dozens of developers with claims they've won "$5,000 worth of $CLAW tokens." The posts direct victims to a site that is an almost identical clone of openclaw.ai — with one critical difference: it adds a "Connect your wallet" button designed to initiate wallet theft.
The phishing pages prompt users to connect major crypto wallets like MetaMask, WalletConnect, and Trust Wallet, enabling malicious transactions once users approve access.
Technical Details
The wallet-draining code is hidden in heavily obfuscated JavaScript within a file called "eleven.js". The malware tracks user actions via commands such as "PromptTx," "Approved," and "Declined," relaying data — including wallet addresses and transaction values — to a command-and-control server. A notable "nuke" function removes traces of the malicious activity from the browser's local storage after execution.
Targeting Strategy
Researchers believe the attackers used GitHub's star feature to identify users who starred OpenClaw-related repositories, making the phishing messages appear more credible and personalized to active community members.
Current Status
The fake accounts were created and deleted within hours of launch, with no confirmed victims reported at the time of analysis. One identified cryptocurrency address (0x6981...FCf5) showed no fund transfers. However, OX Security warns that similar campaigns are likely to continue given OpenClaw's growing visibility.
The campaign emerged shortly after OpenAI announced it had hired OpenClaw's creator, raising the project's profile as an attractive target for cybercriminals.