Phishing Campaign Targets Openclaw Developers
A phishing campaign is targeting the Openclaw community through counterfeit GitHub accounts and a cloned website, luring developers with false promises of a $5,000 airdrop of nonexistent $CLAW tokens, according to reports.
The attack was identified by OX Security and reportedly exploits the rapid growth of the Openclaw ecosystem, which boasts over 200,000 GitHub stars. As the platform garners attention, attackers create fraudulent profiles impersonating project developers, convincing unsuspecting users to interact with malicious sites that imitate legitimate platforms like openclaw.ai.
Details of the Scam Uncovered
The scheme employs disposable GitHub accounts that tag users who show interest in Openclaw’s repositories. The fraudulent messages direct victims to a fake domain like token-claw.xyz, where they encounter prompts urging them to connect their wallets, such as MetaMask or WalletConnect. This process triggers hidden JavaScript that extracts wallet data and transmits it to a remote command-and-control server, leading to asset theft via automated transfers.
Experts have described these attacks as increasing in sophistication, especially as Web3 technologies become more widely adopted. With malicious actors continuously refining their techniques, the Openclaw incident emphasizes a worrying trend—developers, often seen as more informed users, are not immune to such scams.
The purported $CLAW tokens have a market cap of just $4,500 and low trading volume, which further underscores the scam’s fraudulent nature: the airdrop effectively does not exist. Openclaw’s founder, Peter Steinberger, reiterated warnings issued on March 19, 2026, advising that the project is non-commercial and that any communications or claims regarding cryptocurrency investments outside of official channels are scams.
Preventing Future Incidents
While no confirmed thefts have been reported at this time, the investigation identifies one wallet address linked to the attackers. Cybersecurity firms, including OX Security, have issued warnings urging users to avoid unverified platforms and to refrain from engaging with suspicious wallet connection prompts. They recommend that users disregard unsolicited communications about airdrops and double-check URLs before connecting wallets.
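The advice to double-check URLs can be automated for incoming GitHub mentions. The following is an added example, not code from OX Security or the Openclaw project: it resolves each link in a comment to the host a browser would actually contact and flags non-official hosts that borrow the project name or sit beside airdrop and wallet lures. The trusted-domain list, keyword patterns and sample comments are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# openclaw.ai is named in the article; trusting github.com is this example's assumption.
OFFICIAL_DOMAINS = ("openclaw.ai", "github.com")
BRAND = "claw"  # substring shared by the project name and the fake token
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.I)
LURE_RE = re.compile(r"airdrop|\$claw|connect\s+(?:your\s+)?wallet|metamask|walletconnect", re.I)

def host_of(url):
    """Return the lowercased host the browser would actually contact, or None."""
    try:
        host = urlsplit(url).hostname  # drops userinfo such as 'openclaw.ai@'
    except ValueError:
        return None
    return host.rstrip(".") if host else None

def is_official(host):
    """True only for an official domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def assess_comment(text):
    """Return [(host, reasons)] for each non-official link worth a second look."""
    findings = []
    lure = bool(LURE_RE.search(text))
    for url in URL_RE.findall(text):
        host = host_of(url)
        if host is None or is_official(host):
            continue
        reasons = []
        if BRAND in host.replace("-", ""):
            reasons.append("brand-lookalike")
        if any(label.startswith("xn--") for label in host.split(".")):
            reasons.append("punycode")
        if lure:
            reasons.append("lure-text")
        if reasons:
            findings.append((host, reasons))
    return findings

# Constructed sample comments, modelled on the lure the article describes.
SAMPLES = [
    "@dev you qualify for the $5,000 $CLAW airdrop, connect wallet at https://token-claw.xyz/claim",
    "Release notes are at https://openclaw.ai/blog and https://github.com/notifications",
    "Verify here: https://openclaw.ai@token-claw.xyz/",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(assess_comment(s) or "ok", "<-", s)
```

The third sample shows why the host must be parsed rather than matched as a substring: the text before the `@` is userinfo, so the link leads to token-claw.xyz even though it begins with the official domain.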
The incident serves as a stark reminder of the cyber threats emerging within crypto development. Experts recommend utilizing hardware wallets and maintaining constant vigilance regarding online engagements related to cryptocurrency projects.
As the regulatory landscape surrounding cryptocurrency continues to evolve, incidents like this could prompt greater scrutiny of Web3 technologies and security protocols. The emphasis on monitoring and improving defenses against such phishing attacks will likely remain a critical focus for developers and security professionals alike.









