Crypto: OpenClaw Developers lured for $5,000, then robbed

By Evans S.


The campaign is easy to understand and disturbing in its mechanics. Developers associated with OpenClaw were targeted on GitHub with a promise of $5,000 in $CLAW tokens, before being redirected to a fake site designed to connect and then drain their cryptocurrency wallets. OX Security documented the operation, and the OpenClaw project itself eventually announced the scam publicly.


In short

  • A fake offer of $5,000 in $CLAW tokens was used as bait on GitHub.
  • The goal was to get users to connect their crypto wallets and then drain them.
  • No victims have been confirmed, but the method marks a new step.

A promise made to trigger a bad reflex

The attackers did not set the trap at random. They created fake GitHub accounts, opened discussions in repositories they controlled, and mentioned dozens of developers, explaining that they had been “selected” to receive token allocations. The message flattered the recipient's ego, mimicked the project's language and pushed an external link.

The fake site closely mimicked the appearance of openclaw.ai. The real difference was not noticeable at first glance: it lay in the “Connect wallet” button, which was not there to verify the drop but to initiate the theft. In the crypto world, this small gesture remains one of the riskiest, especially when prompted by urgency or an easy reward.
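A defender-side triage sketch for the lure described above (an added example, not code from OX Security, OpenClaw or the article): it flags mass @mentions, reward wording and links whose host imitates openclaw.ai. The thresholds, the term list, the github.com allowlist entry and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# openclaw.ai is the real site named in the article; github.com is an assumed allowlist entry.
OFFICIAL_HOSTS = ("openclaw.ai", "github.com")
LURE_TERMS = ("selected", "allocation", "airdrop", "claim", "connect wallet", "$claw")
MENTION_THRESHOLD = 10  # assumed cut-off for "dozens of developers" tagged in one post

def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def base_domain(host):
    # Naive last-two-labels rule (assumption); use a public-suffix list in production.
    return ".".join(host.rstrip(".").split(".")[-2:])

def triage(body):
    """Return a list of findings for one GitHub discussion or notification body."""
    findings = []
    mentions = set(re.findall(r"(?<![\w/])@([A-Za-z0-9-]{1,39})", body))
    if len(mentions) >= MENTION_THRESHOLD:
        findings.append(f"mass-mention:{len(mentions)}")
    hits = [t for t in LURE_TERMS if t in body.lower()]
    if hits:
        findings.append("lure-terms:" + ",".join(hits))
    for url in re.findall(r"https?://[^\s)>\]]+", body):
        full = (urlparse(url).hostname or "").lower()
        host = base_domain(full)
        if host in OFFICIAL_HOSTS:
            continue
        # Brand name reused anywhere in the hostname, or a near-miss spelling of an official host.
        imitates = any(o.split(".")[0] in full or edit_distance(host, o) <= 2
                       for o in OFFICIAL_HOSTS)
        findings.append(f"{'lookalike' if imitates else 'external'}-link:{host}")
    return findings

# Constructed samples; the .example domain is a placeholder, not an indicator from the campaign.
LURE_SAMPLE = ("You have been selected to receive a $5,000 $CLAW allocation. "
               "Claim it at https://openclaw-rewards.example/claim\n"
               + " ".join(f"@dev{i}" for i in range(12)))
BENIGN_SAMPLE = "Thanks @alice, the docs are at https://openclaw.ai/docs"

if __name__ == "__main__":
    for sample in (LURE_SAMPLE, BENIGN_SAMPLE):
        print(triage(sample))
```

A single finding is weak evidence on its own; the combination of all three on one notification is what matches the pattern the article describes.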

What makes the case more serious is the technical layer behind the facade. OX Security explains that the malicious code was heavily obfuscated in a JavaScript file and that a separate command server was used to collect the data and then manage the draining of the connected wallet. So this is not clumsy spam, but an operation set up to last a few hours and disappear quickly.

Why OpenClaw became an ideal target

OpenClaw is not an obscure name. The project has seen a meteoric rise in recent months, attracting attention far beyond the usual circle of open source developers. Reuters reported in February that it had already passed 100,000 stars on GitHub and attracted 2 million visitors in a week, while Peter Steinberger joined OpenAI and the project moved under an open source foundation.

This kind of rise changes everything. When a project goes viral, its community also becomes a target base. OX researchers estimate that the attackers likely used GitHub’s “star” feature to identify profiles that already know OpenClaw. The trap then appears believable, almost personalized, and therefore much more dangerous than a generic message.

There is a broader lesson here for crypto. The modern scammer no longer only targets beginners on Telegram or Discord. Now they’re going down the chain towards developers, where technical confidence is strong, clicks are fast, and curiosity about a token associated with a trendy project can be enough to lower your guard. OpenClaw served as the perfect bait because it combined AI hype, GitHub’s visibility, and speculative imagination.

The real signal for crypto is not limited to OpenClaw

At this stage, OX Security says it has not found any confirmed victims. The malicious accounts were created last week and then deleted hours after the campaign was launched. In other words, the visible toll remains limited. But the important fact is not only the number of victims. It’s the quality of the script, its speed, and its ability to fit into your regular GitHub usage.

The most revealing detail may lie elsewhere. The malware tracked user actions using dedicated commands, transmitted encrypted data to its C2 server, and even included a so-called “nuke” function that locally erased traces of the theft. This effort to erase the evidence shows that crypto phishing is entering a more professional, quieter phase, and is therefore more difficult to detect in real time.

For the crypto market, this story reminds us of a brutal fact: the next wave of scams doesn’t necessarily come from a fake influencer or a dubious memecoin. It can come from a familiar environment, a GitHub repository, a credible reward, and a simple click. When the promise looks like a technical opportunity, the trap becomes more elegant. And that’s often where it’s more effective.
