A phishing campaign targeted OpenClaw developers on GitHub, employing fake GitHub accounts and attacker-controlled repositories where issue threads were opened to tag and message developers. The messages offered an OpenClaw token allocation and claimed the scammers had won $5,000 worth of CLAW tokens. Recipients were directed to a counterfeit site resembling openclaw.ai that included a “Connect your wallet” button intended to trigger wallet theft.
Wallet-stealing code was buried in an obfuscated JavaScript file named ‘eleven.js’. Once deobfuscated, the malware includes a ‘nuke’ function that wipes browser localStorage to hinder forensic analysis. The malware tracks user actions using commands such as PromptTx, Approved, and Declined and sends encoded data to a command-and-control server. One wallet address associated with the threat actor is 0x6981E9EA7023a8407E4B08ad97f186A5CBDaFCf5.
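For defenders triaging a script pulled from a suspicious "connect wallet" page, the behaviours described above can be checked statically. The following is an added example, not code from the campaign or from the researchers: the status strings and wallet address are the ones reported here, while the escape and base64 decoding steps, the assumption that the wipe calls `localStorage.clear()`, the finding names and both sample inputs are constructed for illustration.

```javascript
// Added example (not from the article). The status strings and wallet address are the
// ones the article reports; the decoding steps and finding names are assumptions.
const STATUS_MARKERS = ["PromptTx", "Approved", "Declined"];
const ACTOR_WALLET = "0x6981E9EA7023a8407E4B08ad97f186A5CBDaFCf5";

// Undo \xNN and \uNNNN escapes, a common way obfuscators hide string literals.
function decodeEscapes(src) {
  return src.replace(/\\(?:x([0-9a-fA-F]{2})|u([0-9a-fA-F]{4}))/g,
    (_, x, u) => String.fromCharCode(parseInt(x || u, 16)));
}

// Decode quoted literals that parse as base64 and yield printable ASCII.
function decodeBase64Literals(src) {
  const out = [];
  for (const m of src.matchAll(/["'`]([A-Za-z0-9+/]{8,}={0,2})["'`]/g)) {
    try {
      const text = atob(m[1]);
      if (/^[\x20-\x7e]+$/.test(text)) out.push(text);
    } catch (_) { /* not valid base64, ignore */ }
  }
  return out.join("\n");
}

// Return the behaviours from the write-up that appear in the script.
function triage(src) {
  const decoded = decodeEscapes(src);
  const haystack = decoded + "\n" + decodeBase64Literals(decoded);
  const findings = [];
  // Assumption: the wipe uses localStorage.clear(), via dot or bracket access.
  if (/localStorage\s*(?:\.\s*clear|\[\s*["'`]clear["'`]\s*\])\s*\(/.test(haystack))
    findings.push("localStorage-wipe");
  if (STATUS_MARKERS.every((s) => haystack.includes(s)))
    findings.push("tx-status-tracking");
  if (haystack.toLowerCase().includes(ACTOR_WALLET.toLowerCase()))
    findings.push("actor-wallet");
  return findings;
}

// Constructed samples, not taken from eleven.js.
const SAMPLE_OBFUSCATED = String.raw`
var _s=["\x50\x72\x6f\x6d\x70\x74\x54\x78","QXBwcm92ZWQ=","\u0044eclined"];
function nuke(){window.localStorage["\x63\x6c\x65\x61\x72"]();}`;
const SAMPLE_BENIGN = 'localStorage.setItem("theme","dark"); console.log("Approved");';

console.log(triage(SAMPLE_OBFUSCATED));
console.log(triage(SAMPLE_BENIGN));
```

A single status string on its own is not flagged, since words like "Approved" appear in ordinary front-end code; the check requires all three together.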
Accounts used in the campaign were created last week and deleted within hours of launch. No confirmed victims have been reported.
Observers noted the attackers may have leveraged GitHub’s star feature to identify users who starred OpenClaw repositories and then targeted those individuals. Cybersecurity researchers said they are still analyzing the behavior and how these campaigns are related.
The OpenClaw GitHub phishing campaign demonstrated targeted, deceptive activity on a popular developer platform, using fake accounts and attacker-controlled repositories to contact contributors and direct them to fraudulent sites. This campaign poses a clear security threat to developers and the wider crypto community, highlighting vulnerabilities arising from platform-based social engineering and the potential for wallet compromise.


