Key Highlights

  • Scammers impersonated OpenClaw contributors offering fake $5K CLAW token airdrops via GitHub.

  • Malicious links led to a cloned openclaw.ai site with a “Connect Wallet” button designed to steal crypto funds. 

  • Security researchers noted obfuscated JavaScript and a “nuke” function that exfiltrates wallet data while erasing browser traces. 

Security researchers at OX Security have uncovered a targeted phishing campaign aimed at developers of OpenClaw, a widely used open-source AI agent platform. Attackers created fake GitHub accounts impersonating legitimate contributors and tagged real developers in repositories, offering a purported $5,000 CLAW token airdrop as a lure.

Developers receiving these notifications were directed to a near-identical copy of the OpenClaw website. The clone included a “Connect Wallet” prompt, which triggered obfuscated JavaScript that captured wallet addresses, transaction history, and other sensitive data before sending it to attacker-controlled servers. A so-called “nuke” function then cleared browser traces to avoid detection.

While OX Security confirmed the operation targeted multiple repositories, only one wallet was identified as receiving the attack instructions, and no confirmed losses have been reported. The campaign leverages OpenClaw’s widespread popularity: millions of downloads and a large developer community. It mirrors other recent phishing operations in the AI ecosystem, where fake installers surfaced in search results to trick users. 

Researchers are advising developers to verify GitHub tags, avoid unsolicited wallet connections, and report suspicious activity immediately. The OpenClaw team has not yet issued a public statement on the phishing campaign.
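The advice above can be turned into a simple triage check for GitHub mention notifications. The following is an added example, not code from OX Security or the OpenClaw project: it flags comment bodies that pair the lure wording described in this article with links whose real host is not openclaw.ai. The sample comments, the non-official hostnames, the `docs` subdomain and the edit-distance threshold are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

OFFICIAL = "openclaw.ai"   # official site named in the article
BRAND = "openclaw"
# Lure wording taken from the campaign description (airdrop, wallet connection).
LURE = re.compile(r"airdrop|connect\s+(?:your\s+)?wallet", re.I)
URL = re.compile(r"https?://[^\s)>\]\"']+", re.I)

def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss spellings of the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_verdict(host):
    """Classify a hostname as 'official', 'lookalike' or 'other'."""
    host = host.lower().rstrip(".")
    if host == OFFICIAL or host.endswith("." + OFFICIAL):
        return "official"
    for token in re.split(r"[.-]", host):
        # Assumed threshold: tokens within two edits of the brand count as lookalikes.
        if len(token) >= 6 and edit_distance(token, BRAND) <= 2:
            return "lookalike"
    return "other"

def triage(comment):
    """Return (flag, [(host, verdict), ...]) for one comment or issue body."""
    findings = []
    for url in URL.findall(comment):
        # urlsplit().hostname ignores any "user@" prefix, so a link such as
        # https://openclaw.ai@claim.example/ is judged by its real host.
        host = urlsplit(url).hostname or ""
        findings.append((host, host_verdict(host)))
    off_site = any(v != "official" for _, v in findings)
    lookalike = any(v == "lookalike" for _, v in findings)
    return lookalike or (bool(LURE.search(comment)) and off_site), findings

# Constructed sample comments; every URL, path and non-official host is invented.
SAMPLES = [
    "@dev you qualify for the $5,000 CLAW airdrop, connect wallet at https://openc1aw-ai.example/claim",
    "Claim the airdrop here: https://openclaw.ai@claim.example/",
    "Setup notes are at https://docs.openclaw.ai/setup",
]
```

A flagged comment is a prompt for manual review of the account that posted it, not proof of malice.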