OpenClaw GitHub phishing scam uses fake $5,000 token airdrops gain wallet access

OpenClaw developers on GitHub, a platform for collaboration and version control, are being targeted in a phishing campaign using fake token giveaways to lure victims into connecting crypto wallets that can then be drained.

The attackers created bogus GitHub accounts and tagged developers in issue threads, claiming they had been selected to receive roughly $5,000 worth of CLAW tokens, Tel Aviv-based cybersecurity company OX Security said in a blog post on Wednesday.

The attackers’ posts link to a near-identical clone of the OpenClaw website, but with a key addition: a prompt to connect a crypto wallet. Once a wallet is connected, malicious code can trigger transactions or approvals that allow attackers to siphon funds. The phishing page supports major wallets including MetaMask, WalletConnect and Trust Wallet, widening the potential impact, OX said.

The campaign highlights an increasingly common attack vector in crypto: social engineering paired with wallet connection requests, often disguised as airdrops or developer rewards. By targeting GitHub users who interacted with OpenClaw-related repositories, the attackers made the outreach appear more credible.

OpenClaw is an open-source AI agent framework and developer tool that has recently attracted attention, and controversy, over crypto-related scams exploiting its name.

Peter Steinberger, the founder of OpenClaw, said last month he was about to delete the entire codebase because of crypto. “I didn’t know that they’re not just good at harassment, they are also really good at using scripts and tools.”

His statement followed a blanket ban he imposed on any mention of crypto, including bitcoin BTC$70,260.37, in the project’s Discord after scammers in January hijacked OpenClaw’s old accounts. The hackers promoted a fake CLAWD token that briefly hit a $16 million market cap before collapsing after Steinberger When Steinberger publicly denied any involvement.