Wallet Draining Scam Targets Openclaw Community With Fake Airdrop

A phishing campaign targeting Openclaw developers is spreading through Github, attempting to trick users into connecting crypto wallets and exposing funds to theft.

Crypto Developers Warned of Github-Based Phishing Attack

Cybersecurity firm OX Security reported this week that it identified the campaign, which impersonates the Openclaw ecosystem and uses fake Github accounts to reach developers directly.

Attackers post issue threads in repositories and tag users, claiming they have been selected to receive $5,000 worth of so-called CLAW tokens. The messages direct recipients to a fraudulent website designed to closely mimic openclaw.ai. The key difference is a wallet connection prompt that initiates malicious activity once approved.

According to OX Security researchers Moshe Siman Tov Bustan and Nir Zadok, connecting a wallet to the site can result in funds being drained. The campaign relies on social engineering tactics that make the offer appear tailored. Researchers believe attackers may be targeting users who previously interacted with Openclaw-related repositories, increasing the likelihood of engagement.

Technical analysis shows the phishing infrastructure includes a redirect chain leading to the domain token-claw[.]xyz, as well as a command-and-control server hosted at watery-compost[.]today. Malicious code embedded in a JavaScript file collects wallet data, including addresses and transaction details, and transmits it to the attacker.

OX Security also identified a wallet address linked to the threat actor that may be used to receive stolen funds. The code includes functions designed to track user behavior and erase traces from local storage, complicating detection and forensic analysis.

While no confirmed victims have been reported, researchers warn the campaign is active and evolving. Users are advised to avoid connecting crypto wallets to unfamiliar websites and to treat unsolicited token offers on Github as suspicious.
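The lure described above (mass-tagged issue threads, a token reward, a link to a site imitating openclaw.ai) can be turned into a triage check for issue and comment text. This is an added example, not code from OX Security or from the article; the scoring rules, the `BRAND` substring and the sample texts are assumptions constructed for illustration.

```python
import re

# Indicators named in the article, kept defanged; hosts are defanged before comparison.
KNOWN_BAD = {"token-claw[.]xyz", "watery-compost[.]today"}
LEGIT = "openclaw.ai"   # the site the phishing page imitates
BRAND = "claw"          # assumption: substring used to spot lookalike hosts
LURE = re.compile(r"airdrop|claim|selected|\$\s?\d[\d,]*|\bclaw\b|connect\s+(?:your\s+)?wallet", re.I)
HOST = re.compile(r"(?:h(?:tt|xx)ps?://)?((?:[a-z0-9-]+(?:\[\.\]|\.))+[a-z]{2,})", re.I)
MENTION = re.compile(r"(?<![\w.])@[\w-]+")

def hosts_in(text):
    """Hostnames found in text, accepting both normal and defanged notation."""
    return {m.group(1).lower().replace("[.]", ".") for m in HOST.finditer(text)}

def defang(host):
    return host.replace(".", "[.]")

def triage_issue(body):
    """Return (verdict, reasons) for one issue or comment body."""
    reasons, link_hit = [], False
    for host in sorted(hosts_in(body)):
        d = defang(host)
        if any(d == bad or d.endswith("[.]" + bad) for bad in KNOWN_BAD):
            reasons.append(f"reported indicator: {d}")
            link_hit = True
        elif BRAND in host and host != LEGIT and not host.endswith("." + LEGIT):
            reasons.append(f"lookalike of {LEGIT}: {d}")
            link_hit = True
    lures = sorted({m.group(0).lower() for m in LURE.finditer(body)})
    if len(lures) >= 2:
        reasons.append("lure wording: " + ", ".join(lures))
    mentions = len(set(MENTION.findall(body)))
    if mentions >= 3:
        reasons.append(f"mass mention of {mentions} accounts")
    verdict = "block" if link_hit else "review" if reasons else "ok"
    return verdict, reasons

# Constructed sample texts (not taken from the campaign).
SAMPLE_LURE = ("@alice @bob @carol you have been selected to receive $5,000 in CLAW "
               "tokens. Claim here: hxxps://token-claw[.]xyz")
SAMPLE_BENIGN = "Build fails on main, see https://openclaw.ai/docs for setup steps."

if __name__ == "__main__":
    for text in (SAMPLE_LURE, SAMPLE_BENIGN):
        print(triage_issue(text))
```

A "block" verdict requires a link hit, so lure wording or mass mentions alone only raise a comment for manual review.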

Additionally, cybersecurity company Certik published a report the same day specifically discussing exploits surrounding “skill scanning.” The firm evaluated a proof-of-concept skill that contained a flaw, and the exploited component was able to bypass the Openclaw system’s sandbox.

These security developments arrive as Openclaw gains massive traction with the general public and with crypto developers, who are actively building on the platform.

FAQ

  • What is the Openclaw phishing attack?

A scam targeting developers with fake token offers that trick users into connecting crypto wallets.

  • How does the attack work?

Users are directed to a cloned website where connecting a wallet enables theft mechanisms.

  • Who is being targeted?

Primarily developers interacting with Openclaw-related Github repositories.

  • How can users stay safe?

Avoid connecting wallets to unknown sites and ignore unsolicited token giveaways.
