{"id":63869,"date":"2026-03-19T13:19:33","date_gmt":"2026-03-19T06:19:33","guid":{"rendered":"https:\/\/hbbgroup.net\/openclaw-developers-lured-in-github-phishing-campaign-targeting-crypto-wallets\/"},"modified":"2026-03-19T13:19:33","modified_gmt":"2026-03-19T06:19:33","slug":"openclaw-developers-lured-in-github-phishing-campaign-targeting-crypto-wallets","status":"publish","type":"post","link":"https:\/\/hbbgroup.net\/zh\/openclaw-developers-lured-in-github-phishing-campaign-targeting-crypto-wallets\/","title":{"rendered":"OpenClaw Developers Lured in GitHub Phishing Campaign Targeting Crypto Wallets"},"content":{"rendered":"<div>\n<div>\n<h4 color=\"#333\">In brief<\/h4>\n<ul>\n<li>Attackers used fake GitHub accounts to tag developers, claiming they had won $5,000 in $CLAW tokens and directing them to a cloned OpenClaw site.<\/li>\n<li>OX Security said the phishing page used heavily obfuscated JavaScript and a separate C2 server to drain connected wallets and hide activity.<\/li>\n<li>The accounts were created last week and deleted within hours of launch, with no confirmed victims so far.<\/li>\n<\/ul>\n<\/div>\n<p><span>OpenClaw\u2019s viral rise has drawn an ugly new side effect: crypto scammers are now using the AI agent project\u2019s name to target developers in a phishing campaign aimed at draining their wallets.\u00a0<\/span><\/p>\n<p><span>Security platform OX Security <\/span><a href=\"https:\/\/www.ox.security\/blog\/openclaw-github-phishing-crypto-wallet-attack\/\" target=\"_blank\" rel=\"nofollow external noopener\"><span>published a report<\/span><\/a><span> on Wednesday detailing an active phishing campaign targeting <\/span><a href=\"https:\/\/decrypt.co\/356730\/openclaw-ai-agents-whats-real\" target=\"_blank\"><span>OpenClaw<\/span><\/a><span> in which threat actors create fake GitHub accounts, open issue threads in attacker-controlled repositories, and tag dozens of developers.\u00a0<\/span><\/p>\n<p>The scammer posts GitHub issues telling 
developers, \u201cAppreciate your contributions on GitHub. We analyzed profiles and chose developers to get OpenClaw allocation,\u201d and claims they have won $5,000 worth of $CLAW tokens, directing them to a fake website that closely resembles openclaw.ai. The site includes an added \u201cConnect your wallet\u201d button designed to trigger wallet theft.<\/p>\n<p>OX Security research team lead and a co-author of the report, Moshe Siman Tov Bustan, told <i>Decrypt<\/i> they uncovered evidence the scam attempt bears resemblance to a campaign that &#8220;spread on GitHub, relating to Solana.&#8221;<\/p>\n<p>&#8220;[We&#8217;re still] analyzing the behavior and the relation of these campaigns,&#8221; Bustan added.<\/p>\n<p><span>The phishing campaign surfaced weeks after OpenAI CEO Sam Altman announced OpenClaw creator Peter Steinberger would <\/span><a href=\"https:\/\/decrypt.co\/358141\/openai-openclaw-founder-lead-push-personal-ai-agents\" target=\"_blank\"><span>lead its push into personal AI agents<\/span><\/a><span>, with OpenClaw transitioning to a foundation-run open-source project.\u00a0<\/span><\/p>\n<p><span>That mainstream profile and the framework&#8217;s association with one of the most prominent names in AI make its developer community an increasingly attractive target.<\/span><\/p>\n<p><span>OX Security said it had previously assessed the attackers may be using GitHub&#8217;s star feature to identify users who have starred OpenClaw-related repositories, making the lure appear more targeted and credible.<\/span><\/p>\n<p><span>The platform\u2019s analysis found the wallet-stealing code buried inside a heavily obfuscated JavaScript file called &#8220;eleven.js.&#8221;<\/span><\/p>\n<p>&#8220;According to who that was targeted and the user&#8217;s reports on GitHub,&#8221; the campaign targeted only users who &#8220;starred the OpenClaw GitHub repository,&#8221; Bustan said. 
&#8220;During our analysis, we found only one address belonging to the threat actor, which hadn&#8217;t sent or received any funds yet.&#8221;<\/p>\n<p><span>After deobfuscating the malware, researchers identified a built-in &#8220;nuke&#8221; function that wipes all wallet-stealing data from the browser&#8217;s local storage to frustrate forensic analysis.\u00a0<\/span><\/p>\n<p><span>The malware tracks user actions via commands such as PromptTx, Approved, and Declined, relaying encoded data, including wallet addresses, transaction values, and names, back to a C2 server.<\/span><\/p>\n<p><span>Researchers identified one crypto wallet address they believe belongs to the threat actor, 0x6981E9EA7023a8407E4B08ad97f186A5CBDaFCf5, used to receive stolen funds.\u00a0<\/span><\/p>\n<p><span>The accounts were created last week and deleted within hours of launch, with no confirmed victims so far, according to OX Security.<\/span><\/p>\n<p><i><span>Decrypt<\/span><\/i><span> has reached out to Peter Steinberger for comment.<\/span><\/p>\n<h2 color=\"#333\"><b>OpenClaw&#8217;s crypto magnet problem<\/b><\/h2>\n<p><span>OpenClaw, a self-hosted AI agent framework that lets users run persistent bots connected to messaging apps, email, calendars, and shell commands, <\/span><a href=\"https:\/\/github.com\/openclaw\/openclaw\" target=\"_blank\"><span>hit 323,000 GitHub stars<\/span><\/a><span> following its acquisition by OpenAI last month.\u00a0<\/span><\/p>\n<p><span>That visibility quickly attracted bad actors, with OpenClaw creator Peter Steinberger saying crypto spam flooded OpenClaw\u2019s Discord almost \u201cevery half hour,\u201d forcing bans and <\/span><a href=\"https:\/\/decrypt.co\/358856\/openclaw-creator-bans-bitcoin-crypto-chatter-openai\" target=\"_blank\"><span>ultimately a blanket prohibition<\/span><\/a><span> after what he described to <\/span><i><span>Decrypt<\/span><\/i><span> as \u201cnonstop coin promotion.\u201d<\/span><\/p>\n<p><span>Unlike chat-based 
AI tools, OpenClaw agents persist, wake on a schedule, store memory locally, and execute multi-step tasks autonomously.<\/span><\/p>\n<p><span>OX Security recommends blocking token-claw[.]xyz and watery-compost[.]today across all environments, avoiding connecting crypto wallets to newly surfaced or unverified sites, and treating any GitHub issue promoting token giveaways or airdrops as suspicious, particularly from unknown accounts.\u00a0<\/span><\/p>\n<p><span>Users who recently connected a wallet should revoke approvals immediately, the platform warned.\u00a0<\/span><\/p>\n<p><i>Editor&#8217;s note: Adds comment from OX Security&#8217;s Bustan<\/i><\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>In brief Attackers used fake GitHub accounts to tag developers, claiming they had won $5,000 in $CLAW tokens and directing 
[&hellip;]<\/p>","protected":false},"author":5,"featured_media":63870,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[220],"tags":[],"class_list":["post-63869","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-tien-dien-tu"],"acf":[],"_links":{"self":[{"href":"https:\/\/hbbgroup.net\/zh\/wp-json\/wp\/v2\/posts\/63869","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hbbgroup.net\/zh\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hbbgroup.net\/zh\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hbbgroup.net\/zh\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/hbbgroup.net\/zh\/wp-json\/wp\/v2\/comments?post=63869"}],"version-history":[{"count":0,"href":"https:\/\/hbbgroup.net\/zh\/wp-json\/wp\/v2\/posts\/63869\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/hbbgroup.net\/zh\/wp-json\/wp\/v2\/media\/63870"}],"wp:attachment":[{"href":"https:\/\/hbbgroup.net\/zh\/wp-json\/wp\/v2\/media?parent=63869"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hbbgroup.net\/zh\/wp-json\/wp\/v2\/categories?post=63869"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hbbgroup.net\/zh\/wp-json\/wp\/v2\/tags?post=63869"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}