TLDR
- Attackers used GitHub issues to tag developers with fake token rewards
- Malicious site cloned OpenClaw and added wallet connection prompt
- Campaign may target users who starred OpenClaw repositories
- Obfuscated script tracked wallet activity and sent data to servers
A GitHub phishing scam is targeting developers by misusing OpenClaw branding and fake token offers. Attackers are creating issue threads and tagging users to spread malicious links. The campaign directs victims to cloned websites that request wallet connections. Security researchers warn that the operation aims to gain access to crypto wallets and extract funds.
Phishing Campaign Spreads Through GitHub Activity
Security researchers reported a phishing campaign targeting developers through GitHub repositories. The attackers created fake accounts and opened issue threads in controlled repositories. They tagged multiple users to increase visibility and reach across the platform.
The message used in these issues claimed that selected developers were eligible for token rewards. It stated, “Appreciate your contributions on GitHub. We analyzed profiles and chose developers to get OpenClaw allocation.” The message aimed to build trust and prompt user action. The campaign also used shortened links such as linkshare[.]google URLs. These links redirected users to malicious domains like token-claw[.]xyz.
The site appeared similar to the official OpenClaw platform, which increased the chance of user interaction. Researchers believe attackers may have used GitHub’s star feature to identify targets. Users who starred OpenClaw repositories may have been selected. This approach made the outreach appear more relevant and convincing.
Fake Website Designed to Capture Wallet Access
The phishing site closely resembled the official OpenClaw website in layout and design. However, it included a “Connect your wallet” button not present on the legitimate platform. This feature was designed to gain access to users’ crypto wallets.
Once users interacted with the prompt, malicious scripts were triggered in the background. Researchers identified a file named “eleven.js” containing obfuscated code. The code executed wallet-related actions without clear user awareness. The malware tracked user actions using commands such as PromptTx, Approved, and Declined.
It then sent encoded data, including wallet addresses and transaction values, to a remote server. This allowed attackers to monitor and control transactions. Researchers also found a function described as “nuke” within the script. This feature cleared traces from the browser’s local storage. It was used to reduce evidence and complicate further investigation.
OpenClaw Popularity Attracts Scam Campaigns
The campaign appeared as OpenClaw gained strong attention among developers and businesses. Its GitHub repository has reached more than 324,000 stars. This growth has increased its visibility across the developer community. OpenClaw creator Peter Steinberger warned users about such scams.
He stated, “Folks, if you get crypto emails from websites claiming to be associated with OpenClaw, it’s ALWAYS a scam.” He added that the project does not run token promotions. The project follows a strict stance against cryptocurrency-related promotions. Reports indicate that crypto-related messages are restricted in its official channels. This measure was taken after earlier incidents involving fake tokens.
Security researchers said the full scale of the campaign remains unclear. At least one wallet address linked to the attackers has been identified. However, no confirmed victims have been reported so far. Experts advised users to avoid connecting wallets to unknown sites. They also recommended blocking domains linked to the campaign. GitHub users are urged to treat token offers in issue threads as suspicious.
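A triage sketch for the advice above, added here and not taken from the researchers or the OpenClaw project: it scores an issue or comment body on the signals the article describes (the named phishing domain, the link-sharing redirect, mass tagging, token-reward wording). The weights, the mention threshold, the lure word list, and the sample handles and link path are assumptions.

```python
import re
from urllib.parse import urlparse

def refang(text):
    """Undo [.] and hxxp defanging so URLs can be parsed."""
    return text.replace("[.]", ".").replace("hxxp", "http")

# Indicators named in the article, stored defanged and refanged only for matching.
CAMPAIGN_HOSTS = {refang("token-claw[.]xyz")}   # phishing domain
REDIRECTORS = {refang("linkshare[.]google")}    # link service used by the lure
# Assumptions: lure wording, weights and threshold are illustrative; tune them.
LURE = re.compile(r"\b(allocation|airdrop|token rewards?)\b", re.I)
MENTION = re.compile(r"(?<![\w/])@([A-Za-z0-9][A-Za-z0-9-]{0,38})")
URL = re.compile(r"https?://[^\s)>\]]+", re.I)
MASS_MENTIONS = 5

def hosts_in(text):
    """Return lower-cased hostnames of every URL found in text."""
    hosts = set()
    for url in URL.findall(refang(text)):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts

def on_list(host, listed):
    """True if host equals a listed domain or is one of its subdomains."""
    return any(host == h or host.endswith("." + h) for h in listed)

def triage(body):
    """Return (verdict, reasons) for one issue or comment body."""
    hosts = hosts_in(body)
    mentions = {m.lower() for m in MENTION.findall(body)}
    signals = [
        ("campaign-host", 3, any(on_list(h, CAMPAIGN_HOSTS) for h in hosts)),
        ("redirector", 1, any(on_list(h, REDIRECTORS) for h in hosts)),
        ("mass-mention", 1, len(mentions) >= MASS_MENTIONS),
        ("token-lure", 1, bool(LURE.search(body))),
    ]
    reasons = [name for name, _, hit in signals if hit]
    score = sum(weight for _, weight, hit in signals if hit)
    verdict = "block" if score >= 3 else "review" if score == 2 else "ok"
    return verdict, reasons

# Constructed sample: the quoted lure text plus made-up handles and link path.
SAMPLE = ("Appreciate your contributions on GitHub. We analyzed profiles and chose "
          "developers to get OpenClaw allocation. hxxps://linkshare[.]google/EXAMPLE "
          "@dev-a @dev-b @dev-c @dev-d @dev-e")
```

A single weak signal, such as the word "allocation" in an ordinary bug report, scores 1 and stays "ok"; only the named phishing domain or three combined signals reach "block".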





