- Attackers target OpenClaw developers via GitHub issues and phishing emails.
- Malicious site clones the official interface and triggers wallet connection to execute fund draining.
- Obfuscated malware tracks wallet data and sends it to a remote server before executing the drain.
A new phishing campaign is targeting developers linked to the OpenClaw project, using fake token airdrops to trick users into connecting crypto wallets. The attack spreads through GitHub and cloned websites, with the goal of draining funds once access is granted.
Security firm OX Security identified the campaign, noting that attackers are actively impersonating the OpenClaw ecosystem to reach developers directly.
GitHub Used As Primary Attack Vector
The attackers are not relying on random spam but are targeting developers where they are most active. Fake GitHub accounts are created, and issue threads are opened in attacker-controlled repositories.
Dozens of developers are tagged in each post to maximize reach. The message is simple: recipients have been selected to receive $5,000 worth of CLAW tokens.
The targeting appears deliberate as attackers may be scraping users who interacted with OpenClaw-related repositories, making the messages look relevant and credible.
At the same time, phishing emails are being sent through GitHub notification systems. These emails mirror the same pitch and use names like “ClawFunding” and “ClawReward” to appear legitimate.
Fake Site Clones OpenClaw Interface
The attackers redirected users through links, including Google link shorteners, to a phishing domain that closely mimics the official OpenClaw site. The interface looks identical, except for one key addition: a wallet connection prompt. Once the wallet is connected, the attack begins.
The phishing page supports multiple wallets, including MetaMask, Trust Wallet, OKX Wallet, Bybit Wallet, and WalletConnect, increasing the chances of user interaction.
The core of the attack sits inside an obfuscated JavaScript file. This code handles wallet interaction, tracks user actions, and sends data to a remote server.
Captured data includes wallet addresses, transaction values, and user identifiers. The system uses command signals such as transaction prompts and approval tracking to monitor behavior in real time.
A command-and-control server is used to receive the data and execute the drain. A dedicated wallet address has been identified as the main destination for stolen funds.
The malware also includes a cleanup function that removes traces from the browser after execution, making detection and forensic analysis harder.
At this stage, there are no confirmed reports of funds lost. However, the structure of the attack is fully operational.
The campaign was launched using newly created GitHub accounts, which were deleted shortly after activity began. This suggests a short lifecycle strategy designed to avoid detection.
Related: Solana and Base Compete as AI Agents Go Fully Onchain With OpenClaw
Disclaimer: The information presented in this article is for informational and educational purposes only. The article does not constitute financial advice or advice of any kind. Coin Edition is not responsible for any losses incurred as a result of the utilization of content, products, or services mentioned. Readers are advised to exercise caution before taking any action related to the company.
Source: https://coinedition.com/openclaw-developers-targeted-in-crypto-wallet-phishing-attack/
