GitHub Phishing Scam Mimics OpenClaw to Steal Crypto Wallets

Published On : March 19, 2026

Recently, a sophisticated phishing scam leveraging GitHub’s platform has surfaced, deceiving developers by impersonating the popular open-source project OpenClaw. This scam not only aims to spread malicious code but also to drain victims’ crypto wallets, raising serious concerns about cybersecurity within the developer community. The attack highlights the growing trend of threat actors exploiting trusted branding and online repositories to orchestrate financial thefts in the crypto space.

Understanding the GitHub OpenClaw Phishing Campaign

How the Scam Operates

The scam begins with impersonation. Cybercriminals create counterfeit GitHub accounts that mimic official OpenClaw profiles, using similar usernames, avatars, and repository titles to appear legitimate. They then tag developers, especially those who have previously interacted with OpenClaw projects or starred related repositories, to increase their chances of engagement.

These malicious accounts post issue threads or direct messages claiming that the recipient has been selected for an exclusive allocation of $CLAW tokens, presented as OpenClaw’s native cryptocurrency. Victims are then directed to a clone of the authentic openclaw.ai website, which looks remarkably similar to the real platform. The site entices users with promises of free tokens or rewards, playing on the keen interest developers have in early airdrops and project incentives.

Deceptive Wallet Connection Prompts

Once on the fake site, victims are presented with a “Connect your wallet” prompt, a common feature in legitimate crypto platforms. However, in this scam, the connection is malicious. The embedded code, often obfuscated to evade detection, attempts to access and transfer funds directly from the user’s crypto wallets once connected. The malicious script, such as a file named “eleven.js,” contains functions designed to extract wallet details and authorize transactions without further user consent.

Technical Tactics and Obfuscation

Attackers employ advanced tactics to conceal their malicious activities. The JavaScript code embedded within the cloned site is heavily obfuscated, making detection by conventional security tools difficult. The script uses functions like “nuke” to erase traces in the browser’s local storage, reducing the chances of post-attack forensic analysis.

The malware also tracks user interactions through specific commands such as PromptTx, Approved, or Declined, encoding and transmitting sensitive data—wallet addresses, transaction amounts, and other identifying details—to command and control (C&C) servers. Such techniques demonstrate a high level of sophistication and targeted planning.

Impact and Potential Risks

Although no confirmed victims have been publicly disclosed at this stage, analysts warn that the threat is real and ongoing. The campaign’s goal is to trick developers into connecting their wallets, which then enables scammers to steal funds en masse. The consequences for victims may include partial or total wallet drain, loss of crypto assets, and potential exposure of private keys.

Notably, a wallet address linked to the attackers has been identified receiving stolen funds, indicating active theft. The use of obfuscation and targeted tactics suggests a well-funded operation designed to minimize detection and maximize financial gain.

Preventive Measures and Recommendations

  • Always verify the authenticity of GitHub accounts and repositories before engaging or providing sensitive information.
  • Avoid clicking on suspicious links or approving wallet connection prompts on unverified websites.
  • Employ comprehensive security tools capable of detecting obfuscated JavaScript and malicious scripts.
  • Be cautious of messages claiming you’ve won tokens or rewards, especially when unsolicited.
  • Block malicious domains like token-claw[.]xyz and watery-compost[.]today, which have been associated with the scam.
  • Keep your wallet software up to date and use hardware wallets for added security.
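One way to act on the domain-blocking advice above: an added Python example (not code from the article or from the OpenClaw project) that refangs the de-fanged domains named in the article and scans constructed proxy-log lines for requests to those domains, their subdomains, or a script path ending in the reported eleven.js file name.

```python
import re

# Domains named in the article, de-fanged exactly as published.
DEFANGED_IOCS = ["token-claw[.]xyz", "watery-compost[.]today"]

# Script file name the article reports; a weak, name-only heuristic.
SUSPICIOUS_SCRIPTS = ["eleven.js"]

# Constructed sample proxy log for this example (not real traffic).
SAMPLE_LOG = [
    "2026-03-19T10:00:01Z 10.0.0.5 GET https://github.com/openclaw/openclaw 200",
    "2026-03-19T10:00:07Z 10.0.0.5 GET https://token-claw.xyz/claim 200",
    "2026-03-19T10:00:09Z 10.0.0.5 GET https://cdn.watery-compost.today/app.js 200",
    "2026-03-19T10:01:12Z 10.0.0.9 GET https://static.example.net/js/eleven.js 200",
    "2026-03-19T10:02:00Z 10.0.0.9 GET https://openclaw.ai/ 200",
]

# Matches an optional scheme, a dotted hostname, and an optional path.
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(/[^\s\"]*)?", re.I)


def refang(indicator: str) -> str:
    """Turn a de-fanged indicator such as token-claw[.]xyz back into a hostname."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def matches_ioc(host: str, iocs) -> bool:
    """True if host equals an IOC domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in iocs)


def scan_log(lines, defanged=DEFANGED_IOCS, scripts=SUSPICIOUS_SCRIPTS):
    """Return (line_no, host, reason) for every request that hits an indicator."""
    iocs = [refang(d) for d in defanged]
    hits = []
    for n, line in enumerate(lines, 1):
        for m in HOST_RE.finditer(line):
            host, path = m.group(1), m.group(2) or ""
            if matches_ioc(host, iocs):
                hits.append((n, host.lower(), "blocked-domain"))
            elif any(path.lower().endswith("/" + s) for s in scripts):
                hits.append((n, host.lower(), "suspicious-script"))
    return hits


if __name__ == "__main__":
    for line_no, host, reason in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {host} ({reason})")
```

The script-name match is a low-confidence signal on its own; treat it as a pivot for review rather than a block decision.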

OpenClaw’s Response and Security Policy

In response to the scam, OpenClaw’s founder Peter Steinberger has enacted a strict anti-crypto policy. The project’s Discord server, for instance, enforces a ban on discussing cryptocurrencies, aiming to prevent further impersonation or scam-related activities. This measure follows a prior incident involving a scam token called $CLAWD, which surged to a market capitalization of approximately $16 million before plummeting over 90% after Steinberger disavowed any involvement.

Conclusion

The use of branding elements like OpenClaw in phishing campaigns underscores the importance of vigilance among developers and crypto enthusiasts. As cybercriminals leverage platforms like GitHub to deceive and exploit, it becomes crucial to adhere to security best practices and verify sources meticulously. Continued awareness and proactive security measures are essential to combat these evolving threats and protect digital assets from sophisticated scams.

FAQ

What are common signs of a phishing scam on GitHub?

  • Unsolicited messages claiming you’ve won tokens or rewards.
  • Profiles that mimic official accounts but have minor differences.
  • Links leading to cloned or suspicious websites that resemble legitimate platforms.
  • Requests to connect wallets or share private keys—never do this on untrusted sites.

How can I protect my crypto wallets from such scams?

  • Use hardware wallets for storing large amounts of crypto assets.
  • Verify website URLs and confirm the authenticity before connecting wallets.
  • Enable two-factor authentication where possible.
  • Stay updated on known phishing domains and report suspicious activity.

What should I do if I suspect I’ve fallen victim to a wallet drain scam?

  • Immediately disconnect the site from your wallet and, if possible, move remaining funds to a new wallet with fresh private keys.
  • Report the incident to platform support and relevant authorities.
  • Monitor your accounts for unusual transactions and seek professional cybersecurity assistance if needed.