New GitHub Phishing Scheme Targets OpenClaw Developers
Crypto scammers are increasingly targeting developers, and the rising prominence of OpenClaw has become the hook for a new phishing campaign run through GitHub. The lure is a supposed token allocation: developers are told they have received a legitimate crypto grant, and the goal is to drain the wallets of anyone who believes it.
Summary
- Fake Accounts on GitHub: Attackers impersonate OpenClaw with fraudulent accounts and tag developers with an enticing offer of $5,000 worth of $CLAW tokens.
- Cloned Websites: Victims are led to a counterfeit website that mimics the official OpenClaw site, where a malicious wallet-connection prompt is designed to drain their wallets.
- Targeted Tactics: According to OX Security, the campaign uses obfuscated code and targeted outreach; no confirmed victims have been reported so far.
Phishing Campaign Details
A recent report from OX Security describes how the attackers operate: they create fake GitHub accounts, open issues in repositories, and tag large numbers of developers in the posts.
The messages present the tagged developers with a supposed OpenClaw allocation, claiming they have won $5,000 in $CLAW tokens, and direct them to a counterfeit website resembling openclaw.ai.
On that site, visitors are prompted to "connect your wallet." This is the step that does the damage: once a wallet is connected, the site can request the transactions that drain it.
The Context of OpenClaw’s Popularity
The phishing scheme has emerged as OpenClaw draws more attention, especially following OpenAI CEO Sam Altman's announcement that Peter Steinberger, the creator of OpenClaw, had joined OpenAI to lead its work on personal AI agents. OpenClaw itself has since become a foundation-led open-source project.
Researchers from OX Security suggest that the attackers may be using GitHub's public star lists to find users who have starred OpenClaw repositories, so that the developers they tag are ones with a plausible interest in the project, which makes the outreach look more credible.
Technical Insights
The drainer is delivered in a file named "eleven.js" containing obfuscated JavaScript that carries out the wallet theft. It includes a "nuke" routine that wipes the browser's local storage to erase traces of its activity and hinder analysis, while the script keeps tracking the user's interaction with the wallet prompt.
It does this by recording events such as PromptTx, Approved, and Declined. Encoded data, including wallet addresses and transaction amounts, is then sent to a command-and-control server.
Researchers have uncovered at least one wallet address linked to the attackers, serving as a conduit for stolen funds; however, there have been no confirmed cases of individuals falling victim to this malicious campaign so far.
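The counter to the flow described above is to review what a site asks the wallet to do after "connect your wallet." The following is an added example, not code from OX Security, OpenClaw or the drainer itself: a guard wrapped around an EIP-1193 style provider (the `request({ method, params })` interface that browser wallets expose as `window.ethereum`). It decodes ERC-20 `approve(address,uint256)` calldata, refuses unlimited approvals and approvals or large native transfers to addresses the user has not vetted, and keeps a local log of Approved/Declined decisions, the same kind of telemetry the drainer sends to its C2, but kept by the user. The addresses, the allowlist policy and the mock provider are constructed for the demo.

```javascript
// Added example: a guard around an EIP-1193 wallet provider (not OX Security's or OpenClaw's code).
// All addresses, the policy values and the mock provider below are constructed for the demo.

const APPROVE_SELECTOR = '0x095ea7b3'; // first 4 bytes of keccak256("approve(address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n; // the "unlimited" allowance drainers ask for

// Decode spender and amount from approve(address,uint256) calldata; null if not an approve call.
function decodeApprove(data) {
  if (typeof data !== 'string' || !data.startsWith(APPROVE_SELECTOR) || data.length < 10 + 128) {
    return null;
  }
  const args = data.slice(10);                       // strip 0x + selector
  const spender = '0x' + args.slice(24, 64).toLowerCase(); // address is right-aligned in 32 bytes
  const amount = BigInt('0x' + args.slice(64, 128));
  return { spender, amount };
}

// Decide whether a transaction request may reach the wallet.
// policy.allowedSpenders: Set of lowercase addresses the user has vetted.
// policy.maxNativeWei: largest native-coin value a site may request per tx.
function reviewTx(tx, policy) {
  const to = (tx.to || '').toLowerCase();
  const value = tx.value ? BigInt(tx.value) : 0n;
  const approve = decodeApprove(tx.data || '0x');
  if (approve) {
    if (approve.amount === MAX_UINT256) {
      return { allow: false, reason: `unlimited approval to ${approve.spender}` };
    }
    if (!policy.allowedSpenders.has(approve.spender)) {
      return { allow: false, reason: `approval to unvetted spender ${approve.spender}` };
    }
  } else if (value > policy.maxNativeWei && !policy.allowedSpenders.has(to)) {
    return { allow: false, reason: `native transfer of ${value} wei to unvetted ${to}` };
  }
  return { allow: true, reason: 'ok' };
}

// Wrap a provider so every eth_sendTransaction passes through reviewTx.
// Read-only and account requests pass straight through; decisions are logged locally.
function guardProvider(provider, policy) {
  const log = [];
  return {
    log,
    async request(args) {
      if (args.method === 'eth_sendTransaction') {
        const tx = (args.params && args.params[0]) || {};
        const verdict = reviewTx(tx, policy);
        log.push({ event: verdict.allow ? 'Approved' : 'Declined', reason: verdict.reason, to: tx.to });
        if (!verdict.allow) throw new Error(`blocked: ${verdict.reason}`);
      }
      return provider.request(args);
    },
  };
}

// Build approve() calldata the way a drainer page would, for the demo and tests.
function approveCalldata(spender, amount) {
  return APPROVE_SELECTOR +
    spender.toLowerCase().replace('0x', '').padStart(64, '0') +
    amount.toString(16).padStart(64, '0');
}

// Constructed mock provider standing in for window.ethereum; it signs nothing.
const mockProvider = {
  async request(args) {
    if (args.method === 'eth_requestAccounts') return ['0x1111111111111111111111111111111111111111'];
    if (args.method === 'eth_sendTransaction') return '0x' + 'ab'.repeat(32); // fake tx hash
    throw new Error(`unsupported method ${args.method}`);
  },
};

// Demo: a "claim your $CLAW allocation" page connects, then asks for an unlimited approval.
const demoPolicy = {
  allowedSpenders: new Set(['0x2222222222222222222222222222222222222222']),
  maxNativeWei: 10n ** 16n, // 0.01 ETH
};
const guarded = guardProvider(mockProvider, demoPolicy);
guarded.request({ method: 'eth_requestAccounts' })
  .then(() => guarded.request({
    method: 'eth_sendTransaction',
    params: [{ to: '0x4444444444444444444444444444444444444444',
               data: approveCalldata('0x3333333333333333333333333333333333333333', MAX_UINT256) }],
  }))
  .catch((e) => console.log(e.message, guarded.log));
```

The demo is deliberately conservative: a site that needs a spend still gets it only for a spender the user has added to the allowlist, and never an unlimited allowance. Real wallets already warn on unlimited approvals; the point is that a drainer page depends entirely on the user clicking through those prompts, so the check belongs between the page and the wallet.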
Safety Recommendations
OX Security advises blocking the domains token-claw[.]xyz and watery-compost[.]today, and recommends never connecting a crypto wallet to a newly encountered or unverified website.
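The lure pattern from the campaign details above (mass @-mentions, a "you won $CLAW" pitch, and a link to a site that is not openclaw.ai) and the domain blocklist given here can be turned into a simple triage check for incoming GitHub notifications. The following is an added example, not OX Security's or OpenClaw's code: it scores an issue or comment body with a few heuristics and treats the two published domains as known-bad. The three sample bodies and the scoring weights are constructed for the demo; the bait regexes and thresholds are assumptions a team would tune.

```javascript
// Added example (not OX Security's or OpenClaw's code): heuristic triage of a GitHub
// issue/comment body for the $CLAW lure. Samples and weights are constructed for the demo.

const OFFICIAL_HOSTS = new Set(['openclaw.ai', 'www.openclaw.ai', 'github.com']);
// The two indicators OX Security published for this campaign.
const BLOCKED_HOSTS = new Set(['token-claw.xyz', 'watery-compost.today']);
// Assumed bait phrases; a real deployment would tune these.
const BAIT = [/\$claw\b/i, /allocation|airdrop|claim/i, /\$\s?\d[\d,]*/, /connect (your )?wallet/i];

// "openclaw[.]ai" style defanging is common in reports; normalise before matching.
function refang(text) { return text.replace(/\[\.\]/g, '.'); }

function extractMentions(text) { return text.match(/@[A-Za-z0-9-]+/g) || []; }

// Hostnames of every http(s) URL in the text, lowercased.
function extractHosts(text) {
  const hosts = [];
  for (const m of text.matchAll(/https?:\/\/([^\s\/)\]>]+)/gi)) hosts.push(m[1].toLowerCase());
  return hosts;
}

// A host that trades on the project name but is not the official site.
function isLookalike(host) { return !OFFICIAL_HOSTS.has(host) && /claw/.test(host); }

// Score a body; `suspicious` is true at score >= 5 (assumed threshold).
function scoreLure(body) {
  const text = refang(body);
  const mentions = extractMentions(text);
  const hosts = extractHosts(text);
  const reasons = [];
  let score = 0;
  if (mentions.length >= 5) { score += 2; reasons.push(`${mentions.length} users tagged`); }
  const baitHits = BAIT.filter((re) => re.test(text)).length;
  if (baitHits >= 2) { score += baitHits; reasons.push(`${baitHits} bait phrases`); }
  for (const h of hosts) {
    if (BLOCKED_HOSTS.has(h)) { score += 5; reasons.push(`known phishing host ${h}`); }
    else if (isLookalike(h)) { score += 3; reasons.push(`lookalike host ${h}`); }
  }
  return { score, suspicious: score >= 5, reasons, mentions, hosts };
}

// Constructed samples (not real issue text).
const SAMPLE_LURE = '@alice @bob @carol @dave @erin @frank Congratulations! You have been selected ' +
  'for the OpenClaw allocation: $5,000 in $CLAW tokens. Claim at https://token-claw.xyz/claim before it expires.';
const SAMPLE_LOOKALIKE = 'Your $CLAW airdrop of $5,000 is ready. Connect your wallet at https://openclaw-rewards.ai/connect';
const SAMPLE_BENIGN = '@maintainer the test suite fails on Node 22 after the last merge; see https://github.com/example/repo/issues/1';

for (const s of [SAMPLE_LURE, SAMPLE_LOOKALIKE, SAMPLE_BENIGN]) {
  const r = scoreLure(s);
  console.log(r.suspicious ? 'SUSPICIOUS' : 'ok', r.score, r.reasons.join('; '));
}
```

The blocklist match is the only high-confidence signal; the mention count and bait phrases are there to catch the next domain the attackers register, at the cost of some false positives on legitimate giveaway-style posts, which is why the result carries its reasons rather than a bare verdict.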
OpenClaw’s Response to Security Breaches
In response, OpenClaw's creator, Peter Steinberger, has imposed a strict no-crypto policy on the project's Discord server: any discussion of cryptocurrencies risks a ban from the community.
The policy follows an earlier scam that arose during the project's rebranding, in which attackers promoted a Solana-based token named $CLAWD. The fraudulent token reached an approximate market cap of $16 million before falling more than 90% when Steinberger publicly disavowed any connection to it.
By remaining vigilant and informed, developers can safeguard their assets against schemes like this, which prey on the naïveté of the crypto community.