The burgeoning popularity of OpenClaw, an AI agent project, has unfortunately attracted malicious actors. Security researchers have identified a sophisticated phishing campaign targeting developers by impersonating the project and aiming to steal cryptocurrency from their wallets.
Key Takeaways
- Attackers created fake GitHub accounts to contact OpenClaw developers, offering fabricated $5,000 $CLAW token airdrops.
- The scam directs developers to a cloned OpenClaw website designed to trick them into connecting their crypto wallets.
- Obfuscated JavaScript and a separate command-and-control (C2) server were used to execute wallet draining and conceal the malicious activity, according to OX Security.
- The fake GitHub accounts were short-lived, created and deleted within hours of the campaign’s launch, with no confirmed victims reported thus far.
The phishing campaign surfaces in the wake of OpenClaw’s acquisition by OpenAI, a move that brought significant attention to the project and its creator, Peter Steinberger. This increased profile, combined with Steinberger’s new role leading OpenAI’s personal AI agent initiatives, has made the project’s developer community a prime target for scams.
Security platform OX Security detailed the operation, which involves threat actors creating deceptive GitHub accounts. These accounts open issues in repositories controlled by the attackers and tag numerous developers. The scam messages claim the developers have been selected for an “OpenClaw allocation” and offer $5,000 worth of $CLAW tokens, urging recipients to visit a fake website that closely mimics the legitimate openclaw.ai domain.
A critical component of the scam is a “Connect your wallet” button on the fraudulent site. Once clicked, it initiates a process designed to drain the user’s cryptocurrency. Moshe Siman Tov Bustan, lead of OX Security’s research team, noted similarities between this campaign and previous phishing efforts targeting the Solana ecosystem on GitHub.
The malicious code was embedded in a heavily obfuscated JavaScript file named “eleven.js.” Researchers found a “nuke” function in the malware that erases its wallet-theft data from the browser’s local storage, complicating forensic analysis. The malware tracks user interactions through commands such as PromptTx, Approved, and Declined, and exfiltrates encoded data, including wallet addresses and transaction details, to a C2 server.
One cryptocurrency wallet address, identified as 0x6981E9EA7023a8407E4B08ad97f186A5CBDaFCf5, is believed to belong to the threat actor and was intended for receiving stolen funds. However, OX Security reported that this address had not yet been active in receiving or sending any cryptocurrency.
The attackers reportedly leveraged GitHub’s “star” feature to identify users who had shown interest in OpenClaw-related repositories, adding a layer of perceived credibility to their phishing attempts. The fake GitHub accounts were promptly removed after the campaign’s initiation, minimizing the window for exploitation.
Long-Term Impact of AI-Driven Development on Security Paradigms
The emergence of sophisticated phishing campaigns against projects like OpenClaw, which sit at the intersection of AI development and decentralized technologies, marks a critical inflection point for blockchain and Web3 security. As AI agents become more embedded in development workflows and user interactions, they bring both powerful new tools and significant new attack surface. The obfuscated code and C2 infrastructure seen in this incident show how cybercriminals are adopting more advanced techniques to exploit vulnerabilities. Security programmes will therefore need to defend not only against traditional blockchain exploits but also, proactively, against AI-powered social engineering and malware. Layer 2 solutions, while offering scalability benefits, also add complexity to security monitoring and incident response. A robust security posture in this landscape will require continuous innovation in threat detection, advanced cryptographic methods, and a clear understanding of how AI can be both weaponized and used for defense within the Web3 ecosystem.
OpenClaw, known for its persistent AI agents that can autonomously execute multi-step tasks, manage local memory, and integrate with messaging and scheduling tools, gained significant traction after its acquisition by OpenAI. This surge in popularity, indicated by its 323,000 GitHub stars, unfortunately attracted a wave of spam and malicious activity to its Discord server, prompting temporary bans and eventual broader restrictions.
OX Security advises users to block the identified malicious domains (token-claw[.]xyz and watery-compost[.]today), exercise extreme caution when connecting crypto wallets to new or unverified websites, and treat any unsolicited offers for token giveaways or airdrops on platforms like GitHub with suspicion, especially when originating from unknown accounts.
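One way to act on the defanged indicators above: refang them into a blocklist, check DNS query logs for lookups of those domains or their subdomains, and emit hosts-file sinkhole entries. This is an added example, not OX Security's tooling; the dnsmasq-style log lines are constructed.

```python
import re

# Defanged indicator domains as published in the advisory (from the article).
DEFANGED_IOCS = ["token-claw[.]xyz", "watery-compost[.]today"]

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'token-claw[.]xyz' back into a real hostname."""
    host = indicator.replace("[.]", ".").replace("(.)", ".")
    return host.lower().strip(". ")

def build_blocklist(defanged) -> set:
    return {refang(d) for d in defanged}

def matches_blocklist(hostname: str, blocklist: set) -> bool:
    """True if hostname is a blocked domain or a subdomain of one.

    Plain suffix matching would wrongly flag 'nottoken-claw.xyz', so we require
    either an exact match or a '.'-separated parent domain.
    """
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocklist)

# dnsmasq-style query log lines, constructed for this example (not real traffic).
SAMPLE_DNS_LOG = [
    "Feb 12 10:01:02 dnsmasq[123]: query[A] openclaw.ai from 10.0.0.5",
    "Feb 12 10:01:09 dnsmasq[123]: query[A] token-claw.xyz from 10.0.0.7",
    "Feb 12 10:01:11 dnsmasq[123]: query[AAAA] cdn.watery-compost.today from 10.0.0.7",
    "Feb 12 10:01:15 dnsmasq[123]: query[A] nottoken-claw.xyz from 10.0.0.9",
    "Feb 12 10:01:20 dnsmasq[123]: query[A] token-claw.xyz.evil.example from 10.0.0.9",
]

QUERY_RE = re.compile(r"query\[\w+\]\s+(\S+)\s+from\s+(\S+)")

def find_blocked_queries(log_lines, blocklist) -> list:
    """Return (client_ip, hostname) for every query that hits the blocklist."""
    hits = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m and matches_blocklist(m.group(1), blocklist):
            hits.append((m.group(2), m.group(1)))
    return hits

def to_hosts_entries(blocklist) -> list:
    """Sinkhole lines suitable for a hosts file or local resolver override."""
    return [f"0.0.0.0 {d}" for d in sorted(blocklist)]

if __name__ == "__main__":
    bl = build_blocklist(DEFANGED_IOCS)
    for client, host in find_blocked_queries(SAMPLE_DNS_LOG, bl):
        print(f"ALERT {client} resolved {host}")
    print("\n".join(to_hosts_entries(bl)))
```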
The platform also strongly recommends that users who may have inadvertently connected their wallets revoke all pending approvals immediately to prevent further unauthorized access.
According to the portal: decrypt.co
