Crypto: OpenClaw Developers Targeted by a Formidable Scam on GitHub

The campaign is easy to understand and worrying in its mechanics. Developers linked to OpenClaw were targeted on GitHub with the promise of $5,000 in $CLAW tokens, before being redirected to a fake site designed to make them connect and then drain their crypto wallets. OX Security documented the operation, and the OpenClaw project itself eventually publicly reported the scam.

A promise crafted to trigger a bad reflex

The attackers did not set a trap at random. They created fake GitHub accounts, opened discussions in repositories they controlled, and mentioned dozens of developers explaining they had been “selected” to receive a token allocation. The message flattered the ego, imitated the project’s language, and pushed to an external link.

The fake site almost mimicked the appearance of openclaw.ai. The real difference was not obvious at first glance. It was in an additional button, “Connect your wallet,” designed not to verify an airdrop, but to initiate theft. In the crypto universe, this small gesture remains one of the riskiest. Especially when it is prompted by urgency or easy reward.

What makes the case more serious is the technical layer behind the facade. OX Security explains that the malicious code was heavily obfuscated in a JavaScript file and that a separate command server was used to collect data then control the draining of the connected wallet. So this is not a clumsy spam but an operation prepared to last a few hours and disappear quickly.

Why OpenClaw became an ideal target

OpenClaw is not an obscure name. The project has seen a meteoric rise in recent months, attracting attention well beyond the usual circle of open source developers. Reuters reported in February that it had already surpassed 100,000 stars on GitHub and attracted 2 million visitors in a week, while Peter Steinberger joined OpenAI and the project moved under an open source foundation.

This kind of rise changes everything. When a project goes viral, its community also becomes a base of targets. OX researchers estimate that the attackers probably used GitHub’s “star” feature to identify profiles already familiar with OpenClaw. The trap then appears credible, almost personalized, and therefore much more dangerous than a generic message.

There is a broader lesson here for crypto. The modern scammer no longer only targets beginners on Telegram or Discord. They now go up the chain to developers, where technical trust is strong, clicks are fast, and curiosity about a token linked to a trendy project can be enough to lower guard. OpenClaw served as perfect bait because it combined AI hype, GitHub visibility, and speculative imagination.

The real signal for crypto is not limited to OpenClaw

At this stage, OX Security says it has found no confirmed victims. The malicious accounts were created last week then deleted a few hours after the campaign launch. In other words, the visible toll remains limited. But the important fact is not just the number of victims. It is the quality of the scenario, its speed, and its ability to blend into normal GitHub usage.

The most revealing detail may lie elsewhere. The malware tracked user actions with dedicated commands, transmitted encoded data to its C2 server, and even included a so-called “nuke” function to locally erase traces of the theft. This desire to erase the aftermath shows that crypto phishing is entering a more professional, quieter phase, and therefore more difficult to spot in real time.

For the crypto market, this story reminds us of a brutal fact: the next wave of scams will not necessarily come from a fake influencer or a dubious memecoin. It can come from a familiar environment, a GitHub repository, a plausible reward, and an ordinary click. When the promise looks like a technical opportunity, the trap becomes more elegant. And that is often where it becomes more effective.