Crypto: OpenClaw developers targeted by fearsome scam on GitHub

The campaign is simple to understand and disturbing in its mechanics. Developers linked to OpenClaw were targeted on GitHub with the promise of $5,000 in $CLAW tokens, before being redirected to a fake site designed to get their crypto wallets connected and then emptied. OX Security documented the operation, and the OpenClaw project itself eventually publicly reported the scam.


In brief

  • A fake $5,000 CLAW distribution was used as bait on GitHub.
  • The goal was to connect and then empty crypto wallets.
  • No casualties have been confirmed, but the modus operandi marks a milestone.

A promise designed to trigger a bad reflex

The attackers did not set their trap at random. They created fake GitHub accounts, opened discussions in repositories they controlled, and mentioned dozens of developers, telling them they had been “selected” to receive an allocation of tokens. The message flattered the ego, imitated the language of the project and pushed towards an external link.

The fake site closely resembled openclaw.ai. The real difference was not obvious at first glance. It was in an additional button, “Connect your wallet”, designed not to check an airdrop, but to initiate a theft. In the crypto universe, this small gesture remains one of the riskiest, especially when it is provoked by urgency or easy reward.

What makes the matter more serious is the technical layer behind the facade. OX Security explains that the malicious code was heavily obfuscated in a JavaScript file and that a separate command server was used to retrieve data and then drive the draining of the connected wallet. We are therefore not facing clumsy spam, but an operation prepared to last a few hours and disappear quickly.


Why OpenClaw became an ideal target

OpenClaw is not an obscure name. The project has seen a meteoric rise in recent months, to the point of attracting attention well beyond the usual circle of open source developers. Reuters reported in February that it had already surpassed 100,000 stars on GitHub and attracted 2 million visitors in a week, while Peter Steinberger joined OpenAI and the project moved under an open source foundation.

This kind of climb changes everything. When a project goes viral, its community also becomes a target base. OX researchers also believe that the attackers probably used the “star” function of GitHub to identify profiles already familiar with OpenClaw. The trap then seems credible, almost personalized, and therefore much more dangerous than a generic message.

There is a broader lesson here for crypto. Modern scammers are no longer just looking for the new user on Telegram or Discord. They now move up the chain to developers, where technical trust is strong, clicks are fast, and curiosity about a token linked to a popular project can be enough to let one's guard down. OpenClaw served as the perfect bait because it combined AI hype, GitHub visibility, and speculative imagination.

The real signal for crypto is not limited to OpenClaw

At this point, OX Security says it has not found any confirmed victims. The malicious accounts were allegedly created last week and then deleted within hours of the campaign's launch. In other words, the visible results remain limited. But the important fact is not only the number of victims. It's the quality of the scenario, its speed and its ability to blend into the normal uses of GitHub.
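The traits reported above (recently created accounts, mass mentions from a repository the sender controls, a token reward and a link to a look-alike of openclaw.ai) can be combined into a triage rule for mention notifications. The following Python sketch is an added example, not code from OX Security or OpenClaw; the event field names, thresholds, trusted-host list and sample events are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumptions: trusted hosts, thresholds and event field names are illustrative.
TRUSTED_HOSTS = {"openclaw.ai", "github.com"}
LURE = re.compile(r"\$claw\b|airdrop|allocation|selected|connect your wallet|\$\s?5,?000", re.I)
URL = re.compile(r"https?://[^\s)>\]]+")
MENTION = re.compile(r"(?<![\w/])@([A-Za-z0-9-]+)")

def external_hosts(body):
    """Hosts linked in the text that are neither trusted nor their subdomains."""
    hosts = set()
    for url in URL.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host and not any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS):
            hosts.add(host)
    return hosts

def score(event, now):
    """Return (number of indicators, reasons) for one mention event."""
    reasons = []
    if now - event["author_created"] < timedelta(days=14):
        reasons.append("author account younger than 14 days")
    if event["repo_owner"] == event["author"]:
        reasons.append("discussion is in a repository the author controls")
    if len(set(MENTION.findall(event["body"]))) >= 10:
        reasons.append("mass @-mentions")
    if len({m.lower() for m in LURE.findall(event["body"])}) >= 2:
        reasons.append("token reward wording")
    hosts = external_hosts(event["body"])
    if hosts:
        reasons.append("links outside trusted hosts: " + ", ".join(sorted(hosts)))
    return len(reasons), reasons

# Constructed sample events (not real notifications or real domains).
NOW = datetime(2030, 1, 15)
LURE_EVENT = {
    "author": "claw-grants", "repo_owner": "claw-grants",
    "author_created": NOW - timedelta(days=3),
    "body": " ".join(f"@dev{i}" for i in range(12))
            + " you have been selected for a $5,000 allocation of $CLAW."
            + " Claim: https://openclaw-rewards.example/claim",
}
BENIGN_EVENT = {
    "author": "maintainer", "repo_owner": "some-org",
    "author_created": NOW - timedelta(days=900),
    "body": "@dev1 could you review the docs at https://openclaw.ai/docs ?",
}

if __name__ == "__main__":
    print(score(LURE_EVENT, NOW), score(BENIGN_EVENT, NOW))
```

Any single indicator is weak on its own; the combination is what separates this campaign's pattern from ordinary mentions.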

The most revealing detail is perhaps elsewhere. The malware tracked the user's actions with dedicated commands, transmitted encoded data to its C2 server and even integrated a so-called “nuke” function to locally erase traces of the theft. This effort to erase the aftermath shows that crypto phishing is entering a more professional phase, less noisy, and therefore more difficult to spot quickly.

For the crypto market, this story serves as a stark reminder: the next wave of scams won't necessarily come from a fake influencer or a questionable memecoin. It can come from a familiar environment, a GitHub repository, a plausible reward, and a mundane click. When the promise looks like a technical opportunity, the trap becomes more elegant. And this is often where it becomes more effective.
