The mechanics of this scam are concerning yet easy to understand. Developers associated with OpenClaw were promised $5,000 in $CLAW tokens on GitHub, only to be directed to a fake website designed to steal their crypto wallets. OX Security documented this operation, and the OpenClaw project eventually reported the scam publicly.
Targeted Design Against Developers
The attackers did not set a trap randomly. They created fake GitHub accounts, initiated discussions in repositories they controlled, and mentioned dozens of developers, claiming they were "selected" for token distribution. This message appealed to the developers' egos, mimicked the project's terminology, and led them to click on external links.
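
A defender-side triage of the lure pattern described above (mass @mentions, "selected for tokens" wording, an external link, posted from a repository the recipient has no tie to), written as an added example that is not from OX Security or the OpenClaw project. The thresholds, term list, host allowlist and sample posts are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumed tuning values for illustration; none come from the OX Security report.
MENTION_THRESHOLD = 10                      # "dozens" of @mentions in one post
TRUSTED_HOSTS = {"github.com"}              # assumed allowlist of link hosts
LURE_TERMS = ("airdrop", "token", "allocation", "selected", "claim", "wallet", "reward")
FLAG_AT = 3                                 # signals needed before flagging

MENTION_RE = re.compile(r"(?<![\w/.])@([A-Za-z0-9][A-Za-z0-9-]{0,38})")
URL_RE = re.compile(r"https?://[^\s)>\]]+", re.IGNORECASE)
AMOUNT_RE = re.compile(r"\$\d[\d,]*(?:\.\d+)?")    # e.g. "$5,000"
TICKER_RE = re.compile(r"\$[A-Z]{2,10}\b")         # e.g. "$CLAW"

# Constructed samples; the domain is a placeholder, not an indicator from the report.
SAMPLE_LURE = (
    "Congratulations! You have been selected for the $CLAW token allocation "
    "worth $5,000. Claim here: https://claw-rewards.example/claim\n"
    + " ".join(f"@dev-user-{i}" for i in range(24))
)
SAMPLE_BENIGN = "Thanks @maintainer-a, fixed in https://github.com/example-org/example-repo/pull/12"

def external_hosts(text):
    """Hosts of links that leave the trusted allowlist."""
    hosts = set()
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host and host not in TRUSTED_HOSTS and not host.endswith(".github.com"):
            hosts.add(host)
    return hosts

def score_post(body, recipient_is_repo_member=False):
    """Return (score, reasons) for one discussion or comment body."""
    reasons = []
    mentions = {m.lower() for m in MENTION_RE.findall(body)}
    if len(mentions) >= MENTION_THRESHOLD:
        reasons.append(f"mass mention ({len(mentions)} accounts)")
    hits = [t for t in LURE_TERMS if t in body.lower()]
    if len(hits) >= 2 and (AMOUNT_RE.search(body) or TICKER_RE.search(body)):
        reasons.append("token giveaway wording: " + ", ".join(hits))
    hosts = external_hosts(body)
    if hosts:
        reasons.append("external link: " + ", ".join(sorted(hosts)))
    if not recipient_is_repo_member:
        reasons.append("mention from a repository the recipient has no tie to")
    return len(reasons), reasons

def is_suspicious(body, recipient_is_repo_member=False):
    return score_post(body, recipient_is_repo_member)[0] >= FLAG_AT
```

Each signal is weak on its own; the combination is what separates this lure from an ordinary mention.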

Why OpenClaw Became an Ideal Target
OpenClaw is not an obscure project. In recent years, it has experienced rapid growth, attracting attention beyond the traditional open-source developer circle. According to Reuters, the project surpassed 100,000 stars on GitHub in February and attracted 2 million visitors in a week; Peter Steinberger has also joined OpenAI, and the project is migrating to an open-source foundation.
This rapid growth changed everything. When a project becomes popular, its community also becomes a potential target for attacks. OX researchers believe the attackers may have exploited GitHub's "star" feature to identify users already familiar with OpenClaw. That made the trap appear more credible, almost personalized, and therefore more dangerous than an ordinary phishing attempt.

Wider Lessons for the Crypto Industry
OX Security stated that no confirmed victims have been identified so far. The malicious accounts were deleted just hours after the activity began. In other words, the apparent losses remain limited. What matters here, however, is not just the number of victims but the quality of the context, the speed of the operation, and how well it blends with normal GitHub usage.
Perhaps the more concerning detail is that the malware can track user behavior through specialized commands, transmit encoded data to its C2 servers, and even includes a so-called "nuke" function to erase local traces of the theft. This effort to cover its tracks indicates that crypto phishing attacks are entering a more sophisticated and covert phase, making real-time detection increasingly difficult.

