OpenClaw Creator Sounds Alarm: 'Zero Tokens, All Phish' as GitHub Inboxes Get Spammed
On March 19, Peter Steinberger, the brains behind OpenClaw, took to X to issue a community-wide PSA: any crypto-related email pretending to be from the project is a straight-up scam. He reiterated that OpenClaw is "open source and non-commercial," pointing to the official website as the only source of truth—because in crypto, if you're not verifying, you're probably getting rekt.
Developers have been bombarded with fake $CLAW airdrop offers dangling a juicy $5,000 in pretend tokens. These phishing emails, dressed up as GitHub notifications, use shortened Google links to siphon wallet details and even feature a "Selected Contributors" list for that extra sprinkle of false exclusivity. Spanish-language versions suggest the grift is going global, while security researcher Aoke Quant suspects the attackers just scraped GitHub contributor data and fired off a mass spam blast—a classic spray-and-pray strategy.
This phishing wave is just the latest chapter in a months-long saga of targeted harassment. Ever since the project blew up as Clawdbot in late January, scammers have made it their personal playground—spawning an unauthorized Solana memecoin that did a 96% nosedive in 24 hours, flooding the Discord with unsolicited degen chatter, and turning Steinberger's X feed into a graveyard of token-hash spam. It's the kind of attention no founder wants.
A trademark dispute even forced a rebrand to Moltbot, but the scammers were waiting in the wings like digital vultures. Within five literal seconds of the switch, they hijacked the original GitHub account, pushed malware, and stole the username to distribute malicious code. Steinberger dubbed it "the worst form of online harassment" he's ever faced—which, in the crypto world, is really saying something.
Not even Steinberger's move to OpenAI's personal-AI agents division in February 2026 has scared off these persistent bad actors. Security firm SlowMist had previously warned that some Clawdbot instances were leaking API keys and private chat logs, and researcher Jamieson O’Reilly found unauthenticated deployments spilling hundreds of credentials—all prime fodder for crafting convincingly personalized phishing lures. The supply chain for scams remains robust.
Through it all, Steinberger's core message hasn't wavered: there will never, ever be a $CLAW coin, and anyone claiming otherwise is peddling fraud. The directive is simple: stick to the official site, maintain a healthy skepticism toward any "commercial wrappers," and for the love of Satoshi, keep your wallets clear of the phishing nets.