Phishing Frens Try to CLAW Their Way Into Dev Wallets With AI Hype Hook
Cybersecurity sleuths at OX Security have uncovered a classic case of "ape now, think later" gone wrong, as grifters exploit OpenClaw's hype with a phishing scheme aimed squarely at developers' precious crypto wallets.
The playbook was simple yet devious: the threat actor spawned fake GitHub accounts and opened issue threads in their own shady repos, tagging dozens of devs with the irresistible promise of being "selected" for a $5,000 airdrop of "CLAW" tokens—because nothing says legitimacy like unsolicited free money from a stranger on the internet.
The bait led to a malicious site that was a pixel-perfect clone of OpenClaw's real homepage, with one crucial, wallet-draining upgrade: a shiny "Connect your wallet" button. It's the digital equivalent of a Trojan horse, but instead of Greek soldiers, it's packed with scripts ready to empty your MetaMask.
This scam spread through the classic vectors of GitHub repos and email blasts, cleverly disguised as legit tools or extensions for the OpenClaw ecosystem. It seems the "trust, but verify" mantra was temporarily replaced by "see token, click link."
The timing is no coincidence, as this phishing frenzy rides the wave of OpenClaw's meteoric rise. Its GitHub page now boasts over 324,000 stars, putting it in the top ten repositories globally—a level of fame that apparently comes with its own fan club of malicious admirers.
The project's visibility got a massive boost last month when its creator, Peter Steinberger, joined OpenAI. Despite the high-profile connection, the project remains a non-commercial, open-source initiative run by an independent foundation, not a secret token launchpad.
Steinberger himself has taken to X to sound the alarm, stating plainly that any crypto-themed outreach using OpenClaw's name is a scam. "Folks, if you get crypto emails from websites claiming to be associated with OpenClaw, it's ALWAYS a scam," he wrote, emphasizing the project would never run such a promotion—mainly because they're busy building, not rug-pulling.
OX Security's advice is straightforward: block the malicious domains token-claw[.]xyz and watery-compost[.]today (a name that perfectly describes the quality of this scam), and treat any GitHub issue shilling a token giveaway with the same suspicion you'd afford a "Nigerian prince" in a Discord DM.
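The advice above as a triage check over GitHub notification text. This is an added example, not code from OX Security or OpenClaw. It refangs the two domains named in the article, matches them including subdomains, and flags the mass-tag giveaway pattern; the sample bodies, the lure word list and the mention threshold of 10 are constructed assumptions.

```python
import re

# Domains named in the article (published there in defanged form).
BLOCKED_DOMAINS = {"token-claw.xyz", "watery-compost.today"}
# Assumption: "dozens of devs" tagged, so 10 distinct mentions is a cautious floor.
MASS_MENTION_THRESHOLD = 10

HOST = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
MENTION = re.compile(r"(?<![\w.])@([A-Za-z0-9-]+)")  # skips e-mail addresses
LURE = re.compile(r"\b(airdrop|giveaway|claim|connect your wallet)\b", re.I)


def refang(text):
    """Undo common defanging so indicators match however they were pasted."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def is_blocked(host):
    """Exact match or subdomain of a blocked domain; lookalikes do not match."""
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def triage(body):
    """Return the reasons an issue or e-mail body should be treated as the lure."""
    text = refang(body)
    reasons = []
    hosts = {h.lower() for h in HOST.findall(text)}
    bad = sorted(h for h in hosts if is_blocked(h))
    if bad:
        reasons.append("blocked-domain:" + ",".join(bad))
    mentions = set(MENTION.findall(text))
    if len(mentions) >= MASS_MENTION_THRESHOLD and LURE.search(text):
        reasons.append("mass-mention-giveaway")
    return reasons


# Constructed sample bodies, not captured from the campaign.
SAMPLES = {
    "lure": " ".join(f"@dev{i:02d}" for i in range(12))
    + " you were selected for the $5,000 CLAW airdrop: hxxps://token-claw[.]xyz/claim",
    "subdomain": "mirror at www.watery-compost[.]today",
    "lookalike": "see token-claw.xyz.example.org",
    "benign": "@maintainer the build fails, see https://github.com/example/repo/actions",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, triage(body))
```

The lookalike sample returns no reasons: a domain list only catches the hosts already on it, which is why the mass-mention heuristic is scored separately.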