CLAWing for Trouble: GitHub Grifters Use AI Hype to Phish for Devs' Private Keys
The meteoric, code-starred ascent of OpenClaw has spawned a predictable new parasite: crypto scammers are now leveraging the AI agent project's fame to phish developers in a campaign with one simple goal—draining wallets faster than a memecoin rug pull.
Security sleuths at OX Security just dropped a report detailing the active grift. The playbook? Threat actors spin up fake GitHub accounts, open issue threads in repositories they control, and then tag a small army of developers, hoping one bites.
The bait is a classic: a message claiming the recipient has bagged $5,000 worth of $CLAW tokens. It points to a site that's a near-perfect clone of openclaw.ai, save for one crucial, wallet-emptying addition: a 'Connect your wallet' button that might as well say 'Drain Me.'
This phishing fiesta kicked off just weeks after OpenAI CEO Sam Altman announced that OpenClaw creator Peter Steinberger would helm its personal AI agent charge, with OpenClaw itself going open-source under a foundation. Talk about bad timing.
That sudden burst of mainstream clout, plus the framework's shiny new association with the biggest name in AI, has effectively painted a target on the back of its developer community. They're not just building the future; they're now prime hunting grounds for it.
The fake GitHub issues deploy flattery as a weapon, telling devs, 'Appreciate your contributions on GitHub. We analyzed profiles and chose developers to get OpenClaw allocation.' It then shunts marks to a counterfeit site that supports all the major crypto wallets, because even scammers need multi-chain compatibility.
OX Security's assessment suggests the attackers are probably using GitHub's star feature to pinpoint users who've starred OpenClaw repos. It's a targeting method that adds a veneer of credibility, making the lure feel less like a broadcast blast and more like a 'you've been personally selected' trap.
The platform's deep dive found the wallet-lifting code hidden inside a heavily obfuscated JavaScript file named 'eleven.js.' After untangling the malware, researchers spotted a built-in 'nuke' function—a digital bleach that wipes all theft-related data from the browser's local storage to cover the scammers' tracks post-heist.
This malware is a nosy little script, tracking user actions via commands like PromptTx, Approved, and Declined. It then relays encoded data—wallet addresses, transaction values, names—back to a command-and-control server, presumably for the thieves to admire their haul.
Researchers managed to pin down one crypto wallet address they believe belongs to the threat actor: 0x6981E9EA7023a8407E4B08ad97f186A5CBDaFCf5. Consider it the digital equivalent of a getaway car's license plate, used to receive the stolen funds.
The scam accounts were created last week and yeeted into the void within hours of launch. According to OX Security, there are no confirmed victims yet, so the grifters' ROI currently stands at a big, fat zero.
OpenClaw, the self-hosted AI agent framework that lets users run persistent bots hooked into everything from messaging apps to shell commands, rocketed to 323,000 GitHub stars after its OpenAI acquisition last month. Fame has its costs.
That visibility acted like a beacon for degenerates. OpenClaw creator Peter Steinberger noted that crypto spam flooded the project's Discord almost 'every half hour,' leading to bans and finally a blanket prohibition after what he called 'nonstop coin promotion.' The Web3 shill is relentless.
Unlike your typical chat-based AI tool, OpenClaw agents are persistent, wake on a schedule, store memory locally, and execute multi-step tasks autonomously. They're the reliable employees every degen wishes they had, ironically now being used to target their creators.
OX Security's prescription is straightforward: block the domains token-claw[.]xyz and watery-compost[.]today everywhere, avoid connecting wallets to any newly surfaced or unverified site, and treat GitHub issues promoting token giveaways—especially from randos—with the skepticism you'd apply to a 'trust me bro' trading signal.
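As an added defender-side example (not code from the article or from OX Security's report), the script below turns the indicators the article publishes into a small triage check for incoming GitHub issue or notification text: the two domains to block, the wallet address attributed to the threat actor, and the quoted lure wording. The `LEGIT_DOMAINS` allowlist, the generic giveaway phrases beyond the quoted sentence, and the sample issue bodies are constructed assumptions for the demonstration.

```python
import re

# Indicators published in the article (from the OX Security findings).
BLOCKED_DOMAINS = {"token-claw.xyz", "watery-compost.today"}
ATTACKER_WALLETS = {"0x6981e9ea7023a8407e4b08ad97f186a5cbdafcf5"}

# Assumption: domains a developer would expect in a legitimate OpenClaw issue.
LEGIT_DOMAINS = {"openclaw.ai", "github.com"}

# The first two phrases are quoted from the lure in the article; the rest are
# generic token-giveaway wording added here as an assumption.
LURE_PHRASES = (
    "openclaw allocation",
    "we analyzed profiles",
    "connect your wallet",
    "$claw",
    "claim your",
)

URL_RE = re.compile(r"https?://([a-z0-9.\-]+)", re.IGNORECASE)
ETH_ADDR_RE = re.compile(r"0x[0-9a-f]{40}", re.IGNORECASE)


def refang(text: str) -> str:
    """Turn defanged indicators such as token-claw[.]xyz back into real domains."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def extract_domains(text: str) -> list:
    """Return the distinct lower-cased hostnames of every http(s) URL in the text."""
    return sorted({m.group(1).lower().rstrip(".") for m in URL_RE.finditer(refang(text))})


def is_blocked(domain: str) -> bool:
    """Exact match or subdomain of a blocked domain."""
    return domain in BLOCKED_DOMAINS or any(domain.endswith("." + b) for b in BLOCKED_DOMAINS)


def triage_issue(text: str) -> dict:
    """Score an issue/notification body for the $CLAW giveaway lure.

    verdict: "block" when a blocked domain or the attacker wallet appears,
             "suspicious" when lure wording points at an unknown domain,
             "ok" otherwise.
    """
    body = refang(text)
    lowered = body.lower()
    domains = extract_domains(body)
    blocked = [d for d in domains if is_blocked(d)]
    unknown = [d for d in domains if d not in LEGIT_DOMAINS and d not in blocked]
    lure_hits = [p for p in LURE_PHRASES if p in lowered]
    wallet_hits = [a.lower() for a in ETH_ADDR_RE.findall(body) if a.lower() in ATTACKER_WALLETS]

    if blocked or wallet_hits:
        verdict = "block"
    elif lure_hits and unknown:
        verdict = "suspicious"
    else:
        verdict = "ok"
    return {
        "verdict": verdict,
        "blocked_domains": blocked,
        "unknown_domains": unknown,
        "lure_phrases": lure_hits,
        "attacker_wallets": wallet_hits,
    }


# Constructed sample bodies for the demonstration (not real issues).
SAMPLE_LURE = (
    "Appreciate your contributions on GitHub. We analyzed profiles and chose "
    "developers to get OpenClaw allocation. You received $5,000 in $CLAW. "
    "Claim your tokens at https://token-claw[.]xyz/claim and connect your wallet."
)
SAMPLE_BENIGN = (
    "Bug: the agent crashes on scheduled wake. Docs at https://openclaw.ai/docs "
    "and the related thread at https://github.com/example/repo/issues/1."
)
SAMPLE_SUSPICIOUS = (
    "Claim your OpenClaw allocation today at https://giveaway.invalid/claw"
)

if __name__ == "__main__":
    for label, body in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN),
                        ("suspicious", SAMPLE_SUSPICIOUS)):
        print(label, triage_issue(body))
```

The domain check runs on the refanged text so the defanged indicators from a report can be pasted in unchanged, and subdomains of a blocked domain are caught as well. The "suspicious" verdict deliberately needs both lure wording and an unrecognised domain, so an ordinary bug report that merely links outside the allowlist is not flagged.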
The final warning is