OpenClaw Hype Triggers Wave of Phishing Attacks Targeting Crypto Wallets

Scammers are exploiting the rising popularity of AI project OpenClaw to run phishing campaigns and steal cryptocurrency from developers via fake GitHub accounts and cloned websites.

CoinJP Editorial

Cybercriminals are capitalizing on the surging popularity of AI project OpenClaw to launch phishing campaigns aimed at stealing cryptocurrency. Cybersecurity firm OX Security has disclosed details of the large-scale fraudulent operation.

How the Phishing Scheme Works

According to OX Security, attackers created fake GitHub accounts, initiated discussions in repositories they controlled, and tagged dozens of users. Targets were told they had been selected to receive $5,000 in CLAW tokens.

Example of a fraudulent message distributed via GitHub. Source: OX Security

Victims were redirected to a malicious website where they were prompted to connect their crypto wallet to "claim the reward." The page was a near-perfect replica of OpenClaw's official site — the only notable difference was a wallet connection button engineered to drain funds.

The campaign spread through GitHub repositories and email newsletters. Attackers disguised the phishing links as legitimate tools and extensions for popular software.

Security Recommendations

OX Security analysts urged users to block the domain token-claw[.]xyz and avoid connecting wallets to unverified resources. Any token airdrop announcements posted on GitHub should be treated as suspicious.

The firm also recommended reviewing recent smart contract approval history and revoking any unnecessary permissions.
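
A triage check built from the indicators above, as an added example that is not from OX Security or the article: it flags GitHub discussion or notification text that references the blocked domain (or a subdomain of it), uses airdrop-lure wording, or mass-tags users. The lure regex, the mention threshold and the function names are assumptions, and the sample message is constructed.

```python
import re

# Domain named in the article's recommendation, kept defanged at rest.
BLOCKED_DOMAINS = {"token-claw[.]xyz"}
# Assumed heuristics (not from OX Security): lure wording and mass-tag threshold.
LURE_RE = re.compile(
    r"\b(airdrop|claim|selected|reward)\b.{0,80}?\b(tokens?|wallet)\b", re.I | re.S)
MENTION_RE = re.compile(r"(?<![\w/])@([A-Za-z0-9][A-Za-z0-9-]{0,38})")
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
MASS_TAG_THRESHOLD = 10


def refang(text):
    """Undo common defanging so hosts can be compared."""
    return text.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def blocked_hosts(text, blocklist=BLOCKED_DOMAINS):
    """Return hosts in text that equal, or are subdomains of, a blocked domain."""
    blocked = {refang(d).lower() for d in blocklist}
    hits = set()
    for host in HOST_RE.findall(refang(text)):
        host = host.lower()
        # Suffix match on a label boundary, so "nottoken-claw.xyz" is not a hit.
        if any(host == d or host.endswith("." + d) for d in blocked):
            hits.add(host)
    return hits


def triage(body):
    """Score one message body; returns (verdict, reasons)."""
    reasons = []
    if blocked_hosts(body):
        reasons.append("blocked-domain")
    if LURE_RE.search(body):
        reasons.append("airdrop-lure")
    if len(set(MENTION_RE.findall(body))) >= MASS_TAG_THRESHOLD:
        reasons.append("mass-mention")
    verdict = "block" if "blocked-domain" in reasons else "suspicious" if reasons else "ok"
    return verdict, reasons


# Constructed sample modelled on the lure described in the article.
SAMPLE = (" ".join(f"@dev{i}" for i in range(12))
          + " You have been selected to receive $5,000 in CLAW tokens."
          + " Claim: hxxps://token-claw[.]xyz/claim")

if __name__ == "__main__":
    print(triage(SAMPLE))
```
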

Why This Matters

The phishing wave coincides with OpenClaw's rapid adoption among developers and small businesses using the platform for task automation. The project's GitHub repository has accumulated over 324,000 stars, placing it ninth in the global ranking.

In February, OpenAI invited OpenClaw founder Peter Steinberger to lead its personal AI agent development division. At the same time, Steinberger faced mounting pressure from the crypto community over his refusal to launch a project token.

A group of users independently created a token and began demanding that Steinberger officially endorse it, implement fees, and develop Web3 integrations. The pressure campaign included mass spam across Discord and the social network X. The aggressive behavior was so intense that the creator even considered deleting the project entirely.

On March 18, Steinberger publicly warned users that any crypto offers associated with his software are fraudulent.

"Any crypto offers related to my project are a scam" — Peter Steinberger (@steipete)

Earlier, amid the OpenClaw frenzy, a paid service for removing the AI agent emerged on Chinese social media — notably, users had previously been paying to install it.


Frequently Asked Questions

Is there an official OpenClaw crypto token?

No. OpenClaw founder Peter Steinberger has no interest in launching a token. On March 18, he publicly stated that all crypto offers tied to his project are scams.

How does the OpenClaw phishing attack work?

Scammers create fake GitHub accounts and tag users in discussions, claiming they've been selected to receive $5,000 in CLAW tokens. Victims are directed to a cloned website where connecting a wallet results in stolen funds.

How to protect yourself from the CLAW token phishing scam?

OX Security recommends blocking the domain token-claw[.]xyz, never connecting wallets to unverified sites, and reviewing recent smart contract approvals. Any token airdrop announcements on GitHub should be treated as suspicious.

Why are scammers targeting OpenClaw users?

OpenClaw has rapidly gained popularity with over 324,000 GitHub stars, ranking ninth globally. The founder's invitation to join OpenAI further amplified attention, making it an attractive target for phishing campaigns.

Who created the unofficial OpenClaw token?

A group of crypto enthusiasts independently created a token without the developer's consent. They demanded Steinberger officially endorse it and implement Web3 integrations, launching spam campaigns on Discord and X.
