OpenClaw GitHub Phishing Campaign

avoid.net/openclaw-github-phishing-campaign · 0/100 · 85% conf.
[AI-DRAFTED · AWAITING VERIFICATION]
anchored·4ntnsL…QGsN

Summary

An active phishing campaign, first disclosed by OX Security in March 2026 and continuing into June 2026, abuses the OpenClaw brand and GitHub's issue notification system to target software developers with fake $5,000 CLAW token giveaways. Victims are directed via Google LinkShare redirect URLs to token-claw[.]xyz, a near-identical clone of openclaw.ai, where a malicious wallet-connect prompt triggers a JavaScript drainer (eleven.js) capable of siphoning funds from MetaMask, Trust Wallet, OKX Wallet, Bybit Wallet, and WalletConnect-compatible wallets. OpenClaw founder Peter Steinberger has publicly stated the project has no token and never will.

Connected Through

1 shared actor · 1 investigation

Distinct actors this investigation shares with others — holders, traders, and named parties. Shared infrastructure (exchanges, pools) is excluded.

Timeline (7 events)

2026-01-01

Scammers exploit a brief gap in OpenClaw's social media account transition (prompted by an Anthropic trademark notice over the name 'Clawdbot') to promote a fake CLAWD token. The token allegedly reaches a market capitalization of approximately $16 million before collapsing by over 90%.

CoinDesk / Yellow.com

2026-02-01

OpenClaw founder Peter Steinberger bans all cryptocurrency discussion on the project's Discord server following the CLAWD fake token incident. Steinberger publicly disavows any crypto connection and states the project will never issue a token.

KuCoin News / CryptoNews

2026-03-12

Threat actor creates throwaway GitHub accounts and begins tagging developers who starred OpenClaw-related repositories in fake issue threads, offering $5,000 CLAW token giveaways and directing victims to token-claw[.]xyz via Google LinkShare redirects.

OX Security / CryptoTimes

2026-03-12

Throwaway GitHub accounts used in the phishing campaign are deleted within hours of the campaign's launch, limiting the active exposure window but not eliminating the infrastructure.

OX Security / HackRead

2026-03-19

OX Security publishes full technical disclosure of the campaign, identifying the phishing domain token-claw[.]xyz, C2 server watery-compost[.]today, malicious JavaScript file eleven.js, threat actor wallet address 0x6981E9EA7023a8407E4B08ad97f186A5CBDaFCf5, and the nuke evasion function. No confirmed victims are reported at time of publication.

OX Security

2026-03-19

CoinDesk, Decrypt, CSO Online, HackRead, CyberNews, and multiple crypto publications pick up the OX Security report, broadening awareness of the campaign among developers.

CoinDesk

2026-06-15

Campaign described as active and ongoing as of June 2026, with continued abuse of the OpenClaw brand and GitHub notification system to target developers.

AVOID.NET investigation (context provided by submitter)

Provenance & Audit Trail

Decision Log

This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.

model: claude-sonnet-4-6

generated: 6/15/2026, 11:34:16 PM

last updated: 6/15/2026, 11:34:25 PM
