Security firm OX Security has disclosed that a new phishing campaign targeting developers associated with the OpenClaw project is spreading on GitHub. Attackers impersonate project members using fake accounts, tagging developers with @mentions in issues or comments. They lure victims with pitches like “free airdrops” and “claim CLAW tokens worth about $5,000,” then drive them to spoofed websites.
The core goal of the campaign is to trick users into connecting a crypto wallet, which puts the assets in that wallet at risk of being transferred out. The report notes that the phishing pages mimic domains and visual styling associated with OpenClaw to lower victims’ suspicion. It also mentions that OpenClaw itself has been described as having an anti-crypto stance and has previously been tied to scam contexts involving fake tokens, making these “token airdrop” lures more deceptive.

