Close Menu
FSNN | Free Speech News NetworkFSNN | Free Speech News Network
  • Home
  • News
    • Politics
    • Legal & Courts
    • Tech & Big Tech
    • Campus & Education
    • Media & Culture
    • Global Free Speech
  • Opinions
    • Debates
  • Video/Live
  • Community
  • Freedom Index
  • About
    • Mission
    • Contact
    • Support
Trending

A Pipeline Company Seized Their Land and Left Them With a $383,000 Bill. What Will the Supreme Court Say?

6 minutes ago

Mexican journalist Josué Martínez shot dead in Puebla, fourth killed in over a month

11 minutes ago

Galaxy Expands Texas Footprint with Texas Tech Stadium Deal

23 minutes ago
Facebook X (Twitter) Instagram
Facebook X (Twitter) Discord Telegram
FSNN | Free Speech News NetworkFSNN | Free Speech News Network
Market Data Newsletter
Friday, July 17
  • Home
  • News
    • Politics
    • Legal & Courts
    • Tech & Big Tech
    • Campus & Education
    • Media & Culture
    • Global Free Speech
  • Opinions
    • Debates
  • Video/Live
  • Community
  • Freedom Index
  • About
    • Mission
    • Contact
    • Support
FSNN | Free Speech News NetworkFSNN | Free Speech News Network
Home»Cryptocurrency & Free Speech Finance»OpenClaw Developers Lured in GitHub Phishing Campaign Targeting Crypto Wallets
Cryptocurrency & Free Speech Finance

OpenClaw Developers Lured in GitHub Phishing Campaign Targeting Crypto Wallets

News RoomBy News Room4 months agoNo Comments4 Mins Read1,182 Views
Share Facebook Twitter Pinterest Copy Link LinkedIn Tumblr Email VKontakte Telegram
OpenClaw Developers Lured in GitHub Phishing Campaign Targeting Crypto Wallets
Share
Facebook Twitter Pinterest Email Copy Link

Listen to the article

0:00
0:00

Key Takeaways

Playback Speed

Select a Voice

In brief

  • Attackers used fake GitHub accounts to tag developers, claiming they had won $5,000 in $CLAW tokens and directing them to a cloned OpenClaw site.
  • OX Security said the phishing page used heavily obfuscated JavaScript and a separate C2 server to drain connected wallets and hide activity.
  • The accounts were created last week and deleted within hours of launch, with no confirmed victims so far.

OpenClaw’s viral rise has drawn an ugly new side effect: crypto scammers are now using the AI agent project’s name to target developers in a phishing campaign aimed at draining their wallets. 

Security platform OX Security published a report on Wednesday detailing an active phishing campaign targeting OpenClaw in which threat actors create fake GitHub accounts, open issue threads in attacker-controlled repositories, and tag dozens of developers. 

The scammer posts GitHub issues telling developers, “Appreciate your contributions on GitHub. We analyzed profiles and chose developers to get OpenClaw allocation,” and claims they have won $5,000 worth of $CLAW tokens, directing them to a fake website that closely resembles openclaw.ai. The site includes an added “Connect your wallet” button designed to trigger wallet theft.

OX Security research team lead and a co-author of the report, Moshe Siman Tov Bustan, told Decrypt they uncovered evidence the scam attempt bears resemblance to a campaign that “spread on GitHub, relating to Solana.”

“[We’re still] analyzing the behavior and the relation of these campaigns,” Bustan added.

The phishing campaign surfaced weeks after OpenAI CEO Sam Altman announced OpenClaw creator Peter Steinberger would lead its push into personal AI agents, with OpenClaw transitioning to a foundation-run open-source project. 

That mainstream profile and the framework’s association with one of the most prominent names in AI make its developer community an increasingly attractive target.

OX Security said it had previously assessed the attackers may be using GitHub’s star feature to identify users who have starred OpenClaw-related repositories, making the lure appear more targeted and credible.

The platform’s analysis found the wallet-stealing code buried inside a heavily obfuscated JavaScript file called “eleven.js.”

“According to who that was targeted and the user’s reports on GitHub,” the campaign targeted only users who “starred the OpenClaw GitHub repository,” Bustan said. “During our analysis, we found only one address belonging to the threat actor, which hadn’t sent or received any funds yet.”

After deobfuscating the malware, researchers identified a built-in “nuke” function that wipes all wallet-stealing data from the browser’s local storage to frustrate forensic analysis. 

The malware tracks user actions via commands such as PromptTx, Approved, and Declined, relaying encoded data, including wallet addresses, transaction values, and names, back to a C2 server.

Researchers identified one crypto wallet address they believe belongs to the threat actor, 0x6981E9EA7023a8407E4B08ad97f186A5CBDaFCf5, used to receive stolen funds. 

The accounts were created last week and deleted within hours of launch, with no confirmed victims so far, according to OX Security.

Decrypt has reached out to Peter Steinberger for comment.

OpenClaw’s crypto magnet problem

OpenClaw, a self-hosted AI agent framework that lets users run persistent bots connected to messaging apps, email, calendars, and shell commands, hit 323,000 GitHub stars following its acquisition by OpenAI last month. 

That visibility quickly attracted bad actors, with OpenClaw creator Peter Steinberger saying crypto spam flooded OpenClaw’s Discord almost “every half hour,” forcing bans and ultimately a blanket prohibition after what he described to Decrypt as “nonstop coin promotion.”

Unlike chat-based AI tools, OpenClaw agents persist, wake on a schedule, store memory locally, and execute multi-step tasks autonomously.

OX Security recommends blocking token-claw[.]xyz and watery-compost[.]today across all environments, avoiding connecting crypto wallets to newly surfaced or unverified sites, and treating any GitHub issue promoting token giveaways or airdrops as suspicious, particularly from unknown accounts. 

Users who recently connected a wallet should revoke approvals immediately, the platform warned. 

Editor’s note: Adds comment from OX Security’s Bustan

Daily Debrief Newsletter

Start every day with the top news stories right now, plus original features, a podcast, videos and more.

Read the full article here

Fact Checker

Verify the accuracy of this article using AI-powered analysis and real-time sources.

Get Your Fact Check Report

Enter your email to receive detailed fact-checking analysis

5 free reports remaining

Continue with Full Access

You've used your 5 free reports. Sign up for unlimited access!

Already have an account? Sign in here

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Telegram Copy Link
News Room
  • Website
  • Facebook
  • X (Twitter)
  • Instagram
  • LinkedIn

The FSNN News Room is the voice of our in-house journalists, editors, and researchers. We deliver timely, unbiased reporting at the crossroads of finance, cryptocurrency, and global politics, providing clear, fact-driven analysis free from agendas.

Related Articles

Media & Culture

A Pipeline Company Seized Their Land and Left Them With a $383,000 Bill. What Will the Supreme Court Say?

6 minutes ago
Cryptocurrency & Free Speech Finance

Galaxy Expands Texas Footprint with Texas Tech Stadium Deal

23 minutes ago
Cryptocurrency & Free Speech Finance

ECB Warns Stablecoins May Drain Bank Deposits—Here’s What That Means

38 minutes ago
Media & Culture

Ctrl-Alt-Speech: Putting Some Meat On The Bans

1 hour ago
Media & Culture

Video Shows Fort Worth Cop Ticketing a Preacher for ‘Offensive’ Speech at Pride Event

1 hour ago
Cryptocurrency & Free Speech Finance

Consensys unknowingly outsourced developer work to North Korean

1 hour ago
Add A Comment

Comments are closed.

Editors Picks

Mexican journalist Josué Martínez shot dead in Puebla, fourth killed in over a month

11 minutes ago

Galaxy Expands Texas Footprint with Texas Tech Stadium Deal

23 minutes ago

ECB Warns Stablecoins May Drain Bank Deposits—Here’s What That Means

38 minutes ago

Can the government require ID before you use artificial intelligence?

1 hour ago
Latest Posts

Ctrl-Alt-Speech: Putting Some Meat On The Bans

1 hour ago

Video Shows Fort Worth Cop Ticketing a Preacher for ‘Offensive’ Speech at Pride Event

1 hour ago

Consensys unknowingly outsourced developer work to North Korean

1 hour ago

Subscribe to News

Get the latest news and updates directly to your inbox.

At FSNN – Free Speech News Network, we deliver unfiltered reporting and in-depth analysis on the stories that matter most. From breaking headlines to global perspectives, our mission is to keep you informed, empowered, and connected.

FSNN.net is owned and operated by GlobalBoost Media
, an independent media organization dedicated to advancing transparency, free expression, and factual journalism across the digital landscape.

Facebook X (Twitter) Discord Telegram
Latest News

A Pipeline Company Seized Their Land and Left Them With a $383,000 Bill. What Will the Supreme Court Say?

6 minutes ago

Mexican journalist Josué Martínez shot dead in Puebla, fourth killed in over a month

11 minutes ago

Galaxy Expands Texas Footprint with Texas Tech Stadium Deal

23 minutes ago

Subscribe to Updates

Get the latest news and updates directly to your inbox.

© 2026 GlobalBoost Media. All Rights Reserved.
  • Privacy Policy
  • Terms of Service
  • Our Authors
  • Contact

Type above and press Enter to search. Press Esc to cancel.

🍪

Cookies

We and our selected partners wish to use cookies to collect information about you for functional purposes and statistical marketing. You may not give us your consent for certain purposes by selecting an option and you can withdraw your consent at any time via the cookie icon.

Cookie Preferences

Manage Cookies

Cookies are small text that can be used by websites to make the user experience more efficient. The law states that we may store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies, we need your permission. This site uses various types of cookies. Some cookies are placed by third party services that appear on our pages.

Your permission applies to the following domains:

  • https://fsnn.net
Necessary
Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.
Statistic
Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.
Preferences
Preference cookies enable a website to remember information that changes the way the website behaves or looks, like your preferred language or the region that you are in.
Marketing
Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.