Ox Security - OpenClaw Phishing Attack Analysis

Security Incident Analysis | Security & Deployment

Basic Information

Incident Description

OX Security detected an active phishing campaign in March 2026 in which attackers abused the OpenClaw name to spread malicious content on GitHub. The attackers lured OpenClaw developers into connecting their cryptocurrency wallets by posing as a $CLAW token airdrop, leading to wallet theft.

Attack Mechanism

Propagation Methods

  • Created fake GitHub accounts
  • Opened Issues in attacker-controlled repositories
  • Tagged numerous GitHub developers in those Issues
  • Claimed the tagged recipients had won $5,000 worth of CLAW tokens
  • Used the GitHub Star feature to identify users who had starred OpenClaw-related repositories

Technical Details

  • Cloned the official openclaw.ai website into a near-identical copy
  • Key difference: an added "Connect Your Wallet" button
  • All malicious code concentrated in a single, heavily obfuscated JavaScript file: eleven.js
  • Collected wallet data (addresses and transaction details) and transmitted it to the attackers

Attack Infrastructure

  • Redirect chain pointed to the domain token-claw.xyz
  • Command and control server hosted on watery-compost.today
  • Malicious accounts deleted within hours of creation
  • Attack campaign remains active and continuously evolving
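As an added example (not code from OX Security's write-up), a small Python triage helper that checks a fetched page for the indicators listed above: OpenClaw branding served from a host other than openclaw.ai, a wallet-connect lure, the eleven.js script name, and references to the campaign domains. The page URL and HTML sample are constructed for the demonstration.

```python
"""Heuristic triage of a suspected OpenClaw lookalike page (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators taken from the incident summary: the lookalike site added a
# "Connect Your Wallet" button, kept its logic in eleven.js, redirected to
# token-claw.xyz and talked to a C2 server on watery-compost.today.
OFFICIAL_HOST = "openclaw.ai"
KNOWN_BAD_HOSTS = {"token-claw.xyz", "watery-compost.today"}
KNOWN_BAD_SCRIPTS = {"eleven.js"}
WALLET_LURES = ("connect your wallet", "airdrop")

class _Collector(HTMLParser):
    """Collect script sources, link/form targets and visible text."""
    def __init__(self):
        super().__init__()
        self.scripts, self.links, self.text = [], [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        if tag in ("a", "form") and (a.get("href") or a.get("action")):
            self.links.append(a.get("href") or a.get("action"))
    def handle_data(self, data):
        self.text.append(data.strip().lower())

def _host(url, base):
    # Relative URLs (e.g. "/static/eleven.js") resolve to the page's own host.
    return (urlparse(url).hostname or base).lower()

def triage(page_url: str, html: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing matched."""
    base = _host(page_url, "")
    c = _Collector(); c.feed(html)
    text = " ".join(c.text); findings = []
    if base != OFFICIAL_HOST and "openclaw" in text:
        findings.append(f"brand impersonation: OpenClaw branding served from {base}")
    if any(lure in text for lure in WALLET_LURES):
        findings.append("wallet-connect lure present (the added button the write-up describes)")
    for src in c.scripts:
        name = urlparse(src).path.rsplit("/", 1)[-1]
        if name in KNOWN_BAD_SCRIPTS:
            findings.append(f"known malicious script name: {name}")
    for url in c.scripts + c.links:
        h = _host(url, base)
        if h in KNOWN_BAD_HOSTS:
            findings.append(f"reference to known campaign domain: {h}")
    return findings

# Constructed sample of a lookalike page; the host "openclaw-claim.example" is a placeholder.
SAMPLE_LOOKALIKE = """<html><body><h1>OpenClaw</h1>
<p>You won $5,000 in CLAW tokens!</p>
<a href="https://token-claw.xyz/claim">Connect Your Wallet</a>
<script src="/static/eleven.js"></script></body></html>"""
```

Running `triage("https://openclaw-claim.example/", SAMPLE_LOOKALIKE)` reports all four indicator classes, while the same check against a plain page on openclaw.ai returns nothing.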

Attack Status

  • Malicious accounts were deleted by GitHub within hours of creation
  • No confirmed theft cases reported yet
  • However, researchers warn that the attack campaign is still active and evolving
  • Covered by multiple media outlets including CoinDesk, CryptoTimes, and DailyCoin

Defense Recommendations

  • Be cautious of any GitHub messages claiming to offer free tokens
  • Do not click on suspicious links or connect wallets to unknown websites
  • Verify the authenticity of all OpenClaw-related websites
  • Use official channels to obtain OpenClaw information
  • Report suspicious GitHub activities

Relationship with the OpenClaw Ecosystem

This phishing attack highlights the social-engineering risk that comes with OpenClaw's rapid growth. Attackers exploited OpenClaw's popularity and the activity of its developer community to carry out targeted attacks. OX Security's timely discovery and analysis helps the community stay vigilant, but it also exposes the systemic risk of brand trust being abused in the open-source ecosystem.