111. OpenClaw Token Scam/Phishing Attack Analysis

Basic Information

Product Description

The explosive growth of OpenClaw has attracted a large number of scammers and malicious attackers. From the $CLAWD token Rug Pull during the brand renaming period, to the $5,000 fake token airdrop phishing on GitHub, to the discovery of 1,184 malicious skills on ClawHub, the OpenClaw ecosystem faces serious security threats. Founder Peter Steinberger has repeatedly publicly stated that OpenClaw will never issue an official token, and any project claiming to be an OpenClaw token is a scam.

Core Events

1. $CLAWD Rug Pull

• Time: During the brand renaming from Clawdbot to Moltbot
• Method: Scammers seized the opportunity when the old GitHub and X accounts were released
• Promotion: Used hijacked accounts to claim that Steinberger had launched an official token
• Result: $CLAWD market cap reached $16 million, then dropped by 90%
• Platform: Deployed on Solana

2. GitHub $CLAW Phishing Attack (March 2026)

• Method: Created fake GitHub accounts, tagged OpenClaw contributors in Issues
• Bait: Claimed to win $5,000 CLAW tokens
• Phishing Page: Highly mimicked openclaw.ai, added wallet connection prompts
• Malicious Code: Highly obfuscated wallet-stealing code in eleven.js
• C2 Server: watery-compost.today
• Supported Wallets: MetaMask, WalletConnect, Trust Wallet
• Redirect Method: Redirected via Google link to token-claw.xyz
• Discoverer: OX Security cybersecurity company
• Status: Malicious accounts deleted within hours, no confirmed victims

3. ClawHub Malicious Skills

• Quantity: 1,184 malicious skills detected
• Type: Distributed wallet-stealing malware
• Channel: Distributed via OpenClaw's official skill market

4. Discord Scam

• Event: Scammers hijacked accounts to promote fake tokens on Discord
• Result: OpenClaw banned all cryptocurrency-related discussions

Business Model (Scammers)

• Fake token issuance → Rug Pull for profit
• Phishing pages → Wallet authorization to steal assets
• Malicious skills → Steal user credentials and crypto assets
• Social engineering attacks → Exploit OpenClaw brand trust

Target Victims

• OpenClaw GitHub contributors and followers
• OpenClaw users in the cryptocurrency community
• Discord community members
• Users installing unverified skills
• Novice developers

Protection Recommendations

• Always remember: OpenClaw has no official token, any token is a scam
• Do not connect wallets: Unless on officially verified websites
• Review skills: Check source code and permissions before installing skills
• Verify links: Do not click on suspicious links in Issues
• Official channels: Only obtain information from official channels

Relationship with OpenClaw Ecosystem

These security incidents have had a significant impact on the OpenClaw ecosystem:

1. Increased security awareness: Promoted the development of security skills like ClawShield
2. CoinFello/MetaMask solution: Highlighted the need for a secure wallet interaction framework
3. Birth of IronClaw: Security vulnerabilities were a direct driver for the birth of IronClaw (Rust rewrite)
4. Community policy: OpenClaw banned cryptocurrency discussions on Discord
5. Skill review: Strengthened ClawHub's skill review mechanism
6. Security standards: Promoted the adoption of security standards like ERC-7710 in the proxy field

References

• OpenClaw GitHub phishing scam - CoinDesk
• Are CLAW Tokens Legit? - CCN
• OpenClaw Developers Targeted - OX Security
• OpenClaw Bans All Crypto Mentions
• How the Attack Actually Worked - DEV Community