Phishing Campaign Targets OpenClaw Developers via GitHub
Severity: Medium (Score: 57.8)
Sources: Decrypt.Co, Cybersecuritynews, Csoonline, Mexc, Bitget
Summary
A phishing campaign is targeting developers associated with the OpenClaw AI project, trading on the project's recent popularity. The attackers created fake GitHub accounts and opened discussions in repositories they controlled, claiming that the targeted developers had won $5,000 in CLAW tokens. Victims were directed to a fraudulent website mimicking openclaw.ai and prompted to connect their crypto wallets; a wallet connected there could then be drained. The malicious code was embedded in an obfuscated JavaScript file named 'eleven.js', which includes a 'nuke' function that erases traces of the attack.

OX Security, which reported the campaign, noted that the attackers may have used GitHub's star feature to identify targets; a repository's stargazers are publicly listed. No confirmed victims have been reported so far, but researchers have identified a wallet address linked to the attackers (listed under Key Entities). OpenClaw's creator, Peter Steinberger, had already put strict anti-crypto policies in place in response to previous scams. Users are advised not to connect wallets to unverified sites and to block known malicious domains.

Key Points:
• OpenClaw developers are targeted in a phishing campaign run from fake GitHub accounts.
• Scammers lure victims with false claims of winning $5,000 in CLAW tokens.
• Malicious code is hidden in an obfuscated JavaScript file designed to steal wallet information.
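The lure described above combines a prize claim, the token name, a wallet-connect call to action and a link to a lookalike of openclaw.ai. The following triage script, added here as an example and not code from OX Security or the OpenClaw project, scores a GitHub discussion or issue comment on exactly those signals: it extracts URLs, classifies each hostname as the legitimate domain, a lookalike (brand string embedded in the host, or a label within edit distance 2 of "openclaw"), or unrelated, and counts lure phrases. The sample comments, the lure phrases and the scoring thresholds are constructed for this example; only the legitimate domain comes from the page.

```python
import re
from urllib.parse import urlparse

# Legitimate project domain named on the page; every other host is checked against it.
LEGIT_DOMAIN = "openclaw.ai"
BRAND = "openclaw"

# Lure phrases modelled on the campaign description (prize, token name, wallet connect).
# Assumption: heuristics written for this example, not an official IOC list.
LURE_PATTERNS = [
    re.compile(p, re.I)
    for p in (
        r"\bwon\b",                        # "you have won ..."
        r"\$\s?\d[\d,]*",                  # dollar amount such as $5,000
        r"\bCLAW\s+tokens?\b",             # token name used in the lure
        r"\bconnect\b.{0,40}\bwallet\b",   # wallet-connect call to action
        r"\bclaim\b",
        r"\bairdrop\b",
    )
]

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.I)


def levenshtein(a, b):
    """Edit distance, used to catch typosquats such as openc1aw or openclav."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host):
    """Return 'legit', 'lookalike' or 'other' for a hostname."""
    host = host.lower().rstrip(".")
    if host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN):
        return "legit"
    # Brand embedded anywhere: openclaw-ai.io, openclaw.ai.example.org, app-openclaw.net
    if BRAND in host.replace("-", ""):
        return "lookalike"
    # Near-miss spelling in any label: openc1aw.ai, openclav.ai
    if any(len(label) >= 5 and levenshtein(label, BRAND) <= 2 for label in host.split(".")):
        return "lookalike"
    return "other"


def score_message(text):
    """Score one comment. Returns (verdict, details) where verdict is ok/suspicious/phishing."""
    hosts = [urlparse(u).hostname or "" for u in URL_RE.findall(text)]
    lookalikes = [h for h in hosts if classify_host(h) == "lookalike"]
    lures = [p.pattern for p in LURE_PATTERNS if p.search(text)]
    if lookalikes and len(lures) >= 2:
        verdict = "phishing"
    elif lookalikes or len(lures) >= 3:
        verdict = "suspicious"
    else:
        verdict = "ok"
    return verdict, {"lookalike_hosts": lookalikes, "lure_hits": lures}


# Constructed sample comments: one lure in the style the page describes, one benign
# maintainer post linking the real site, one typosquat with few lure words.
SAMPLE_COMMENTS = [
    "Congrats! You have won $5,000 in CLAW tokens for supporting OpenClaw. "
    "Claim here: https://openclaw-ai.io/claim and connect your wallet.",
    "Docs for the new release are up at https://docs.openclaw.ai/ and on "
    "https://github.com/openclaw/openclaw",
    "Reward program live: https://openc1aw.ai/airdrop",
]


def triage(comments):
    """Return the verdict for each comment, in order."""
    return [score_message(c)[0] for c in comments]


if __name__ == "__main__":
    for comment, verdict in zip(SAMPLE_COMMENTS, triage(SAMPLE_COMMENTS)):
        print(f"{verdict:10s} {comment[:60]}...")
```

The script only judges hostnames, so a lure hosted on a legitimate service (a pages site or a pastebin) is caught by the lure-phrase count alone; treat "suspicious" as a prompt to check the link by hand rather than as a clean result, and compare any site that asks to connect a wallet against the exact project domain before approving anything.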
Key Entities
- Malware (attack_type)
- Phishing (attack_type)
- openclaw.ai (domain)
- 0x6981E9EA7023a8407E4B08ad97f186A5CBDaFCf5 (eth)
- T1027 - Obfuscated Files Or Information (mitre_attack)
- T1041 - Exfiltration Over C2 Channel (mitre_attack)
- T1059.007 - JavaScript (mitre_attack)
- T1070 - Indicator Removal (mitre_attack)
- T1071 - Application Layer Protocol (mitre_attack)
- Discord (platform)
- GitHub (platform)
- Solana (platform)