OpenClaw developers are currently the target of a coordinated GitHub phishing campaign that uses the promise of free “CLAW” tokens to drain crypto wallets. The attackers are leveraging fake GitHub accounts to tag developers in repositories, directing them to a malicious site that mimics the official OpenClaw project page to harvest wallet signatures.

How the OpenClaw Phishing Scheme Works

The attack vector is a classic social engineering play tailored for the developer community. According to research from OX Security, the perpetrators created multiple fake GitHub accounts to gain traction within the ecosystem. By tagging legitimate contributors in controlled repositories, they artificially boosted the visibility of their fraudulent claims.

The bait? A promise of $5,000 worth of “CLAW” tokens. The attackers directed victims to a pixel-perfect clone of the OpenClaw website, where they were prompted to connect their crypto wallets. Once a user clicks “connect,” they are essentially signing malicious transactions that allow attackers to drain funds or gain unauthorized access to assets.

Multiple outlets, including Cointelegraph, have confirmed that this is a targeted effort to exploit the project’s rapid growth. While the industry has seen a shift toward sophisticated phishing as on-chain security improves, developer-centric platforms remain high-value targets. This mirrors the broader trend of retail gold buying as investors seek refuge from market volatility, though in this case, the "safety" of the project is being weaponized against its own community.

Is an Official CLAW Token Coming?

If you see a token claiming to be associated with OpenClaw, it is 100% a scam. OpenClaw creator Peter Steinberger has been explicit on this point for months. Following a similar warning issued in January, Steinberger reiterated that the project is strictly open-source and non-commercial.

| Feature | Status |
| --- | --- |
| Official Token | None |
| Project Type | Open-source AI Agent |
| Creator Stance | Anti-Token |
| Primary Risk | Wallet Draining |

“I will never do a coin. Any project that lists me as coin owner is a scam,” Steinberger stated. This is not the first time the project has had to distance itself from bad actors; in February, the official Discord channel implemented a strict ban on all Bitcoin ($BTC) and cryptocurrency discussions to mitigate these exact types of social engineering risks.

Why Developers Are Under Attack

OpenClaw’s viral success—amassing over 465,000 subscribers on X since its November 2025 launch—has made it a prime target for bad actors. As the project continues to scale its local AI agent capabilities, the community must remain vigilant. This incident serves as a reminder that even legitimate open-source projects are not immune to the hidden costs of AI abundance and the associated security vulnerabilities that come with rapid adoption.

Frequently Asked Questions

1. Did the OpenClaw team launch a CLAW token? No. The project creator, Peter Steinberger, has confirmed multiple times that there is no official token and that any project claiming otherwise is fraudulent.

2. How do I protect my wallet from this GitHub scam? Never connect your wallet to sites prompted by unsolicited GitHub tags or social media DMs. Always verify the project URL through official, long-standing channels only.

3. Are there any known victims of the CLAW phishing attack? As of the latest reports from security researchers, there have been no confirmed victims, as the community largely identified the campaign as a scam early on.
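The URL check from answer 2, combined with the lure described earlier (a GitHub tag, a free-token promise, a link to a clone site), can be automated when triaging mention notifications. This is an added example, not code from OpenClaw or OX Security; the allowlisted host `openclaw.example`, the keyword list and the sample comments are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Assumption: placeholder for the project's real site; the page does not give it.
OFFICIAL_HOSTS = {"openclaw.example"}
# Lure wording modelled on the campaign described above (free tokens, wallet connect).
LURE = re.compile(r"\b(airdrop|free\s+tokens?|claim\s+your|connect\s+(your\s+)?wallet"
                  r"|CLAW\W+tokens?)\b", re.I)
URL = re.compile(r"https?://[^\s<>()\"']+", re.I)

def link_host(url):
    """Return the normalised hostname a browser would visit, or None."""
    try:
        host = urlsplit(url).hostname  # ignores userinfo ("official@other") and port
        if not host:
            return None
        # Trailing dot removed; non-ASCII lookalike names become xn-- punycode.
        return host.rstrip(".").encode("idna").decode("ascii")
    except ValueError:  # malformed URL or un-encodable label
        return None

def is_official(host):
    """Exact match or true subdomain of an allowlisted host; prefix tricks fail."""
    return host is not None and any(
        host == h or host.endswith("." + h) for h in OFFICIAL_HOSTS)

def triage(comment):
    """Return (verdict, unofficial_hosts) for one mention or comment body."""
    hosts = [link_host(u.rstrip(".,;:!?")) for u in URL.findall(comment)]
    unofficial = [h or "<unparseable>" for h in hosts if not is_official(h)]
    lure = bool(LURE.search(comment))
    if lure and unofficial:
        return "suspect", unofficial   # token bait plus a link off the allowlist
    if lure:
        return "review", unofficial    # token talk, nothing to click yet
    return "ok", unofficial

# Constructed sample comments (not taken from the real campaign).
SAMPLES = [
    "@dev you qualify for $5,000 in CLAW tokens, connect your wallet at "
    "https://openclaw.example.claw-rewards.invalid/claim",
    "Free tokens for contributors: https://openclaw.example@claw-rewards.invalid/",
    "@dev the install guide is at https://docs.openclaw.example/install.",
    "Is the CLAW token real?",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(triage(s), "<-", s[:60])
```

The first two samples show why a substring match on the official name is not enough: the name appears once as a subdomain prefix and once as URL userinfo, and in both cases the host actually visited is the unrelated one.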

Market Signal

While this phishing campaign is isolated to the OpenClaw ecosystem, it highlights a broader trend: attackers are increasingly targeting developer communities to bypass protocol-level security. Investors holding $ETH or other assets should treat any "free token" airdrop from unverified GitHub or X accounts as a high-risk vector for wallet drainage.