OpenClaw Developers Targeted in GitHub Phishing Campaign With Fake $5,000 CLAW Token Airdrops

ClawHosters by Daniel Samer

If you starred an OpenClaw repo on GitHub recently, check your notifications. Scammers are tagging developers in fake issues promising $5,000 in "CLAW tokens." There is no CLAW token. There never was.

Security firm OX Security disclosed the campaign on March 18, 2026. Attackers created throwaway GitHub accounts, opened issues in repositories they controlled, and mass-tagged developers who had publicly starred OpenClaw repos. The pitch was simple: you've been selected for a token airdrop, click here, connect your wallet.

How the Attack Works

The targeting is what makes this one interesting. Attackers scraped GitHub's public star data to build their list. If you starred an OpenClaw repo, your username was fair game. That's why the outreach felt personal rather than spammy.

The phishing site itself was a near-perfect clone of openclaw.ai with one addition: a "Connect your wallet" button. As CoinDesk reported, the page loaded an obfuscated JavaScript file called eleven.js that ran entirely in the browser. No download required. Once a victim approved the wallet connection, the drainer went to work.

The technically notable part: eleven.js included a built-in "nuke" function that wiped all evidence from local storage after execution. Anti-forensics baked right into the malware. The script communicated with a C2 server at watery-compost[.]today and routed funds to wallet 0x6981...FCf5.

Official Response

OpenClaw creator Peter Steinberger warned publicly: "If you get crypto emails from websites claiming to be associated with OpenClaw, it's ALWAYS a scam. We would never do that." As of March 23, no confirmed victims have been reported, and Decrypt noted the fake GitHub accounts were deleted within hours of the campaign launch.

This Isn't the First Time

The OpenClaw brand has been a magnet for crypto scammers throughout 2026. Back in January, bad actors hijacked old "Clawdbot" social handles during a rebrand and pumped a fake $CLAWD Solana token to a $16 million market cap before it collapsed. That incident led Steinberger to ban all crypto discussion from the project's Discord entirely.

To be clear: ClawHosters has no crypto token. OpenClaw has no crypto token. Neither ever will. Any claim otherwise is a scam.

How to Protect Yourself

Treat any GitHub issue or notification promoting a token giveaway as suspicious. Don't connect your wallet to sites you weren't already planning to visit. And if you want to keep your OpenClaw instance secure, focus on the basics outlined in our security documentation.

You can also run the OpenClaw Safety Scanner against your deployment to check for known vulnerabilities.
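
As an added example (not code from this article, OpenClaw, or GitHub), the following Python triages a notification list for the pattern this campaign used: a mention in an issue, in a repository whose owner you don't work with, with giveaway wording in the title. It assumes the input is the parsed JSON array from GitHub's notifications API; the `known_owners` allowlist, the keyword pattern, and the sample data are constructed for illustration.

```python
import json
import re

# Constructed lure pattern based on the campaign's pitch (token airdrop, wallet connect).
LURE = re.compile(r"airdrop|token|wallet|claim|\$\s?\d[\d,]*", re.IGNORECASE)

def triage(notifications, known_owners):
    """Return mention-notifications on issues in unfamiliar repos with lure-like titles.

    `notifications`: parsed JSON array from GitHub's GET /notifications.
    `known_owners`: repo owners you actually work with (hypothetical allowlist).
    """
    known = {o.lower() for o in known_owners}
    flagged = []
    for n in notifications:
        subject = n.get("subject", {})
        repo = n.get("repository", {})
        owner = repo.get("owner", {}).get("login", "").lower()
        title = subject.get("title", "")
        reasons = []
        if n.get("reason") in ("mention", "team_mention") and subject.get("type") == "Issue":
            reasons.append("tagged in an issue")
        if owner not in known:
            reasons.append("unfamiliar repo owner")
        if LURE.search(title):
            reasons.append("giveaway wording in title")
        # All three signals together match the campaign; any one alone is normal noise.
        if len(reasons) == 3:
            flagged.append({"id": n.get("id"), "repo": repo.get("full_name"),
                            "title": title, "reasons": reasons})
    return flagged

# Constructed sample in the shape of the notifications API response (not real data).
SAMPLE = json.loads("""[
 {"id": "1", "reason": "mention",
  "subject": {"title": "You are selected: $5,000 CLAW token airdrop", "type": "Issue"},
  "repository": {"full_name": "throwaway-acct/rewards", "owner": {"login": "throwaway-acct"}}},
 {"id": "2", "reason": "mention",
  "subject": {"title": "Token refresh fails after 401", "type": "Issue"},
  "repository": {"full_name": "my-org/api", "owner": {"login": "my-org"}}},
 {"id": "3", "reason": "subscribed",
  "subject": {"title": "Wallet adapter docs", "type": "PullRequest"},
  "repository": {"full_name": "other-dev/lib", "owner": {"login": "other-dev"}}}
]""")

if __name__ == "__main__":
    for hit in triage(SAMPLE, known_owners={"my-org"}):
        print(hit["id"], hit["repo"], "-", hit["title"])
```

Requiring all three signals keeps legitimate items such as an auth-token bug in your own organisation's repo, or a wallet-related pull request you subscribed to, out of the results.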

Frequently Asked Questions

No. ClawHosters is a managed hosting service built on the OpenClaw framework. We have no crypto token, no airdrop program, and no affiliation with any blockchain project. If someone claims otherwise, it's a scam.

Check your GitHub notifications for issues tagging you in repositories you don't recognize. The attackers specifically targeted users who starred OpenClaw-related repos. The fake accounts have since been deleted, but the notifications may still be visible.

Move your remaining funds to a new wallet immediately. The `eleven.js` drainer may have already transferred assets, and its nuke function erases local evidence of the attack. Report the incident to your wallet provider and consider filing a report with your local cybercrime authority.

Sources

  1. OX Security
  2. CoinDesk reported
  3. warned publicly
  4. Decrypt
  5. hijacked old "Clawdbot" social handles
  6. OpenClaw instance secure
  7. security documentation
  8. OpenClaw Safety Scanner