Developers of OpenClaw, a popular open-source AI project, have been targeted by phishing attacks on GitHub that use fake token rewards to lure users into connecting crypto wallets. Cybersecurity firm OX Security reported the scam and said it had found no victims so far. OpenClaw creator Peter Steinberger also warned on X that any emails or messages claiming association with the project are scams and urged users to visit only the official site. “We would never do that. The project is open source and non-commercial,” he said.
According to OX Security, attackers created fake GitHub accounts and posted messages in repositories they controlled, tagging developers to increase visibility. The posts claimed recipients had won $5,000 worth of “CLAW,” a non-existent cryptocurrency falsely tied to the project, and directed them to a cloned website that mimicked OpenClaw’s official page. The cloned site prompted users to connect crypto wallets — a common phishing tactic used to steal credentials or obtain malicious approvals.
Social media reports indicate many developers recognized and labeled the campaign as a scam quickly. The attack follows earlier warnings from OpenClaw’s creator that the project will never launch a cryptocurrency and that any token claiming association with him is fraudulent. “I will never do a coin. Any project that lists me as coin owner is a scam,” Steinberger posted in January.
Launched in November 2025, OpenClaw is a free, open-source autonomous AI agent that runs locally to manage files, software, and browser tasks via chat platforms like WhatsApp and Telegram. The project gained significant attention and community engagement, amassing more than 465,000 subscribers on X shortly after launch. To reduce crypto-related scams and confusion, OpenClaw also confirmed a ban on Bitcoin and crypto discussions in its official Discord channel in February.
Cointelegraph notes the story follows broader trends of attackers shifting toward phishing and approval scams to exploit popular crypto and open-source ecosystems. Readers are encouraged to verify messages independently and avoid connecting wallets to sites that are not official.