Developers behind OpenClaw, an open-source AI project, were targeted in a GitHub-based phishing campaign that used fake token rewards to trick users into connecting crypto wallets. Cybersecurity firm OX Security researched the attack and said it had not identified any victims to date. OpenClaw creator Peter Steinberger also warned on X that unsolicited emails or messages claiming ties to the project are fraudulent and urged people to use only the official site. “We would never do that. The project is open source and non-commercial,” he said.
According to OX Security, attackers set up bogus GitHub accounts and posted messages inside repositories they controlled, tagging developers to boost visibility. Those posts falsely told recipients they had won $5,000 worth of a supposed token called “CLAW,” which does not exist and is not associated with the project. The messages linked to a cloned site designed to mimic OpenClaw’s official page; that site prompted visitors to connect crypto wallets, a common phishing technique used to harvest credentials or request malicious approvals.
Social media reports show many developers quickly recognized and exposed the campaign as a scam. The incident came after earlier warnings by Steinberger that OpenClaw will never launch a cryptocurrency and that any token claiming his involvement is fraudulent. “I will never do a coin. Any project that lists me as coin owner is a scam,” he posted in January.
OpenClaw, launched in November 2025, is a free, open-source autonomous AI agent that runs locally to manage files, software, and browser tasks through chat platforms like WhatsApp and Telegram. The project drew rapid attention and community growth, reaching more than 465,000 subscribers on X soon after its release. To limit crypto-related confusion and scams, OpenClaw’s team banned Bitcoin and crypto discussions in the official Discord in February.
Cointelegraph and other observers note this episode fits a larger trend of attackers shifting to phishing and approval scams aimed at popular crypto and open-source communities. Users are advised to verify messages independently, avoid connecting wallets to any site that isn’t official, and treat unexpected token offers or wallet connection requests as likely scams.