As open-source AI agent project OpenClaw has surpassed 320,000 stars on GitHub and risen to the top ten repositories worldwide, hackers are eyeing this lucrative target. Security firm OX Security has reported recent large-scale phishing campaigns targeting developers, where hackers use GitHub’s tagging feature to spread false messages about “claiming $5,000 CLAW tokens,” tricking users into clicking links and draining their crypto wallets.
(Background: Full transcript of Jensen Huang’s GTC 2026 speech: AI demand reaches trillions of dollars, computing power jumps 350 times, OpenClaw turns every company into AaaS)
(Additional context: China’s Ministry of State Security warns of “Lobster Farming”: OpenClaw contains four major security mines, your device could be compromised)
Table of Contents
Toggle
- GitHub “Tagging” Feature Hijacked by Malicious Actors
- “Pixel-perfect” Website Cloning Hidden Wallet Drainers
- Founder Urgently Clarifies: No Token Promotions for OpenClaw
- Multiple Attack Vectors: Fake Installers and Malicious Plugins
Amid the wave of AI Agents, popular open-source projects are becoming new battlegrounds for targeted hacker attacks. According to a security alert issued by OX Security on March 18, a “wallet draining” operation targeting OpenClaw supporters is currently underway.
GitHub “Tagging” Feature Hijacked by Malicious Actors
This attack has caught many veteran developers off guard due to its use of “living-off-the-land” social engineering tactics. Hackers leverage the GitHub API to filter high-value targets who have starred (liked) the OpenClaw project, then open discussion threads in malicious repositories and simultaneously tag dozens of developers.
Since these notifications come from GitHub’s official email address ([email protected]), they are highly convincing. The attackers claim that the recipient has been selected to receive a $5,000 “CLAW” token reward, luring victims to phishing sites.
“Pixel-perfect” Website Cloning Hidden Wallet Drainers
According to OX Security’s technical analysis, hackers have set up malicious domains like token-claw[.]xyz, which nearly perfectly replicate the official OpenClaw website (openclaw.ai). However, these phishing sites include a critical “Connect your wallet” button.
Once clicked, a hidden “Wallet Drainer” script activates, supporting popular wallets like MetaMask and WalletConnect. The obfuscation script eleven.js communicates with the C2 server watery-compost[.]today, and after user authorization, instantly transfers all assets from the account.
Founder Urgently Clarifies: No Token Promotions for OpenClaw
In response to this aggressive attack, OpenClaw founder Peter Steinberger issued a stern warning on X (formerly Twitter):
“Everyone, if you receive emails or visit websites claiming to be related to OpenClaw and offering tokens, it’s definitely a scam. OpenClaw is a non-profit project, and we will never run such promotions.”
Folks, if you get crypto emails from websites claiming to be associated with openclaw, it’s ALWAYS a scam.
We would never do that. The project is open source and non-commercial. Use the official website. Be sceptical of folks trying to build commercial wrappers on top of it.
— Peter Steinberger 🦞 (@steipete) March 18, 2026
Multiple Attack Vectors: Fake Installers and Malicious Plugins
In fact, the security threat to OpenClaw extends beyond this. Earlier this month, cybersecurity researchers uncovered additional risks:
- Fake Installers: Malicious repositories leverage Bing AI search result rankings to distribute fake OpenClaw installers embedded with Vidar info-stealing trojans.
- NPM Supply Chain Attacks: Hackers released malicious packages like @openclaw-ai/openclawai, which deploy GhostLoader remote access trojans upon installation.
- ClawHub Malicious Plugins: In the “Skills” store designed for OpenClaw, up to 12% of plugins were found to contain AMOS info-stealing malware.
Currently, OpenClaw ranks ninth globally in popularity on GitHub. Security experts urge all developers to avoid testing unknown AI plugins on machines containing enterprise credentials or large digital asset stores, and to reject any “blind signature” authorization requests.
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
Related Articles
Litecoin Sees First Privacy Layer Hack: MWEB Zero-Day Vulnerability Triggered 13-Block Reorganization
According to The Block, the Litecoin Foundation confirmed that the MWEB privacy layer suffered a zero-day vulnerability. The attacker used older nodes to make forged MWEB transactions appear valid, causing a rollback of 13 blocks on the main chain (about 3 hours), and performing double-spends against cross-chain exchanges; NEAR Intents exposed about $600k, and the mining pool was also hit with a DoS. A patched version has been released—please upgrade immediately. Main-chain balances are not affected, but it highlights the trade-off between reducing observability and increasing detection difficulty for the privacy layer.
ChainNewsAbmedia20m ago
Aave, Kelp, LayerZero Seek $71M Frozen ETH Release from Arbitrum DAO
Aave Labs, Kelp DAO, LayerZero, EtherFi, and Compound filed a Constitutional AIP on the Arbitrum forum Saturday morning requesting the network's DAO release approximately $71 million in frozen ETH to support rsETH recovery efforts following last week's $292 million Kelp DAO exploit. The proposal
CryptoFrontier1h ago
Litecoin Suffers Deep Chain Reorganization After MWEB Zero-Day Exploit, Erasing Three Hours of History
Gate News message, April 26 — Litecoin experienced a deep chain reorganization (reorg) on Saturday after attackers exploited a zero-day vulnerability in its MimbleWimble Extension Block (MWEB) privacy layer, according to the Litecoin Foundation. The bug allowed mining nodes running older software to
GateNews7h ago
Apecoin Insider Turns $174K Into $2.45M in One Day With 14x Trade on Both Sides of 80% Surge
An anonymous wallet with no prior trading history turned $174,000 worth of ether into $2.45 million by trading Apecoin on both sides of an 80% price surge in a single day.
Key Takeaways:
Wallet 0x0b8a converted $174,000 in ETH into a leveraged Apecoin long, exiting near the top for a $1.79M
Coinpedia7h ago
Hong Kong Police Dismantle Cross-Border Fraud Ring Targeting Overseas Students, Seizing HK$5M in Assets
Gate News message, April 26 — Hong Kong police have dismantled a cross-border fraud ring that targeted overseas Chinese students studying abroad, according to local media. The syndicate impersonated law enforcement officials and coerced victims into traveling to Hong Kong to purchase gold bars as "c
GateNews7h ago
Litecoin Reorg Undoes MWEB Privacy Layer Exploit
Litecoin underwent a deep chain reorganization on Saturday after attackers exploited a zero-day vulnerability in its MimbleWimble Extension Block (MWEB) privacy layer, according to the Litecoin Foundation. The incident resulted in a three-hour reorg that erased invalid transactions from the
CryptoFrontier13h ago
