The Email That Landed in My Inbox
This morning I received an email that perfectly demonstrates how threat actors are evolving their social engineering tactics. As a security professional working with adversarial ML and red team operations, I'm particularly attentive to these campaigns, and this one shows sophisticated targeting of the developer community.
Here's the full, unredacted phishing email I received:
From: GitHub Notifications <notifications@github.com>
Thank you for your contributions on GitHub. We assessed profiles and shortlisted developers to redeem OpenClaw allocation.
Award Details & Redemption Process
Allocation: 5000.11 $CLAW
Status: Wallets are already confirmed
Action: Visit https://share.google/eGzdhAucWKKcwkZi9, register your wallet, and collect your allocation.
Authorized Builders
[...listing real usernames on GitHub...]
Not approved this iteration?
Continue contributing on GitHub - additional airdrops are planned.
Regards
The OpenClaw Team
Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you were mentioned.
----
Why This Campaign Is Dangerous
- Exploitation of Legitimate Infrastructure
The attackers leverage Google Share links (https://share.google/eGzdhAucWKKcwkZi9) as the initial redirect vector. This is a legitimate Google service, which:
• Bypasses email security filters that whitelist Google domains
• Provides SSL/TLS encryption, appearing "secure" to victims
• Redirects to attacker-controlled infrastructure after the initial hop
According to OX Security's analysis of similar campaigns, the final destination is typically a cloned version of openclaw.ai with an injected "Connect your wallet" button designed to trigger wallet drainage.
- Social Engineering Precision
The email uses several psychological triggers:

| Technique | Implementation |
|---|---|
| Authority impersonation | "GitHub Notifications" sender, official-sounding language |
| Social proof | List of "Authorized Builders" (legitimate GitHub usernames) |
| Urgency/FOMO | "Wallets are already confirmed" implies immediate action is needed |
| Reciprocity | "Thank you for your contributions" rewards past behavior |
| Specificity | Precise allocation amount (5000.11) creates false legitimacy |

The mention of "additional airdrops are planned" establishes a long-term engagement loop, encouraging victims to maintain access to compromised wallets for future "rewards."
- Technical Attack Chain
Based on OX Security's analysis of parallel campaigns, the attack flow follows this pattern:
Phishing Email → Google Share Redirect → Fake OpenClaw Site → Wallet Connect Prompt → JavaScript Drainer (eleven.js) → C2 Exfiltration (watery-compost.today) → Fund Transfer
Key technical indicators identified in similar campaigns:
• Malicious domain: token-claw.xyz (and variants)
• C2 server: watery-compost.today
• Wallet drain address: 0x6981E9EA7023a8407E4B08ad97f186A5CBDaFCf5
• Malware family: Crypto drainer with "nuke" function (localStorage wipe for anti-forensics)
• Tracking commands: PromptTx, Approved, Declined (real-time victim action monitoring)
The JavaScript payload is heavily obfuscated and includes a built-in "nuke" function that wipes all wallet-stealing data from browser storage to frustrate incident response.
The OpenClaw Context
This campaign is part of a months-long harassment of the OpenClaw project by cryptocurrency scammers. Peter Steinberger, OpenClaw's creator, has been explicit: "Folks, if you get crypto emails from websites claiming to be associated with openclaw, it's ALWAYS a scam. We would never do that. The project is open source and non-commercial."
Critical facts:
• OpenClaw has never issued a token and never will
• The project is transitioning to a foundation-run open-source model under OpenAI
• Previous attacks included account hijacking, malware distribution, and unauthorized memecoin launches
The attackers likely scraped GitHub star data to identify users who starred OpenClaw-related repositories, making the targeting appear personalized and credible.
Attribution Assessment
While definitive attribution requires forensic artifacts not present in email analysis alone, several TTPs (Tactics, Techniques, and Procedures) align with Lazarus Group (North Korean APT):

| Observed Behavior | Lazarus TTP Match |
|---|---|
| Targeting of developers/crypto users | Historic focus on cryptocurrency exchanges and developers[^18^] |
| Use of legitimate services for redirection | Abuse of Google Drive, GitHub, and cloud platforms for C2 |
| Fast-burn infrastructure | Accounts created days before attack, deleted within hours[^29^] |
| Wallet drainers with anti-forensics | Consistent with DPRK cryptocurrency theft operations |

Alternative hypothesis: Opportunistic cybercriminals copying Lazarus methodologies. Regardless of attribution, the threat is immediate and real.
Mitigation Strategies
For Individual Developers
- Verify token legitimacy
• Check official project channels (Twitter/X, Discord, GitHub Discussions)
• OpenClaw specifically: any crypto email is a scam
- URL analysis
• Never click "Connect Wallet" on sites reached via email/SMS links
• Verify the domain: the legitimate one is openclaw.ai; anything else is suspicious
- Wallet hygiene
• Use burner wallets for any airdrop interactions
• Immediately revoke approvals at revoke.cash (https://revoke.cash) if you connected to a suspicious site
• Monitor for unauthorized transactions
- GitHub security
• Enable 2FA (hardware key preferred)
• Review authorized OAuth applications regularly
• Be suspicious of issue mentions from unknown accounts
For Security Teams
Block indicators:
• Domains: token-claw.xyz, watery-compost.today, share.google with suspicious parameters
• IP ranges associated with known C2 infrastructure
• File hashes: variants of eleven.js
Detection rules:
• Monitor for GitHub API access patterns consistent with star-scraping
• Alert on connections to cryptocurrency drainers from corporate networks
• Behavioral detection: rapid sequential wallet connection attempts
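As an added example (not code from the original post or from OX Security), here is a small Python matcher that applies the indicators listed above to an email body or proxy log: listed domains and the drainer filename are blocked, while the legitimate but abused share.google redirector is only flagged for review. The log line format and the sample lines are constructed.

```python
"""IoC matcher for the OpenClaw airdrop phishing campaign (added example)."""
import re
from typing import Optional
from urllib.parse import urlparse

# Indicators taken from the post. The wallet address is not a network
# observable, so it is not matched here.
IOC_DOMAINS = {"token-claw.xyz", "watery-compost.today"}   # fake site, C2
IOC_FILES = {"eleven.js"}                                   # wallet drainer
REDIRECT_HOSTS = {"share.google"}                           # legitimate, abused

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def classify_url(url: str) -> Optional[str]:
    """Return a verdict for one URL, or None if nothing on the IoC list matches."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    # Match the listed domain and any subdomain, to cover "variants"
    if any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
        return "block:ioc-domain"
    if parts.path.rsplit("/", 1)[-1].lower() in IOC_FILES:
        return "block:ioc-file"
    if host in REDIRECT_HOSTS:
        # Legitimate service: flag for analyst review rather than block outright
        return "review:redirect-service"
    return None


def scan_text(text: str) -> list:
    """Extract every URL from an email body or proxy log and classify it."""
    hits = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,);")          # strip trailing prose punctuation
        verdict = classify_url(url)
        if verdict:
            hits.append((verdict, url))
    return hits


# Constructed sample: the redirect from the phishing email plus proxy entries
# in an assumed "proxy <client> <method> <url> <status>" format.
SAMPLE = """\
Action: Visit https://share.google/eGzdhAucWKKcwkZi9, register your wallet.
proxy 10.0.0.7 GET https://token-claw.xyz/ 200
proxy 10.0.0.7 GET https://watery-compost.today/eleven.js 200
proxy 10.0.0.9 GET https://github.com/notifications 200
"""

if __name__ == "__main__":
    for verdict, url in scan_text(SAMPLE):
        print(f"{verdict:24} {url}")
```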
Conclusion
This campaign represents an evolution in developer-targeted phishing. By combining:
• Legitimate infrastructure abuse (Google Share, GitHub notifications)
• Precision targeting via OSINT (GitHub stars, contribution history)
• Psychological manipulation specific to open-source contributors
...the attackers achieve high click-through rates even among technically sophisticated victims.
The golden rule remains: If it sounds too good to be true (free $5,000 in tokens), it is. Open-source projects don't do cryptocurrency airdrops. Ever.
Stay vigilant, verify through independent channels, and remember that even security professionals can be targeted; this email landed in my inbox, after all.
----
Indicators of Compromise (IoCs)

| Type | Indicator | Notes |
|---|---|---|
| URL | https://share.google/eGzdhAucWKKcwkZi9 | Phishing redirect (observed) |
| Domain | token-claw.xyz | Fake OpenClaw site[^29^] |
| Domain | watery-compost.today | C2 infrastructure[^29^] |
| Wallet | 0x6981E9EA7023a8407E4B08ad97f186A5CBDaFCf5 | Attacker fund receiver[^29^] |
| File | eleven.js | Obfuscated wallet drainer[^29^] |

----
Have you encountered similar phishing campaigns? Share your experiences in the comments; collective intelligence is our best defense against these threats.
----
References:
- BeInCrypto. "OpenClaw Creator Warns of Crypto Phishing Wave." March 19, 2026. https://beincrypto.com/openclaw-creator-warns-of-crypto-phishing-wave/
- Yahoo Tech / Decrypt. "OpenClaw Developers Lured in GitHub Phishing Campaign Targeting Crypto Wallets." March 19, 2026. https://tech.yahoo.com/cybersecurity/articles/openclaw-developers-lured-github-phishing-050725568.html
- [Lazarus Group TTPs - general reference to DPRK cryptocurrency theft operations]