Hackers Are Targeting AI Developers With Fake Token Airdrops

Cybersecurity firm OX Security has identified a widespread phishing campaign targeting developers who interact with OpenClaw, an open-source AI agent project with 324,000 GitHub stars, using fake token airdrop offers to drain crypto wallets and steal SSH credentials.

How the Attackers Find Their Targets

According to report by OX, the campaign begins with data collection rather than mass distribution. Attackers use the GitHub API to scrape profiles of developers who have starred or contributed to OpenClaw repositories. That targeting approach means victims are not selected randomly. They are selected because their public GitHub activity confirms they are active in the AI development space and have a demonstrated interest in the specific project being impersonated.

Distribution exploits GitHub’s own notification infrastructure. Attackers create fake GitHub accounts and open issue threads or discussions in repositories they control. They then mass-tag the scraped developer profiles, triggering legitimate notification emails sent from notifications@github.com. Because the sending address is genuine, standard spam filters do not catch them. The email looks exactly like a normal GitHub mention notification.

The bait is a $5,000 CLAW token airdrop presented as a reward for the developer’s contributions to the project.

What Happens When a Developer Clicks

Victims are directed to a cloned version of the official openclaw.ai website, typically hosted on malicious domains such as token-claw[.]xyz. The fake site is visually indistinguishable from the legitimate one. It features a Connect Wallet button. Once a developer connects their wallet, obfuscated JavaScript initiates a draining sequence. The specific file identified by researchers is named eleven.js.

The malware includes a forensic evasion function researchers are calling a nuke command. After the wallet drain completes, the script wipes browser local storage to remove evidence of the attack and complicate post-incident investigation.

The campaign runs a parallel attack vector through the npm package registry. Malicious packages including @openclaw-ai/openclawai are listed as official installers for the project. Developers who install them deploy the GhostLoader trojan, which targets SSH keys and crypto wallet files stored on the local machine. That vector bypasses wallet connection entirely and compromises the developer’s broader credential set.

Why OpenClaw Is the Target

The choice of OpenClaw as the impersonation target is not arbitrary. The project’s rapid growth to 324,000 GitHub stars creates a large, identifiable, and technically sophisticated pool of targets. Developers active in AI agent development are more likely to hold crypto assets and interact with wallet infrastructure than a general software development audience.

The campaign also exploits a credibility gap. OpenClaw is a non-commercial open-source project with no token. Developers unfamiliar with that detail have no immediate reason to doubt a token airdrop framed as a community reward. The $5,000 figure is large enough to motivate action but not so large as to trigger immediate skepticism.

What OpenClaw’s Creator Says

Peter Steinberger, who created OpenClaw, has issued a direct public warning. Any crypto-themed outreach connected to the project is always a scam. Steinberger was explicit that OpenClaw has no token, has no plans for a token, and will never conduct crypto-themed outreach of any kind. The project is non-commercial and open-source by design.

Security researchers recommend that developers immediately block the domain token-claw[.]xyz and treat any unsolicited GitHub mention referencing token allocations or airdrops as fraudulent regardless of how the notification arrives. The legitimate-looking sender address is the specific mechanism making this campaign difficult to filter automatically.

The post Hackers Are Targeting AI Developers With Fake Token Airdrops appeared first on ETHNews.