Overview
- Attackers spun up short‑lived GitHub accounts that opened issues and tagged developers with claims of a $5,000 $CLAW allocation.
- Targets were redirected to a lookalike of openclaw.ai that added a malicious “Connect your wallet” prompt built to steal funds.
- Researchers deobfuscated a script dubbed eleven.js, finding command‑and‑control traffic, user‑action tracking, and a “nuke” routine that wipes traces from local storage.
- OX Security published indicators, including the domains token-claw[.]xyz and watery-compost[.]today, plus a suspected attacker wallet address, while noting no confirmed victims or observed transfers.
- The campaign appears to target users who starred OpenClaw repositories. OX Security urges blocking the flagged domains, treating giveaway issues as suspicious, avoiding unverified wallet connections, and revoking recent approvals.
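
One way to apply the "block the flagged domains" and "treat giveaway issues as suspicious" advice to a repository's issue tracker, as an added example that is not from OX Security or the OpenClaw project. The issue field names, the lure heuristic, the 7-day account-age cutoff and the sample issues are assumptions constructed for illustration; only the two domains and the lure wording come from the overview.

```python
import re
from urllib.parse import urlsplit

# Indicators from the overview, kept defanged as published.
FLAGGED = ["token-claw[.]xyz", "watery-compost[.]today"]
# Lure wording from the overview; using it as a heuristic is an assumption.
LURE = re.compile(r"\$CLAW|\ballocation\b|connect your wallet", re.I)
URL = re.compile(r"https?://[^\s<>()\"']+", re.I)

def refang(text):
    """Undo common defanging so indicators and URLs compare equal."""
    text = re.sub(r"\[\.\]|\(\.\)", ".", text)
    return re.sub(r"hxxp", "http", text, flags=re.I)

BLOCKLIST = {refang(d).lower() for d in FLAGGED}

def hosts_in(text):
    """Hostnames of all URLs in text; urlsplit drops any user@ prefix."""
    hosts = set()
    for url in URL.findall(refang(text)):
        try:
            host = urlsplit(url.rstrip(".,;!?")).hostname
        except ValueError:  # malformed URL, e.g. unbalanced brackets
            continue
        if host:
            hosts.add(host)
    return hosts

def is_flagged(host):
    """Exact or subdomain match only; substring matching would misfire."""
    return any(host == d or host.endswith("." + d) for d in BLOCKLIST)

def triage(issue, new_account_days=7):
    """Reasons to treat an issue as suspicious (empty list means none)."""
    body = issue["body"]
    reasons = [f"flagged domain: {h}" for h in sorted(hosts_in(body)) if is_flagged(h)]
    if LURE.search(body):
        reasons.append("giveaway lure wording")
    if reasons and issue["author_age_days"] < new_account_days:
        reasons.append("new account")
    return reasons

# Constructed sample issues; field names and the 7-day cutoff are assumptions.
SAMPLES = [
    {"author_age_days": 1, "body": "@dev you have a $5,000 $CLAW allocation: hxxps://claim.token-claw[.]xyz/go"},
    {"author_age_days": 400, "body": "Typo in https://openclaw.ai/docs, also https://nottoken-claw.xyz.example.org"},
    {"author_age_days": 2, "body": "Claim here https://openclaw.ai@watery-compost.today/"},
]
```

The third sample shows why the host is parsed rather than substring-matched: the text before `@` is userinfo, so the link resolves to the flagged domain even though it starts with the legitimate one.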