OpenClaw fake $5,000 CLAW airdrop on GitHub is a wallet drainer
A GitHub issue tags you, says you won thousands in CLAW tokens, and links a site that looks like the real project. Connect your wallet and the theft begins.
Is the OpenClaw CLAW token airdrop real?
Bottom line first: it is a wallet drainer. An unsolicited GitHub issue or comment that tags your username and tells you that you won crypto tokens, like "$5,000 in CLAW," then links a site with a "Connect Wallet" button, is a scam. Real projects do not award tokens by tagging you in a GitHub issue, and you never connect your wallet to "claim" a surprise prize. The link leads to a near-clone of the real site that asks you to sign a malicious approval, and that single signature lets the attacker sweep your funds and NFTs. Do not connect. Close the tab and report the repo.
What happened: OpenClaw developers tagged in fake airdrop threads
In June 2026, security firm OX Security reported an active phishing campaign that abuses the name of OpenClaw, a popular open-source project, to run a crypto wallet drainer on GitHub itself. According to that report, the attackers create throwaway GitHub accounts and open issue threads that tag real developers, telling each tagged user they were "selected" to receive roughly $5,000 worth of a token called CLAW. The message points to a website. The website is the trap.
The reporting was picked up by several outlets, including CSO Online, Hackread, and Blockonomi. The core of the story traces to a single primary source, OX Security, so we keep our claims to what that research describes. Per OX Security, the landing page closely mimics the real OpenClaw website but adds a flow to connect major wallets such as MetaMask, WalletConnect, Trust Wallet, OKX, and Bybit. The wallet-stealing logic lived in heavily obfuscated JavaScript inside the repository, and the report noted a "nuke" function designed to erase the theft data and frustrate forensic analysis. OX Security also extracted an attacker wallet address from the code, which at the time of the report showed no transactions, meaning no confirmed victims yet.
That last detail matters. This campaign was caught early, before a clear victim count. That is the best possible moment to teach the pattern, because the pattern, not this one repo, is what will keep showing up. The official project name to verify against is openclaw.ai. Anything that merely contains the word "openclaw" in a longer domain on a free host is a different site wearing the costume.
How a fake airdrop turns into a wallet drainer
The word "airdrop" is doing a lot of quiet work in this scam. A real airdrop is a project distributing tokens to wallets that already qualify, and a legitimate claim never asks you to approve a transaction that lets a stranger move your assets. A drainer airdrop inverts that. The "claim" is the bait, and the dangerous part is the signature you are asked to approve to receive it.
Here is the chain, step by step, in plain language:
- The hook. You get tagged in a GitHub issue, discussion, or comment. The notification email looks legitimate because it genuinely comes from GitHub. The text says you won CLAW tokens and links a claim page.
- The clone. The page looks like the real OpenClaw site. Same logo, same colors, maybe a countdown. It shows a single inviting button: Connect Wallet.
- The connection. You connect MetaMask or another wallet. Connecting alone usually just shares your public address. No money has moved yet. This is the moment people relax, and that is the trap.
- The malicious signature. The page then prompts you to "claim" by signing something. Behind that friendly button is one of a few well-known dangerous actions: an approve or setApprovalForAll that grants the attacker's contract permission to move your tokens or NFTs, a Permit2 or permit signature that does the same thing off-chain, or a transaction that directly sends your assets out.
- The sweep. Once you approve, an automated drainer moves the highest-value assets out of your wallet, often within seconds, sometimes to a chain of relay wallets.
The cruel part is that the victim does the damaging act themselves. There is no malware breaking in. You held the pen and signed. That is why the framing is built to lower your guard: a prize you "won," a brand you trust, a platform (GitHub) that feels safe. We break down the full mechanic in our guide to crypto wallet drainers, and the same approve-and-sweep pattern drove the fake Jupiter cJUP airdrop and the Hyperliquid eligibility airdrop scam.
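To make the signature step concrete, the following added example (not code from OX Security, SafeBrowz, or the OpenClaw project) decodes what a wallet prompt would authorize, covering both transaction calldata and EIP-712 typed-data requests. The function names, result fields, and sample spender are assumptions made for illustration, and the approve branch assumes an ERC-20 target.

```javascript
// Added example: decode what a "claim" prompt would actually authorize.
// Selectors are the first 4 bytes of keccak256 of each standard signature.
const SELECTORS = {
  "0x095ea7b3": "approve",           // approve(address,uint256)
  "0xa22cb465": "setApprovalForAll", // setApprovalForAll(address,bool)
  "0xd505accf": "permit",            // ERC-2612 permit(owner,spender,value,deadline,v,r,s)
  "0xa9059cbb": "transfer",          // transfer(address,uint256)
  "0x23b872dd": "transferFrom",      // transferFrom(address,address,uint256)
};
const MAX_UINT256 = (1n << 256n) - 1n;
// EIP-712 primaryType values used by ERC-2612 and Uniswap Permit2 messages.
const PERMIT_TYPES = ["Permit", "PermitSingle", "PermitBatch",
                      "PermitTransferFrom", "PermitBatchTransferFrom"];
// i-th 32-byte ABI word after the 4-byte selector.
const wordHex = (data, i) => data.slice(10 + 64 * i, 74 + 64 * i);
const wordInt = (data, i) => BigInt("0x" + wordHex(data, i));
const wordAddr = (data, i) => "0x" + wordHex(data, i).slice(24);

// Classify transaction calldata (the `data` field of eth_sendTransaction).
function triageCalldata(calldata) {
  const data = String(calldata).toLowerCase();
  if (!/^0x([0-9a-f]{2})*$/.test(data)) return { kind: "malformed", grants: false };
  const kind = SELECTORS[data.slice(0, 10)];
  if (!kind) return { kind: "unknown", grants: false };
  if (data.length < 10 + 64 * 2) return { kind: "malformed", grants: false };
  switch (kind) {
    case "approve": { // assumes ERC-20; ERC-721 reuses this selector with a token id
      const amount = wordInt(data, 1);
      return { kind, grants: amount > 0n, spender: wordAddr(data, 0),
               detail: amount === MAX_UINT256 ? "unlimited allowance"
                     : amount === 0n ? "allowance set to zero (revoke)" : `allowance ${amount}` };
    }
    case "setApprovalForAll": {
      const on = wordInt(data, 1) !== 0n;
      return { kind, grants: on, spender: wordAddr(data, 0),
               detail: on ? "operator over every token in the collection" : "operator removed" };
    }
    case "permit": // second argument is the spender
      return { kind, grants: true, spender: wordAddr(data, 1),
               detail: "signed allowance submitted on-chain" };
    default: // transfer / transferFrom move assets directly
      return { kind, grants: false, moves: true, detail: "direct asset transfer" };
  }
}

// Classify an eth_signTypedData_v4 payload: off-chain permits are signed
// without sending a transaction, but grant the same spending power.
function triageTypedData(typed) {
  const type = typed && typed.primaryType;
  if (!PERMIT_TYPES.includes(type)) return { kind: "other", grants: false };
  return { kind: type, grants: true, spender: typed.message && typed.message.spender };
}

// Constructed samples (placeholder spender, not a real address).
const pad32 = (hex) => hex.replace(/^0x/, "").padStart(64, "0");
const SAMPLE_SPENDER = "0x" + "11".repeat(20);
const SAMPLE_APPROVE_MAX = "0x095ea7b3" + pad32(SAMPLE_SPENDER) + "f".repeat(64);
const SAMPLE_APPROVE_ALL = "0xa22cb465" + pad32(SAMPLE_SPENDER) + pad32("0x1");
```

A result with grants set to true, on a page reached from an unsolicited claim link, is exactly the approval this section says to refuse.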
What the scam links look like (illustrative)
The destination behind one of these GitHub tags is almost never the real domain. It is a lookalike built to read as "OpenClaw" at a glance, usually parked on a free hosting platform so it costs the attacker nothing and can be replaced the moment one URL is reported. The examples below are illustrative. The real project is openclaw.ai; the two hostnames below are the kind of free-host clone-and-claim pages SafeBrowz flags.
- openclaw-airdrop-claim.vercel.app
- claim-openclaw-token.pages.dev
Notice the shape. The brand name appears, but it sits on a free subdomain (.vercel.app, .pages.dev, .netlify.app, .github.io) where anyone can publish a page for free in minutes. A free-host root is not a project domain, and a brand name glued in front of a free-host suffix is the opposite of reassuring. The real OpenClaw site lives at its own registered domain, openclaw.ai, not on a giveaway subdomain with the words "claim" or "airdrop" stapled on.
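The shape described above can be checked mechanically. This added example (not SafeBrowz's engine and not code from the original report) triages a pasted link by hostname structure alone; the function name, verdict labels, and lists are assumptions for illustration, holding only the domain, suffixes, and bait words named in this article.

```javascript
// Added example: structural triage of a claim link's hostname.
// The lists hold only what this article names; they are not a complete blocklist.
const OFFICIAL_DOMAIN = "openclaw.ai";
const BRAND = "openclaw";
const FREE_HOST_SUFFIXES = ["vercel.app", "pages.dev", "netlify.app", "github.io"];
const BAIT_WORDS = ["claim", "airdrop"];

function triageClaimLink(rawLink) {
  const link = String(rawLink).trim();
  let url;
  try {
    // Bare hostnames (as pasted from a message) get a scheme so they parse.
    url = new URL(/^[a-z][a-z0-9+.-]*:\/\//i.test(link) ? link : "https://" + link);
  } catch {
    return { verdict: "invalid", reasons: ["not a parseable URL"] };
  }
  // URL parsing lowercases the host, converts IDNs to punycode, and separates
  // userinfo, so "https://openclaw.ai@other.example/" yields other.example.
  const host = url.hostname.replace(/\.$/, "");
  // Match on a label boundary: "openclaw.ai.example.net" must not pass.
  if (host === OFFICIAL_DOMAIN || host.endsWith("." + OFFICIAL_DOMAIN)) {
    return { verdict: "official-domain", host, reasons: [] };
  }
  const reasons = [];
  const freeHost = FREE_HOST_SUFFIXES.find((s) => host === s || host.endsWith("." + s));
  const brandOnHost = host.includes(BRAND);
  const bait = BAIT_WORDS.filter((w) => host.includes(w));
  if (freeHost) reasons.push("free-host subdomain: " + freeHost);
  if (brandOnHost) reasons.push("brand name on a non-official host");
  if (bait.length) reasons.push("bait words in hostname: " + bait.join(", "));
  if (url.username) reasons.push("userinfo before the real host");
  if (host.split(".").some((l) => l.startsWith("xn--"))) reasons.push("punycode label");

  let verdict = "unknown";
  if (reasons.length) verdict = "caution";
  if (brandOnHost && (freeHost || bait.length)) verdict = "likely-impersonation";
  return { verdict, host, reasons };
}
```

An "official-domain" verdict only confirms the hostname; it says nothing about what the page asks you to sign.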
Paste the link from a GitHub "you won tokens" message here
Got tagged in an issue claiming you won an airdrop? Paste the claim link below before you connect anything. Our 3-layer engine (Local + APIs + AI) returns a verdict in about 3 seconds. Free, no signup.
Red flags that give it away every time
You do not need to know anything about OpenClaw or CLAW to spot this. The tells are structural, and they apply to every fake-airdrop drainer regardless of the brand on the message.
- You were tagged out of nowhere. A real project does not award you tokens by mentioning your username in a random GitHub issue. Notifications from GitHub are real, but anyone can open an issue and tag anyone. The platform being legitimate does not make the message legitimate.
- There is a surprise prize. "You were selected." "You won $5,000 in CLAW." You did not enter anything. Unsolicited winnings are the oldest bait there is, now wearing a crypto costume.
- The link is a connect-wallet claim page. The entire purpose of the page is to get your wallet connected and then get one signature out of you. A legitimate token distribution does not work this way.
- The domain is a free-host clone. The real project has its own domain. The claim page sits on .vercel.app, .pages.dev, .netlify.app, or .github.io, often with "claim" or "airdrop" in the name. A free subdomain is not a brand's official site.
- It pushes urgency. A countdown, a "claim within 24 hours," a "limited allocation." Urgency exists to stop you from checking the official channel.
- You are asked to sign or approve something to "claim." This is the actual attack. Receiving real tokens never requires you to approve a transaction that grants spending permission over your assets. If a claim asks you to sign an approval, stop.
- The wallet picker is suspiciously broad. A genuine project dApp integrates the wallets it supports. A drainer offers everything (MetaMask, WalletConnect, Trust, OKX, Bybit) because it wants whatever you happen to be holding.
- No official channel confirms it. Nothing on the project's real site, verified social account, or documentation mentions the airdrop. If only a tagged GitHub issue knows about your prize, there is no prize.
What SafeBrowz sees on the network
When the SafeBrowz engine looks at one of these OpenClaw claim pages, the attack reads cleanly across all three detection layers, and most of it can be caught before a single line of the page's text is even trusted.
First, the host. The destination is almost always a free-hosting subdomain. SafeBrowz treats a free-host subdomain as not-safe-by-default, because .vercel.app, .pages.dev, and similar roots host arbitrary user content. A brand name like "openclaw" sitting in front of a free-host suffix does not inherit the real project's trust. Layer 1 flags this content-free, before the page renders, which is exactly why our scan of openclaw-airdrop-claim.vercel.app returns caution rather than a fake "safe."
Second, the behavior signals. A drainer page has a distinctive fingerprint: a wallet-connect modal wired to a broad set of providers, a "claim" or "airdrop" call to action, and JavaScript that requests an approval or signature the moment a wallet connects. SafeBrowz watches for connect-wallet plus drainer-signature patterns (the approve, setApprovalForAll, and permit family) as a content-free behavioral signal, so a brand-new clone with no reputation history still trips the wire.
Third, the impersonation itself. When Layer 3 AI deep scan reads the page, a near-clone of openclaw.ai served from a non-official free host, headlined with a token claim and a connect-wallet button, is a textbook brand-impersonation profile. Content analysis catches the lookalike even when the domain is hours old and absent from every blocklist on earth. The combination, young free host plus connect-wallet plus impersonated brand, is the kind of profile that does not survive three layers.
Which dev and crypto brands get cloned next
The GitHub-tag delivery vector is the genuinely new part here, and it is portable. Tagging a developer in an issue is free, reaches a high-value technical audience, and arrives through a platform people trust by reflex. Based on the same logic, the believable next pivots are predictable.
- Any trending open-source AI or crypto repo. The bigger and faster a project grows, the better the bait. Expect the same "you were selected for the [project] airdrop" tag aimed at contributors and stargazers of whatever is hot that week.
- Wallet and infrastructure brands. MetaMask, Phantom, Trust Wallet, WalletConnect, Ledger. A "claim your loyalty airdrop" page wearing a wallet's own brand is especially persuasive to crypto-native developers.
- L2 and DEX tokens with real or rumored airdrops. The same crowd burned by the fake Uniswap Google Ads drainer and the XRP Xaman wallet drainer is the target. Real airdrop speculation gives the fake one cover.
- Beyond GitHub: GitLab issues, npm package READMEs, Discord and Telegram dev channels. Anywhere a developer can be mentioned or a "claim" link can be dropped is fair game. The Telegram admin DM scam is the same idea in a different room.
The defense does not change brand to brand or platform to platform. The message is interchangeable. The structure, a surprise airdrop linking a connect-wallet clone that asks for an approval, is not. That is why a structural defense beats a per-brand block list.
Why browser-side detection beats email and platform filtering alone
GitHub can suspend a malicious account and take down a repo, and it does. But the attacker spins up the next throwaway account in minutes, and the notification that reaches you, the email that says someone mentioned you in an issue, is a real GitHub email about a real event. A spam filter cannot reliably block it without blocking legitimate mentions, because the message itself is genuine GitHub traffic. The malicious part is not the notification. It is the destination.
That destination is the constant. To steal anything, the scam has to land you on a page that impersonates the project and coaxes one signature out of you. That page is where the theft is actually committed, and that page is what a browser-layer scanner inspects directly. When you click the claim link, a browser extension can recognize that the page is a brand impersonation on a free host wired with drainer signals, and warn you before the wallet modal ever appears, regardless of which GitHub account, GitLab issue, or Discord message delivered the link. Platform moderation and the browser layer are complementary, but the browser layer is the one standing at the exact spot where the signature is taken.
How SafeBrowz blocks this threat
SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.
- Layer 1 - Local detection: 60+ URL patterns + 550+ brand-specific signatures (including Cyrillic and Punycode homograph variants) + community whitelist/blacklist, all running directly in the extension before the page renders. It flags free-hosting subdomains as not-safe-by-default, catches "claim/airdrop" lookalike patterns, and reads connect-wallet plus drainer-signature behavior (the approve, setApprovalForAll, and permit family) as a content-free signal.
- Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus, and ScamAdviser, plus domain-age lookup (drainer clones are typically hours to days old) and 30+ scam TLDs.
- Layer 3 - AI deep scan: content-aware brand-impersonation analysis in 100+ languages catches a brand-new clone of openclaw.ai that no blocklist has seen yet, including the connect-wallet claim variant.
Detection signatures are derived from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.
For people who do not want to install anything, the same engine powers the free public URL checker. Paste any claim link before you connect a wallet and get a verdict in seconds.
What to do right now
If a GitHub tag (or any message) just told you that you won an airdrop, here is the whole correct response.
- Do not connect your wallet to claim a surprise airdrop. This is the one rule that ends the attack. A claim that asks you to connect and then sign an approval is a drainer, every time.
- Verify on the official channel, not the message. Open the project's real site yourself by typing the address, check its verified social account and documentation. If the airdrop is real, the official channel says so. If only a tagged issue knows about your prize, there is no prize.
- Report the GitHub repo and account. Use the report option on the issue or repository on github.com so the account and content get reviewed and removed. This protects the next developer who gets tagged.
- Run the link through a scanner first. Paste the claim URL into the checker above or the free public URL checker before you ever open it in a wallet-connected browser.
If you already connected your wallet but signed nothing, you are most likely fine: connecting alone usually only shares your public address. Disconnect the site from your wallet and move on. If you signed or approved anything, treat your wallet as compromised and act fast:
- Revoke the approval immediately. Go to revoke.cash, connect the affected wallet, and revoke any approval you do not recognize, especially recent setApprovalForAll and Permit2 grants. Revoking cancels the permission the drainer relies on.
- Move your remaining funds to a fresh wallet. Create a brand-new wallet with a new seed phrase and transfer out anything the drainer has not already taken. Do not keep using the compromised wallet, even after revoking, because other approvals may still exist.
- Check what moved on a block explorer. Use etherscan.io (or the explorer for your chain) to see exactly which approvals and transfers happened, so you know what was lost and what is still at risk.
- Report it. File with the FBI's Internet Crime Complaint Center at ic3.gov and with the FTC at reportfraud.ftc.gov, including the wallet addresses, the claim URL, and the GitHub repo link. Report the scam on the project's official channel too, so they can warn their community.
If you exposed your seed phrase rather than just signing a transaction, that is a more severe compromise. Our stolen seed phrase recovery guide covers that worst case in detail, and the wallet drainer guide explains why a revoke alone is not enough once a seed is out.
Frequently asked questions
Is the OpenClaw CLAW token airdrop on GitHub real?
No. Security firm OX Security reported in June 2026 that attackers were tagging developers in GitHub issues claiming they had won roughly $5,000 in CLAW tokens, linking a near-clone of the real OpenClaw site that asks you to connect your wallet. It is a wallet drainer. Real projects do not award tokens by tagging you in a GitHub issue, and a legitimate claim never requires approving a transaction that lets someone move your assets.
I got tagged in a GitHub issue saying I won tokens. What should I do?
Do not click the claim link with a wallet-connected browser, and do not connect your wallet. Verify on the project's official site and verified social channel. If nothing official mentions the airdrop, it is a scam. Report the issue and the account on github.com so it gets removed, and run the link through a scanner before opening it.
Does connecting my wallet to a fake airdrop site steal my crypto?
Connecting alone usually only shares your public wallet address and does not move funds. The theft happens at the next step, when the page asks you to sign or approve a transaction to "claim." That signature can be an approval (approve, setApprovalForAll, or Permit2) that grants the attacker permission to move your tokens or NFTs. If you only connected and signed nothing, disconnect the site. If you signed, revoke the approval at revoke.cash and move funds to a fresh wallet.
What does a malicious connect-wallet signature actually do?
A drainer disguises a dangerous action behind a friendly "claim" button. The common ones are an approve or setApprovalForAll that lets the attacker's contract move your tokens or NFTs, a Permit2 or permit signature that grants the same permission off-chain, or a transaction that directly sends your assets out. Once you approve, an automated drainer sweeps the highest-value assets, often within seconds.
How do I know if a crypto airdrop is legitimate?
Confirm it on the project's official, verified channels by navigating there yourself, never through a link in an unsolicited message. A real airdrop does not arrive as a surprise GitHub tag, does not require you to approve spending permission over your wallet, and is not hosted on a free subdomain like a vercel.app or pages.dev address. If a claim page asks you to sign an approval to receive tokens, it is a drainer.
I already connected my wallet to the fake OpenClaw page. Am I drained?
Not necessarily. If you connected but did not sign or approve anything, your funds are most likely safe; just disconnect the site. If you signed a transaction or approval, treat the wallet as compromised: go to revoke.cash and revoke any approval you do not recognize, move remaining funds to a brand-new wallet with a new seed phrase, check what moved on etherscan.io, and report it at ic3.gov.
Why would attackers target developers on GitHub instead of regular users?
Developers are more likely to hold crypto, run multiple wallets, and trust a GitHub notification by reflex. Tagging someone in an issue is free, reaches a technical audience, and arrives through a platform people trust. OX Security's report describes exactly this: throwaway accounts opening issue threads that tag real developers with a fake token reward.
How do I report the OpenClaw airdrop scam?
Report the repository and the account directly on github.com using the report option on the issue or repo. File a complaint with the FBI's Internet Crime Complaint Center at ic3.gov and with the FTC at reportfraud.ftc.gov, including the wallet addresses, the claim URL, and the GitHub link. Warn the project on its official channel so the real team can alert its community.