--- title: "OpenClaw Wallet Exploit: Anatomy of a GitHub Airdrop Phishing Attack" date: 2026-03-18T12:00:00.000Z description: "A fake OpenClaw airdrop campaign targets GitHub contributors with a cloned homepage and obfuscated wallet-draining JavaScript. Here's how the attack works and what the malware does." tags: ["security", "crypto", "web3", "phishing", "malware-analysis", "wallet-drainer", "open-source"] tokens: 2064 content-signal: search=yes, ai-input=yes, ai-train=no --- ![Purpose-built hero image for the OpenClaw wallet exploit article, showing the fake airdrop site, a malicious Connect Wallet prompt, and wallet-drainer threat indicators](/images/posts/openclaw-crypto-wallet-exploit/openclaw-wallet-exploit-hero.png) ## TL;DR - Attackers impersonate **OpenClaw** via GitHub Discussion emails, offering 5,000 $CLAW tokens to "verified contributors" - The link directs to **token-claw.xyz**, a pixel-perfect clone of the real OpenClaw homepage - Clicking "Connect Wallet" loads a **10 MB obfuscated JavaScript file** (`eleven.js`) containing wallet-draining malware - The script bundles ethers.js with malicious `approve`, `permit`, and `eth_sign` calls to **silently drain tokens** - Anti-debugging techniques — `debugger` traps, console hijacking, and `setInterval` loops — prevent inspection in Chrome DevTools --- ## The Bait: A GitHub Discussion You Didn't Ask For It starts with a GitHub notification that looks entirely legitimate. A bot account named **ClawsBot-34236** posts a Discussion in `giganodefinish/ClawChain-0499856`, tagging dozens of real GitHub usernames: ![Phishing email from ClawsBot-34236 announcing a 5,000 $CLAW token distribution to GitHub contributors](/images/posts/openclaw-crypto-wallet-exploit/phishing-email.png) The message hits all the right notes for a social engineering attack: - **Urgency**: "Allocation: 5000 $CLAW" — a specific, enticing number - **Authority**: "We evaluated profiles and shortlisted developers to access OpenClaw distribution" - **Pre-approval**: "Wallets are already pre-approved" — reducing friction to act - **Credibility**: Lists 30+ real GitHub usernames as "Verified Contributors" to create social proof The call-to-action links to a Google Sheets URL, which redirects to the attack domain. --- ## The Trap: A Cloned Homepage The redirect lands on **token-claw.xyz** — a near-perfect replica of the real OpenClaw website. Same logo, same tagline ("THE AI THAT ACTUALLY DOES THINGS"), same testimonials carousel, same color scheme (see the hero image at the top of this article). The only meaningful addition is a prominent **"Connect Wallet"** button with a "NEW" badge, positioned as the primary action. Everything else exists to build trust. Clicking that button opens a standard WalletConnect modal listing MetaMask, Trust Wallet, OKX Wallet, and Bybit Wallet — all real wallet providers, rendered using real WalletConnect SDKs: ![Connect Wallet dialog showing WalletConnect, MetaMask, Trust Wallet, OKX Wallet, and Bybit Wallet options](/images/posts/openclaw-crypto-wallet-exploit/connect-wallet-dialog.jpeg) This is where the malware takes over. --- ## The Payload: Deconstructing `eleven.js` Once a wallet connects, the page loads `eleven.js` — a **10.4 MB, 11,859-line** obfuscated JavaScript file. Rather than trying to read it manually (which is exactly what the attacker designed against), I analyzed it programmatically. ### File Profile | Metric | Value | |--------|-------| | File size | 10,457 KB | | Lines of code | 11,859 | | Hex literals | 383,666 | | Obfuscated variable prefixes (`a0*`) | 84 unique | | Switch statements (control flow flattening) | 215 | | Encoding functions (atob, btoa, escape, etc.) | 41 | ### Obfuscation Stack The script uses **JavaScript Obfuscator** with aggressive settings. Four layers of obfuscation make manual analysis impractical: **1. String Array with Rotation** All meaningful strings are extracted into a massive array function (`a0f`) containing thousands of encoded fragments. A decoder function (`a0g`) maps hex offsets to array indices: ```javascript function a0g(a, b) { const c = a0f(); a0g = function(d, e) { d = d - 0xb7; return c[d]; }; return a0g(a, b); } ``` An IIFE then rotates the array at startup, meaning static analysis of the array contents yields gibberish without executing the rotation first. **2. Control Flow Flattening** With 215 switch statements, the script's logical flow is shattered into state machines. Instead of sequential `if/else` blocks, each function's logic is scattered across switch cases that execute in a non-obvious order — determined at runtime by obfuscated state variables. **3. Hex-Encoded Property Access** Every property access and method call is routed through the decoder. Instead of `window.ethereum`, the code reads something like: ```javascript k[a2M(0x35c2a) + '...'] ``` With 383,666 hex literals in the file, reverse-engineering any single function requires decoding hundreds of lookups. **4. Self-Defending Code** The script includes self-defending patterns that detect tampering. If the code's `toString()` representation changes (from beautifying or editing), it alters its behavior — crashing or producing wrong results instead of executing the real payload. ### Anti-Debugging Arsenal The script actively fights inspection: | Technique | Count | Purpose | |-----------|-------|---------| | `debugger` statements | 5 | Pauses execution when DevTools is open | | `setInterval` calls | 4 | Continuous debugger-detection loops | | `console[...]` bracket access | 125 | Hijacks/overrides console methods | | `Function()` constructor | 2 | Dynamic code generation to evade static analysis | The `setInterval`-based debugger detection is particularly nasty — it runs on a timer, repeatedly checking whether DevTools is open by measuring execution time of `debugger` statements. If detection triggers, the script either halts or enters a decoy path. The 125 console bracket accesses suggest the script **overwrites** `console.log`, `console.warn`, and `console.error` with no-ops or redirects, preventing developers from logging what the script does even if they manage to inject monitoring code. ### The Wallet Drainer Here's what the malware is actually built to do. Pattern analysis reveals a comprehensive Web3 attack toolkit: | Pattern | References | Attack Vector | |---------|-----------|---------------| | `wallet` | 356 | Wallet detection and connection | | `connect` | 292 | Automated wallet connection | | `token` | 295 | Token enumeration and targeting | | `chain` | 496 | Multi-chain support | | `network` | 317 | Network switching | | `RPC` | 263 | Direct RPC calls to bypass wallet UI | | `sign` | 174 | Transaction signing | | `transaction` | 145 | Transaction crafting | | `provider` | 124 | Provider injection/hijacking | | `contract` | 75 | Smart contract interaction | | `balance` | 62 | Balance checking | | `abi` | 255 | ABI encoding for contract calls | | `approve` | 22 | Token approval (unlimited spend) | | `permit` | 9 | Gasless approval via EIP-2612 | | `eth_sign` | 4 | Raw message signing | | `WalletConnect` | 9 | WalletConnect protocol | | `MetaMask` | 4 | MetaMask-specific targeting | | `ERC20` | 3 | ERC-20 token standard | | `allowance` | 5 | Approval state checking | | `WebSocket` | 6 | Persistent connections | The decoded string fragments tell the story even more clearly. The code contains references to: - `EIP712Domain`, `verifyingContract`, `signature` — **EIP-712 typed data signing**, used to trick wallets into signing what appears to be a benign message but is actually a token approval - `SigningKey`, `computePublicKey`, `recoverPublicKey` — Key manipulation functions from ethers.js - `defaultAbiCoder`, `TransactionDescription`, `errorSignature` — Full ABI encoding stack for crafting arbitrary contract calls - `getContractAddress`, `stateMutability` — Contract introspection to dynamically target tokens ### Attack Sequence (Reconstructed) Based on the reference patterns, the likely attack flow is: 1. **Connect**: Wallet connects via WalletConnect or MetaMask injection (292 `connect` + 9 `WalletConnect` refs) 2. **Enumerate**: Script queries balances across multiple chains (62 `balance` + 496 `chain` refs) 3. **Approve**: Requests unlimited token approvals via `approve` or gasless `permit` signatures (22 + 9 refs) 4. **Sign**: Uses `eth_sign` or EIP-712 typed data to get the victim to authorize transfers that look like harmless interactions (174 `sign` + 4 `eth_sign` refs) 5. **Drain**: Executes `transferFrom` on approved tokens to the attacker's address (145 `transaction` refs) The `permit` pattern (9 references) is especially dangerous — it allows gasless approvals via EIP-2612, meaning the victim pays no gas for the approval transaction and may not even see a transaction in their wallet history. --- ## Red Flags That Should Have Stopped You If you received this email, here's what should have raised alarms: 1. **The domain**: `token-claw.xyz` is not an official OpenClaw domain 2. **The Discussion repo**: `giganodefinish/ClawChain-0499856` is a throwaway repository with no real code 3. **Google Sheets redirect**: Legitimate token distributions don't route through Google Sheets 4. **"Wallets are already pre-approved"**: No legitimate airdrop pre-approves wallets — this phrase exists purely to reduce skepticism 5. **Mass @-mentions**: Tagging 30+ users in a single Discussion is a shotgun approach, not a targeted distribution 6. **The script size**: A 10 MB JavaScript file for a "Connect Wallet" button is absurd — legitimate dApps load 100-500 KB --- ## How to Protect Yourself **If you connected your wallet:** - **Immediately** revoke all token approvals using [Revoke.cash](https://revoke.cash) or [Etherscan Token Approval Checker](https://etherscan.io/tokenapprovalchecker) - Move remaining funds to a new wallet — the compromised wallet's private key was not exposed, but any signed approvals remain active - Check transaction history for unauthorized `approve` or `permit` calls **Going forward:** - Never connect your wallet to a site from an unsolicited email or GitHub notification - Verify domains independently — type them manually or use official bookmarks - Use a dedicated burner wallet for testing new dApps - Install browser extensions like [Wallet Guard](https://www.walletguard.app/) that warn about known phishing domains - If an airdrop sounds too good to be true, it is --- ## The Bigger Pattern This attack exploits a specific trust chain: GitHub notifications carry implicit authority for developers. We trust them because they come from our professional platform. Attackers weaponize that trust by creating Discussions in obscure repos, tagging real users, and riding GitHub's own email infrastructure to deliver phishing links. The obfuscation level of `eleven.js` — 383,666 hex literals, 215 switch statements, anti-debugger traps — shows this is not amateur work. This is a **professional wallet drainer toolkit** repackaged with an OpenClaw-themed frontend. The Web3 security community has tracked similar drainers across hundreds of phishing campaigns. The defense is boring but effective: verify domains, use burner wallets, and never let urgency override caution. A free airdrop that requires your wallet approval is never free.