Cybersecurity firms have warned of two separate, sophisticated phishing campaigns targeting users of two popular crypto-related platforms, Pudgy Penguins and OpenClaw. Both attacks impersonate legitimate services to steal cryptocurrency wallet passwords and drain funds.
Malwarebytes Labs reported on Tuesday that a fake website, pudgypengu-gamegifts[.]live, is impersonating the newly launched Pudgy World browser game. The phishing site uses highly convincing replicas of crypto wallet interfaces to deceive users. "When a visitor selects their wallet on this fake site, it shows what appears to be that wallet’s own unlock screen. To the user, it looks for all the world like the real crypto wallet software they already trust," explained Stefan Dasic, senior malware research engineer at Malwarebytes.
The campaign is timed to coincide with the launch of Pudgy World on March 10, 2026, capitalizing on an influx of new users. Dasic noted the attack is comprehensive, targeting users of Ethereum, Solana, and multi-chain wallets with 11 different wallet-specific forgeries. This suggests a "well-resourced threat actor" or the use of a commercial phishing kit.
Separately, security platform OX Security detailed an active phishing campaign targeting developers of the AI agent framework OpenClaw. Attackers created fake GitHub accounts last week, opening issue threads and tagging developers. The scam claims recipients have won $5,000 worth of $CLAW tokens and directs them to a cloned version of the official openclaw.ai site, which includes a malicious "Connect your wallet" button.
OX Security's analysis found the wallet-stealing code buried inside a heavily obfuscated JavaScript file called "eleven.js." The malware includes a "nuke" function to wipe forensic data and relays encoded user data—including wallet addresses and transaction details—to a command-and-control (C2) server. Researchers identified one crypto wallet address believed to belong to the threat actor: 0x6981E9EA7023a8407E4B08ad97f186A5CBDaFCf5.
These incidents highlight the persistent threat of phishing in the crypto space. According to the FBI’s Internet Crime Complaint Center (IC3), phishing and spoofing scams accounted for 193,407 complaints in 2024, with reported losses exceeding $70 million. Both security firms advise users to access official sites only through trusted bookmarks, avoid clicking links from unsolicited messages, and immediately revoke wallet approvals if they suspect compromise.