An attacker drained approximately 3 billion DRB tokens worth $150,000 to $174,000 from Grok's official Base-chain wallet on May 4 by gifting the AI agent a membership NFT that unlocked financial tool access, then embedding a transfer instruction in disguised Morse code that Grok decoded and executed, in what is now the second successful prompt injection attack against the same wallet in fourteen months.
The mechanics of this attack are specific and worth understanding precisely because they illustrate something most AI product teams are not building for. Grok maintains an active wallet on the Base blockchain. The wallet holds tokens that users and projects deposit as part of various social finance experiments running on X. Bankrbot, a platform that enables AI agents to execute on-chain transactions through a tool-calling interface, had previously blocked all direct requests from Grok after a March 2025 exploit drained roughly $330,000 in tokens from the same wallet. That restriction was the safety measure. The attacker found the gap in it: Bankrbot Club membership NFTs grant their holders direct access to the tool-calling suite, including swap and transfer capabilities. The attacker gifted one of those NFTs to Grok's wallet. Because the NFT sat in Grok's wallet, Grok now had a different path to the same tools that the direct-request restriction was designed to block. The prior safeguard was bypassed not by breaking it but by going around it.
The prompt itself was elegant in a deeply unwelcome way. The attacker used Python-style string concatenation to obscure the instruction, assembling characters that resolved to a simple command: send 3 billion DRB to a specified address. Grok decoded the Morse code embedded in the instruction, interpreted it as a valid request from within its operating context, and executed the transfer. On-chain records show the tokens moved from Grok's wallet to address 0xe8e4...686b at approximately 06:49 UTC, then immediately to a second address. The attacker had prepared receiving wallets in advance, and their transaction history included deployment of anti-Bankrbot tokens, suggesting the attack was targeted rather than opportunistic. Bankrbot published a technical breakdown within hours confirming both the prompt injection vector and the membership bypass mechanism. xAI and Grok have not, as of publication, acknowledged the incident or described remediation steps.
This is the second time the same attack surface has been successfully exploited. That fact deserves more attention than the dollar amount involved. After the March 2025 attack, the direct-request restriction was added as a specific countermeasure. Fourteen months later, an attacker found a one-hop bypass using the existing NFT permissions system. The response to the first attack created a new attack surface by failing to consider how the tool-calling architecture could be reconstituted through indirect means. This is a known pattern in security engineering, where patching one vector without auditing the full permission graph leaves adjacent paths open. It is a difficult pattern to close in static software. In systems where an AI agent interprets natural language instructions from an open environment, evaluates context dynamically, and executes actions against financial infrastructure, the attack surface is not fixed. It evolves with every new feature, every new tool integration, and every new way users and attackers find to interact with the system.
The prompt injection problem is not new in AI security research. It has been documented for large language models since early demonstrations showed that embedding instructions in documents, images, or external data sources could override system prompts and redirect model behaviour. What makes the Grok wallet case more serious than a typical jailbreak is what the model can do when it follows the injected instruction. A model that can be prompted to produce offensive text is an embarrassment to its operator. A model that can be prompted to execute a $174,000 transfer is a financial incident. The severity of prompt injection as a security category scales directly with the authority the model has been granted. Giving an AI agent access to wallet tools, API keys, payment rails, or any form of real-world execution capability without hardening the instruction pipeline against injection is not a calculated risk. It is an oversight that attackers will find.
The broader pattern across crypto and AI product development is where this story becomes a concern beyond the specific incident. Projects are shipping AI-integrated features at a pace that consistently outstrips the security and permissioning infrastructure required to make those features safe at scale. The Grok wallet exists as part of a social finance ecosystem on X that evolved organically from AI agent experiments, not from a designed financial product specification with security review at every layer. Bankrbot's tool-calling suite was built for an environment where AI agents with wallet access were a novel capability, not an obvious attack target. The NFT membership system that created the bypass was presumably designed for access control in a different threat model. No single design decision in this stack was obviously wrong in isolation. Together, they created conditions where a Morse code message in a social media post could move $174,000.
The community recovery of most of the drained funds, reported in some posts about the incident, should not be taken as evidence that the system worked. It is evidence that the community responded after the failure. Recovery of assets in on-chain exploits depends on the attacker making identifiable errors, the assets not yet being bridged to a different chain or mixed through a tumbler, and community coordination happening faster than the attacker's extraction timeline. None of those conditions are guaranteed. In a more sophisticated attack against a higher-value target, they would not hold. The Grok wallet incident is a demonstration of a vulnerability class, not a proof that AI agent security is adequate because funds were eventually returned. The same attack technique against a more valuable wallet, a faster attacker, and assets routed through a mixer would have a different conclusion. The lesson is in the mechanism, not the outcome.
Also read: Anthropic Is Handing Wall Street the Keys to Its Enterprise Distribution and That Changes the AI Services Landscape • Japan's $2,000 cardboard drones are not a novelty and the defense startup implications are more serious than the material suggests • The Harvard emergency room AI study is most useful not as proof that machines outdiagnose doctors but as a map of where clinical AI products should actually be built
