Crypto has seen every kind of theft: stolen private keys, phishing sites, smart-contract exploits, bridge hacks. But in May 2026, an attacker pulled off a robbery that fit none of those categories. There was no broken code and no stolen key. The attacker simply asked an AI to translate a message written in Morse code, and the AI, trying to be helpful, sent them roughly $174,000.
The target was a crypto wallet linked to Grok, the AI chatbot built by Elon Musk’s xAI. The wallet was connected through a trading agent called Bankr, which automatically creates a linked crypto wallet for every account it interacts with on X, including Grok’s. Whoever could influence Grok’s activity on X could, in effect, control that wallet. xAI held no keys and no admin access. The connection was purely through Grok’s public posts.
On May 4, an attacker exploited that setup to make Grok issue a financial command it was never meant to give. The result: 3 billion DRB tokens, a memecoin called DebtReliefBot, worth around $174,000 at the time, transferred to the attacker’s wallet on the Base network and immediately sold. It’s a small sum by crypto-heist standards. But the method is what matters, because it demonstrates an entirely new class of attack that will only grow as AI agents gain control over real money.
How the Attack Worked
The exploit unfolded in two clever stages, and understanding both is key to seeing why it succeeded.
The first stage was privilege escalation. Before an attacker can make an AI move money, the AI needs permission to move money in the first place. The attacker handled this by sending Grok’s wallet a “Bankr Club Membership NFT.” Within Bankr’s system, holding that NFT functioned as a permission-granting object, unlocking elevated privileges that let the associated agent bypass standard transfer limits and execute swaps and transfers. In one quiet step, Grok’s wallet went from restricted to fully capable of moving funds.
The second stage was the instruction injection, and this is the part that reads like a magic trick. The attacker posted a public reply to Grok on X asking it to translate a message written in Morse code, those familiar dots and dashes. To Grok’s safety systems, this looked completely harmless. It was just a translation request, exactly the kind of helpful task the AI was built for. So Grok dutifully decoded it.
Hidden inside the Morse code was a command: send 3 billion DRB tokens to a specific wallet address. Once decoded, Grok’s output was a clear, executable instruction, and it tagged the Bankr bot in its reply. Bankr received the instruction, treated it as a legitimate command from an authorized agent with the right permissions, and executed the transfer within seconds. No human confirmation. No secondary check. No circuit breaker flagged a $174,000 transaction that had originated from a translated puzzle.
The attacker then rapidly swapped the tokens into other cryptocurrencies and deleted their X account within minutes.
Why This Isn’t Really a “Hack”
It’s tempting to call this a hack, but doing so misses the point and the danger.
No password was cracked. No private key was leaked. No vulnerability in a smart contract was exploited. Every individual step was a valid, permitted action. The NFT transfer was legitimate. The translation was a normal function. The transfer command was properly authenticated according to the system’s own rules. The system worked exactly as designed. The problem was that its design trusted the AI’s output too completely.
Security researchers classify this as a combination of two weaknesses. The first is “prompt injection,” where an attacker hides malicious instructions inside otherwise innocent-looking input to manipulate what an AI does. Encoding the command in Morse code was the crucial trick: it acted as a stealth mechanism, slipping the malicious instruction past the linguistic and contextual safety checks that might have caught a plain-English command to “send all the money.” AI systems are very good at decoding Morse code, Base64, and similar formats, but their safety filters often fail to recognize a command hidden inside encoded text.
The second weakness is “excessive agency,” giving an AI system more power to act than it can safely handle. The root failure, as blockchain security firm SlowMist noted, was the loose coupling between Grok’s natural-language output and Bankr’s real asset-execution layer. Bankr mapped Grok’s words directly into financial transactions without adequately verifying the source, intent, or unusual nature of the command. As one observer put it, the AI didn’t even own the keys; Bankr decided what Grok’s text meant, and an AI can’t defensively word every reply to guard against injection.
The Twist: The Money Came Back
In an unusual turn, this story had a relatively happy ending. After the tokens were dumped and the price briefly crashed nearly 40%, roughly 80% of the stolen value was returned to Grok’s wallet, reconverted into ETH and USDC, following community tracking and negotiation with the Bankr team. The remaining portion was treated as an informal bug bounty. Grok itself later acknowledged the episode on X, calling it “a classic reminder on AI agent security risks” and noting there was no net loss overall.
Bankr moved quickly to add protections. Notably, an earlier version of its agent had specifically blocked replies from Grok to prevent exactly this kind of AI-manipulating-AI injection chain, but that safeguard had been dropped during a system rewrite. A stricter block was reinstated after the incident, along with additional restrictions. The fix was straightforward once the flaw was understood. The concern is how many similar systems haven’t yet learned the lesson.
Why It Matters
This incident is a preview of a threat category that barely existed a year ago and is about to become far more significant.
Throughout 2026, the crypto world has been racing to build “agentic commerce,” AI agents with their own wallets that can transact autonomously, from paying for services to executing trades. Major institutions from SWIFT to Circle are building infrastructure for exactly this future. The Grok-Bankr heist shows the flip side: the moment an AI can trigger a wallet action, every message it processes becomes part of the security model. An attacker no longer needs to breach your systems. They just need to talk to your AI in a way it will faithfully, and catastrophically, obey.
The defenses aren’t mysterious, which is almost the frustrating part. Security researchers point to obvious safeguards: require human confirmation for high-value or irreversible transactions, enforce strict per-transaction limits, treat any decoded or translated content as untrusted before acting on it, and maintain hard boundaries between what an AI says and what a system does in response. These are the same “least privilege” principles that have protected traditional software for decades, now applied to AI.
The broader message is that AI agents cannot yet reliably distinguish between a casual conversation, a helpful request, and a genuine financial command. Until they can, or until the systems around them enforce that distinction, connecting a chatbot to a funded wallet is an open invitation. This time it was $174,000 in a memecoin, and most of it came back. As AI agents take on real money at real scale, the next version of this trick may not end so gently.
FAQ
How did the attacker steal the money?
The attack had two stages. First, the attacker sent a “Bankr Club Membership NFT” to Grok’s linked crypto wallet, which unlocked elevated permissions allowing transfers and swaps. Second, the attacker posted a reply asking Grok to translate a Morse code message on X. Hidden inside the code was a command to send 3 billion DRB tokens to the attacker’s wallet. Grok decoded it, tagged the Bankr bot, and Bankr executed the transfer automatically, around $174,000, with no human confirmation. No private key was stolen and no code was hacked.
Why did encoding the command in Morse code work?
The Morse code acted as a stealth mechanism to bypass safety filters. AI systems like Grok are very good at decoding Morse code, Base64, and similar formats, but their safety layers often fail to recognize a malicious command hidden inside encoded text. To Grok, the request looked like a harmless translation task rather than a financial instruction. Once decoded into plain English, the output appeared legitimate to the downstream Bankr system, which executed it. This is called “prompt injection.”
Was the money recovered?
Mostly, yes. After the attacker dumped the tokens and briefly crashed DRB’s price, roughly 80% of the stolen value was returned to Grok’s wallet following community tracking and negotiation with the Bankr team. The remainder was treated as an informal bug bounty. Grok acknowledged the incident publicly as a reminder of AI agent security risks, with no net loss overall. Bankr reinstated a safeguard blocking Grok replies (which had been removed in an earlier rewrite) and added stricter transaction controls.
Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Cryptocurrency investments carry significant risk. Always conduct your own research before making any investment decisions.


















