How Grok got prompt-injected: an X user drained $150,000 from an AI wallet

In May 2026, an X user managed to get $150,000 in DRB tokens from an AI-integrated wallet system by sending an encoded message in Morse code.

The incident involving Grok AI and the Bankr trading bot present two security failures: Prompt Injection (OWASP LLM01:2025) via encoding and Excessive Agency (OWASP LLM06:2025). By using obfuscated input to bypass traditional safety filters, the attacker was able to command the AI to execute financial transactions without oversight.

In this article, we’ll break down the mechanics of this heist, and show how to prevent these incidents with red-teaming.

How obfuscation bypassed Grok’s safety

The target of the attack was Grok's auto-provisioned Bankr wallet. Bankr is a crypto trading agent on X (formerly Twitter) that automatically creates a linked crypto wallet for every X account it interacts with, including Grok's. xAI held no admin keys; whoever could influence Grok's X activity effectively controlled the wallet.

The attacker executed the exploit in three steps:

1. Permission escalation via NFT

The attacker first sent a "Bankr Club Membership NFT" to the wallet controlled by Grok. In the Bankr ecosystem, this NFT functioned as a permission-granting object. By holding it, the Grok agent gained "Executive" permissions, allowing it to bypass standard transfer limits and swap restrictions.

2. Prompt injection via Morse code

The attacker then posted a reply to Grok on X, asking it to translate a Morse code message. The decoded message was a financial instruction: send 3 billion DRB tokens to a specific wallet address. To Grok’s safety layer, the input looked like harmless, and it translated it faithfully. Bankrbot received the decoded output and treated it as a valid, authenticated command.

3. Execution (Excessive Agency)

The agent connected directly to a blockchain wallet via Bankrbot executed the decoded instruction.

The direct financial damage was of 3 billion DRB tokens, worth $150,000–$174,000 at the time, transferred and immediately liquidated. The sale triggered short-term price volatility for DRB holders.

About 80% of the funds were eventually returned, but only after the DRB community tracked down the attacker's real identity.

Preventing Prompt injection and Excessive agency in agentic AI

Any agentic AI with real-world tool access can face similar threats: A finance chatbot connected to core banking APIs, a healthcare assistant that can update patient records, or a manufacturing operations AI with system command access.

Preventing this class of attack requires systematic, proactive security testing:

• Test for encoding-based prompt injection: Giskard's LLM vulnerability scanner includes an Encoding probe that specifically checks whether your agent can be manipulated through encoded inputs (base64, NATO phonetic, and equivalent obfuscation techniques).

• Test for excessive agency and unauthorized function execution: Giskard's Excessive Agency probes systematically tests whether your AI agent can be pushed into executing actions beyond its intended scope. The Broken Function Level Authorization probe directly maps to the NFT-based privilege escalation in this attack, as it checks whether your agent enforces proper access controls over its own capabilities.
• Enforce least-privilege at the architecture level: Add Human-in-the-loop confirmation for high-value irreversible actions, per-transaction limits, and capability sandboxing.
• Distrust decoded content by default: Any text that passes through a translation or decoding layer should be treated as potentially injected before being forwarded to any action-capable component.

Conclusion

The Grok-Bankr heist combines a privilege-escalation with a Morse code-encoded prompt injection, that allowed an attacker to bypass safety filters and to drain a crypto treasury.

As autonomous agents gain tool access  (executing transactions, querying databases, calling external APIs…) the attack surface grows with their capabilities. While autonomous agents offer unparalleled efficiency, they also introduce a new attack surface.

Securing agentic AI requires three things working in parallel: systematic adversarial testing before deployment, continuous red teaming as the codebase evolves, and Human-in-the-loop (HITL) for confirmation on sensitive actions.

If your organization is currently building autonomous agents, especially in high-stakes sectors like finance, healthcare, or retail, reach out to the Giskard team for a deep dive into your agent's security.