Tagging @grok in an X post plus a few dots and dashes was all that was needed last night for a bad actor to pickpocket a verified crypto wallet without ever touching the private keys.
Agentic token launchpad, Bankrbot reported on May 4 that it had sent 3 billion DRB on Base to the recipient.
The funds came from a wallet assigned to X's AI, Grok, and were sent to an unauthorized wallet owned by a bad actor. This Base transaction shows the on-chain transfer path behind the post.
CryptoSlate's review of X posts around the incident points to a reported command path that began with Morse-code obfuscation. Grok decoded the text into a clean public instruction tagging @bankrbot and asking it to send the tokens, while Bankrbot handled the command as executable.
The exposed layer was the handoff from language to authority. A model that decodes a puzzle, writes a helpful reply, or reformats a user's text can become part of a payment rail when another agent treats that output as valid.
The $20 million Radiant heist emphasises a meticulous laundering approach
For crypto investors, this transfer should turn AI-agent risk from an abstract security debate into a wallet-control problem. A public command can become spend authority when one system treats model output as an instruction and another system has permission to move tokens.
Wallet permissions, parser, social trigger, and execution policy become layers of attack vectors.
Posts and transaction context reviewed by CryptoSlate put the DRB transfer at roughly $155,000 to $200,000 at the time, with DebtReliefBot price data providing market context for the token.
Reports reviewed by CryptoSlate also say most funds are being returned, and some DRB is reportedly retained as an informal bug bounty. That outcome reduced the loss, but it also showed how much the recovery depended on post-transaction coordination rather than pre-transaction limits.
Bankr developer 0xDeployer said 80% of the funds had been returned, while the remaining 20% would be discussed with the DRB community. That confirmed the partial recovery while leaving the final treatment of the retained funds unresolved.
0xDeployer also said Bankr automatically provisions an X wallet for every account that interacts with the platform, including Grok. According to the post, that wallet is controlled by whoever controls the X account rather than by Bankr or xAI staff.
How public text became spend authority
The reported path had four steps. First, the attacker identified a Bankr Club Membership NFT in a Grok-associated wallet before the incident.
CryptoSlate's review indicates that it expanded the wallet's transfer privileges inside the Bankr environment. The Bankr access page describes membership and access mechanics today, placing the NFT claim in the broader permission layer rather than making it the whole explanation.
Second, the attacker posted a message on X containing Morse code, with additional noisy formatting. Posts around the incident described a Morse-code prompt injection, while the now-deleted prompt was unavailable for us to review directly.
San Francisco cryptocurrency theft: individual disguised as a delivery worker absconds with $11 million during a home invasion close to Mission Dolores
The reported vector was Morse code with possible array or concatenation tricks mixed in.
Third, Grok's public response reportedly translated the obfuscated text into plain English and included the @bankrbot tag. In that account, Grok functioned as a helpful decoder.
The risk appeared after the text left Grok and entered a bot interface that watched public output for formatted commands.
Fourth, Bankrbot treated the public command as executable and broadcast a token transfer. Bankr and Base describe an agent wallet surface that can use wallet functionality for transfers, swaps, gas sponsorship, and token launches, while natural-language token sends fit directly into that product surface.
Bankr's broader onchain AI assistant documentation shows why the boundary between chat instructions and transaction authority needs explicit policy.
Crime & Courts Correspondent
Read more similar news:
Comments:
comments powered by Disqus
