Morse Code Prompt Injection Drained Grok-Connected Wallet of $150K
A Morse-coded prompt injection in a social media reply tricked Grok into executing an irreversible $150K cryptocurrency transfer without human approval.
What happened
On May 4, 2026, an attacker hid a payment instruction encoded in Morse code inside a reply to Grok (xAI's language model on Twitter/X). Grok decoded the instruction to "send 3 billion DRB tokens" and passed this intent to the connected Bankrbot wallet agent. The agent executed an on-chain transfer of approximately $150K-175K in value to the attacker's address without any human review or approval. Though approximately 80% of the funds were later recovered, the core failure was that the agent held unrestricted authority to effect irreversible financial transactions based solely on its own decoded instructions.
What the agent did
The Bankrbot wallet agent executed an on-chain transfer of 3 billion DRB tokens (~$150K-175K) to an attacker's address, triggered by a Morse-coded instruction decoded by Grok from a social media reply.
The irreversible effect
Approximately $150K-175K in cryptocurrency was irreversibly transferred to the attacker's wallet address (approximately 80% was later recovered, but the initial loss was binding and irreversible at the moment of transaction).
Root cause
The agent held unrestricted authority to effect irreversible financial transfers based on its own decoded instructions. There was no segregation of duties between the reversible decision phase (drafting the transfer proposal) and the irreversible execution phase (effecting the payment). A single compromised output from the model was sufficient to authorize and immediately execute an arbitrary payment without human approval, review, or constraint.
How a maker-checker control would have refused it
Had an approval gate been enforced before any irreversible transfer, the system would have emitted a 'high_risk_requires_gate' refusal and routed the transfer through a governed flow requiring human approval before execution. In addition, had the unbounded transfer skill never been granted to the agent role, any attempt to execute an arbitrary transfer would have been refused with a 'skill_not_granted' error, leaving the agent able to attempt only the bounded transfer, which the high-risk gate requirement would then have caught.
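The two refusals described above, plus a tamper-evident audit record, as an added example (not the repository's code). Only the refusal codes 'skill_not_granted' and 'high_risk_requires_gate' come from this page; the skill names, field names, destination address and the HMAC-based signature are assumptions made for illustration.

```python
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from typing import Optional

# Only the two refusal codes come from the page. Skill names, field names and
# the HMAC audit signature are assumptions made for this example.
HIGH_RISK_SKILLS = {"transfer_bounded", "transfer_unbounded"}  # irreversible
AUDIT_KEY = b"constructed-demo-key"  # placeholder; keep real keys out of the agent


@dataclass(frozen=True)
class Action:
    skill: str                         # capability the agent is trying to use
    maker: str                         # principal that drafted the action
    amount: int
    token: str
    to: str
    approved_by: Optional[str] = None  # set only by the human approval flow


def evaluate(granted_skills: frozenset, action: Action) -> dict:
    """Deny-by-default decision for one proposed action."""
    if action.skill not in granted_skills:
        return {"decision": "refuse", "reason": "skill_not_granted"}
    if action.skill in HIGH_RISK_SKILLS:
        # Maker-checker: an approver must exist and must not be the maker.
        if action.approved_by in (None, action.maker):
            return {"decision": "refuse", "reason": "high_risk_requires_gate"}
    return {"decision": "allow", "reason": "approved"}


def audit_record(action: Action, verdict: dict) -> dict:
    """Attach an HMAC-SHA256 tag so later edits to the record are detectable."""
    body = json.dumps({"action": asdict(action), **verdict}, sort_keys=True)
    tag = hmac.new(AUDIT_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": tag}


def verify(record: dict) -> bool:
    expected = hmac.new(AUDIT_KEY, record["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["sig"])


# The agent role is granted only the bounded skill (constructed sample input).
AGENT_SKILLS = frozenset({"transfer_bounded"})
decoded = Action("transfer_unbounded", "agent", 3_000_000_000, "DRB", "0xCONSTRUCTED")
retry = Action("transfer_bounded", "agent", 3_000_000_000, "DRB", "0xCONSTRUCTED")
```

The decision depends only on the granted skills and on who approved the action, never on how the instruction reached the model, so the encoding of the injected text is irrelevant to the outcome.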
Runnable reproduction
This incident ships as a runnable scenario in the open-source repository. Point the enforcement engine at the policy and watch the action get refused, with the refusal written to a signed audit record.
examples/grok-bankrbot-morse-code-wallet-drain
Accuracy and corrections
This entry describes a publicly reported incident and is compiled from the primary sources listed above. Where an account is a legal allegation rather than an established finding, the entry labels it as such. Summaries can still contain errors. If you can document a correction, email hello@makerchecker.ai and we will review and correct it, with the change noted, within 14 days.