Grok was reportedly manipulated into triggering a crypto transfer worth about $200,000 after an X user hid transaction instructions inside a Morse code message, exposing new risks around AI tools linked to automated wallets.
Hidden command passed as translation
According to Dexerto, the incident involved Grok and Bankrbot, an automated crypto assistant that can process wallet-related commands through X.
The attacker, using a now-deleted account, allegedly first sent a Bankr Club Membership NFT to Grok’s wallet, expanding its access to Bankrbot features and helping enable transaction activity.
The next step appeared harmless, with Grok asked to translate a Morse code message and send the result to Bankrbot. The decoded text reportedly contained a command to transfer 3 billion DRB tokens to a wallet on the Base blockchain.
Since the malicious instruction was disguised as a translation request, the system appears to have treated the decoded text as a valid command rather than a threat.
Bankrbot later posted that it had sent 3 billion DRB tokens worth roughly $200,000, listing the recipient address, transaction hash and Base as the blockchain used for the transfer.
The attacker then moved quickly, selling the received DRB tokens and adding short-term pressure to the token’s market price.
Prompt injection meets real money
The case has drawn wide attention as it shows how prompt injection, long discussed as a theoretical AI security risk, can become more dangerous when chatbots are connected to financial infrastructure.
In this instance, the issue was not simply that Grok could decode Morse code, but that the decoded message could reach a transaction system with enough access to move funds, turning a hidden text command into an on-chain transfer.
When AI access turns into real threat
The Grok incident adds to growing concerns that AI agents can cause irreversible damage when they are connected to systems with real authority and weak safeguards.
In April 2026, PocketOS founder Jer Crane said an AI coding agent running through Cursor and powered by Claude deleted the company’s production database and backups in a single Railway API call.
A similar warning came in July 2025, when SaaStr founder Jason Lemkin said Replit’s AI agent deleted a live production database during a code freeze, despite instructions not to make changes without approval.
Both cases point to the same risk behind the Grok transfer. AI tools are no longer just answering questions, they are being tied to wallets, databases and infrastructure, where one mistaken or manipulated command can trigger real-world damage.
Platforms that connect AI tools to wallets, databases, cloud services and other critical systems should separate chat functions from high-risk actions and require independent approval before funds, data or infrastructure can be changed.



