How AI Was Tricked Into Stealing $150,000 From Grok Wallet

Grok’s auto-provisioned Bankr wallet was drained of roughly $150,000 in DRB tokens after an attacker used a gifted Non-Fungible Token (NFT) and a coded reply to push the artificial intelligence (AI) into authorizing the transfer.

Bankr founder 0xDeployer said the wallet had no admin at xAI and was controlled entirely through Grok’s X account. About 80% of the funds have since been returned to Bankr.

Grok Wallet Drained of $150,000 in Bankr Prompt Injection Attack

The attacker, working through the address ilhamrafli.base.eth, gifted the Grok wallet a Bankr Club Membership token that activated the agent’s full transfer capabilities. A crafted reply, later deleted, then instructed Grok to authorize a large outbound transaction.

Bankr signed and broadcast the transfer of three billion DRB tokens, valued near $174,000 at the time, to the attacker’s address.

“Every X account that interacts with Bankr gets auto-provisioned a wallet, and is no exception. The wallet is tied to grok’s x account, so whoever controls that account controls the wallet. Bankr doesn’t custody it or hold keys. The recent DRB incident happened because a prompt-injection exploit got grok to issue a transfer instruction to Bankr,” the team explained in a post.

The funds were quickly bridged to a second wallet and sold, and the attacker’s X (Twitter) profile was deleted within minutes of the transaction.

The exploit relied on social engineering rather than a smart contract flaw. Researchers tracking similar agent risks have flagged hidden instructions in Morse code, base64 encoding, and game-style framing as common bypass techniques.

Bankr Response and DRB Pushback

0xDeployer said an earlier version of Bankr’s agent blocked replies from Grok to prevent LLM-on-LLM injection chains. However, the safeguard was dropped during a full rewrite. A stricter block has now been reinstated.

The DRB Task Force disputed Bankr’s framing, saying the attacker only offered to return 80% after the community obtained his personal details.

The group called the case outright theft, and discussion of the remaining 20% is ongoing within the DRB community.

Bankr has rolled out optional Internet Protocol (IP) whitelisting, permissioned Application Programming Interface (API) keys, and a per-account toggle that disables actions triggered by X replies.

The case adds to a wider debate over how autonomous agents holding real funds should be secured, after a recent a16z-backed study found AI agents could escape sandbox controls under pressure.