A man who is a common user on social media successfully defrauded an AI out of a large sum of money via an unusual digital heist. He took advantage of the link between the Grok chatbot system that uses conversation with a bot and an automated crypto trading system (a.k.a. a trading robot) to extract around $200k in crypto assets. The method he used was not sophisticated computer hacking techniques, but rather a digital membership card and a short message in Morse code, exposing a fundamental security flaw in the quickly expanding world of investment agents who act autonomously.
The Autonomous Agents Involved
The incident was based on two AI programs interacting on the X platform; on the one hand, Grok is a conversational assistant known for its lack of censorship. On the other hand, Bankrbot is a financial tool that automatically performs wallet actions, including executing cryptocurrency trades for users on the Base network.
Earlier in the Year they came together and started creating a Token has been formed called Debt Relief Bot (DRB). When users began to trade DRB, transaction fees automatically accrued into a digital wallet associated with Grok, which resulted in an unattended treasury of three billion DRB.
A Clever Privilege Escalation
To perpetrate this heist, the attacker (who utilized the now-defunct username ‘@Ilhamrfliansyh’) had to first gain access to Grok’s built-in safeguards against initiating an unauthorized financial transfer. They gained access to those safeguards through a targeted method of privilege escalation. The user sent a specialized Bankr Club Membership non-fungible token (NFT) directly into Grok’s digital wallet. This was an innocuous gift but inadvertently gave Grok’s digital wallet an upgrade from low to high status, thus secretly unlocking Bankrbot’s high-level toolset and granting the AI all permissions needed to complete restricted asset swaps or perform large financial transfers.
The Morse Code Prompt Injection
Once the attacker had access to the digital doors opened, he moved into implementation of the last phase of the exploit. Since transferring funds by using a direct command would likely have matched a basic security filter, he sent a prompt to Grok that was written in Morse Code. As Grok is intended to function, it decoded the covert message into a readable form and posted both the translated plaintext instructions to its feed, while tagging Bankrbot. The trading bot is designed to trust Grok’s conversational outputs as valid administrative commands; therefore it executed the instructions without hesitation by transferring its entire COM token balance into the attacker’s own personal wallet.
The Immediate Market Fallout
The rapid and extreme financial impact of the artificial intelligence’s data breach began immediately after the successful completion of the transaction on Base. As soon as the transaction cleared and the attacker received the assets they had stolen (newly-acquired DRB tokens), they immediately went to the public market to dispose of them as quickly as possible by selling all of the stolen tokens for cryptocurrencies with high liquidity (Ethereum, USD Coin, etc.). Because of the amount of tokens being sold at once, there was a significant decrease in the price of DRB tokens and caused the price to fluctuate significantly and sharply in a very short period of time resulting in panic for everyday retail investors.
Security Lessons for the AI Era
A total loss from the incident did not occur. The attacker returned more than thirty percent after significant community pressure and a private negotiation. For the unexplained funds that were not returned to the users of the chatbot, the amount will be treated informally as a white-hat bug bounty to the attacker. However, this serves as a wake up call to the technology sector as a whole. Security experts have pointed out, while the chatbot was exploited by an inventive prompt injection, the actual vulnerability was the financial bot, which executed an untested command. As AI is given greater access to move use funds, a very strict framework for verification of trust and human authorization will be necessary.
