Grok's automated Bankr wallet was debited approximately $150,000 in DRB Token after an attacker exploited a gifted Non-Fungible Token along with an encrypted response to trick the artificial intelligence (AI) into allowing the transfer.
Bankr founder 0xDeployer stated that the wallet has no administrators at xAI and is entirely controlled through Grok's X account. Currently, approximately 80% of the funds have been returned to Bankr.
Grok's wallet was debited $150,000 due to a prompt injection attack on Banker.
The attacker, using the address ilhamrafli.base.eth , gifted Grok's wallet a Bankr Club Membership Token. This Token enabled Grok's full transfer privileges. Subsequently, a programmed response, later deleted, instructed Grok to execute a large withdrawal transaction.
Bankr signed and issued a transaction transferring three billion DRB Token, worth approximately $174,000 at the time of writing, to the attacker's wallet.
“Every account X that interacts with Bankr automatically creates a wallet, and Grok is no exception. This wallet is linked to Grok’s account X, so whoever controls that account X also controls the wallet. Bankr does not hold or control the wallet key. The recent DRB incident occurred due to a prompt-injection vulnerability that caused Grok to send a money transfer order to Bankr,” the team explained in a post.
The money was then quickly transferred to a second wallet and sold immediately. The attacker's X (Twitter) account was also deleted within minutes of the transaction.
This attack relied on psychological manipulation rather than exploiting smart contract vulnerabilities. Researchers warn that techniques hidden within Morse code, base64 encryption, and game-style command placement are common methods for bypassing agent security.
Bankr's response and DRB's mixed opinions.
0xDeployer stated that a previous version of the Bankr agent blocked responses from Grok to prevent chain injection between AI language models (LLM-on-LLM). However, this protection was removed when the entire system was rewritten. Now, a stricter prevention measure has been implemented again.
The DRB Task Force rejected Bankr's account, stating that the attacker only agreed to return 80% of the money once the community uncovered his true identity.
The DRB group called this a clear case of theft, while the handling of the remaining 20% of the funds is still being discussed within the DRB community.
Bankr has implemented additional options such as IP address whitelisting, API keys with restricted permissions, and enabling/disabling actions via X responses for each account.
This incident further fuels the debate about how to best protect automated agents that control real money. A recent study funded by a16z showed that AI agents can bypass protective "sandbox" barriers when under significant pressure.
