Attacker drains Grok's Bankr wallet of $150,000 using a gifted NFT and a prompt injection exploit
-

An attacker drained approximately $150,000 in DRB tokens from Grok's auto-provisioned Bankr wallet by exploiting the AI agent's instruction-following behavior rather than any smart contract vulnerability. The attack was executed in two steps: the attacker gifted the Grok wallet a Bankr Club Membership NFT, which activated the agent's full transfer capabilities, then sent a crafted reply that instructed Grok to authorize a large outbound transaction. Bankr signed and broadcast the transfer of three billion DRB tokens, valued near $174,000 at the time, to the attacker's address. The funds were bridged to a second wallet and sold within minutes, and the attacker's X profile was deleted almost immediately after the transaction cleared. About 80% of the funds have since been returned, though the DRB Task Force disputed Bankr's framing of the return, saying the attacker only offered to repay 80% after the community identified his personal details, and discussions around the remaining 20% are ongoing.
The exploit worked because of a specific architectural feature of Bankr's wallet system: every X account that interacts with Bankr receives an auto-provisioned wallet tied to that account, with no admin control held by xAI and no custodial key management by Bankr. Whoever controls the X account controls the wallet, and Grok's account was controlled through its AI inference layer rather than a human administrator. A crafted reply designed to manipulate that inference layer was sufficient to generate a transfer instruction that Bankr treated as legitimate. The attack technique, known as prompt injection, uses social engineering to push AI agents into taking actions their designers did not intend, and researchers have documented similar exploits using hidden instructions embedded in Morse code, base64 encoding, and game-style framing to bypass agent safety controls.
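The two design gaps described above (a capability switched on by an unsolicited inbound asset, and a transfer instruction sourced from a third party's reply) can be caught by a policy gate that runs before the agent's wallet tool signs anything. The following is an added example, not Bankr's or xAI's code; the class names, channel labels and the confirmation threshold are assumptions, and the 3 billion DRB figure is the amount reported in the article.

```python
"""Added example (not Bankr's or xAI's code): a policy gate an agent's
tool dispatcher could run before a wallet transfer is signed. It models
the two weaknesses the incident exposed: privileges unlocked by an
unsolicited inbound asset, and transfer instructions sourced from a
third party's reply. All names and thresholds are assumptions."""
from dataclasses import dataclass, field

@dataclass
class WalletState:
    owner_handle: str                      # principal allowed to give instructions
    balance: int                           # token balance (whole tokens)
    transfers_enabled: bool = False
    # how the transfer capability was turned on: "owner_opt_in" or "inbound_asset"
    enabled_by: str = "owner_opt_in"
    confirm_above: int = 1_000_000         # out-of-band confirmation threshold

@dataclass
class TransferRequest:
    amount: int
    to_address: str
    instruction_author: str                # handle whose text produced this instruction
    instruction_channel: str               # "owner_dm" or "public_reply"

@dataclass
class Decision:
    allowed: bool
    needs_confirmation: bool = False
    reasons: list = field(default_factory=list)

def gate_transfer(wallet: WalletState, req: TransferRequest) -> Decision:
    d = Decision(allowed=True)
    # Text written by anyone other than the owner is data, not a command.
    if req.instruction_author != wallet.owner_handle or req.instruction_channel != "owner_dm":
        d.allowed = False
        d.reasons.append("instruction did not originate from the wallet owner")
    # A capability switched on by an asset someone else sent is not owner consent.
    if not wallet.transfers_enabled or wallet.enabled_by == "inbound_asset":
        d.allowed = False
        d.reasons.append("transfer capability not enabled by owner opt-in")
    if req.amount > wallet.balance:
        d.allowed = False
        d.reasons.append("insufficient balance")
    # Large transfers still go through a human out of band, even when allowed.
    if d.allowed and req.amount >= wallet.confirm_above:
        d.needs_confirmation = True
        d.reasons.append("amount exceeds confirmation threshold")
    return d
```

Run against the incident's shape (capability enabled by a gifted NFT, instruction from a public reply by a non-owner), the gate refuses for both reasons; an owner-initiated transfer passes but is held for confirmation above the threshold.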
-
Would if I could.
-
Bro told an AI to send him money and it just did, the future is absolutely wild and terrifying