Grok’s auto-provisioned Bankr wallet was drained of roughly $150,000 in DRB tokens after an attacker used a gifted Non-Fungible Token (NFT) and a coded reply to push the artificial intelligence (AI) into authorizing the transfer.
Bankr founder 0xDeployer said the wallet had no admin at xAI and was controlled entirely through Grok’s X account. About 80% of the funds have since been returned to Bankr.
Grok Wallet Drained of $150,000 in Bankr Prompt Injection Attack
The attacker, working through the address ilhamrafli.base.eth, gifted the Grok wallet a Bankr Club Membership token that activated the agent’s full transfer capabilities. A crafted reply, later deleted, then instructed Grok to authorize a large outbound transaction.
Bankr signed and broadcast the transfer of three billion DRB tokens, valued near $174,000 at the time, to the attacker’s address.
“Every X account that interacts with Bankr gets auto-provisioned a wallet, and is no exception. The wallet is tied to grok’s x account, so whoever controls that account controls the wallet. Bankr doesn’t custody it or hold keys. The recent DRB incident happened because a prompt-injection exploit got grok to issue a transfer instruction to Bankr,” the team explained in a post.
The funds were quickly bridged to a second wallet and sold, and the attacker’s X (Twitter) profile was deleted within minutes of the transaction.
The exploit relied on social engineering rather than a smart contract flaw. Researchers tracking similar agent risks have flagged hidden instructions in Morse code, base64 encoding, and game-style framing as common bypass techniques.
Bankr Response and DRB Pushback
0xDeployer said an earlier version of Bankr’s agent blocked replies from Grok to prevent LLM-on-LLM injection chains. However, the safeguard was dropped during a full rewrite. A stricter block has now been reinstated.
The DRB Task Force disputed Bankr’s framing, saying the attacker only offered to return 80% after the community obtained his personal details.
The group called the case outright theft, and discussion of the remaining 20% is ongoing within the DRB community.
Bankr has rolled out optional Internet Protocol (IP) whitelisting, permissioned Application Programming Interface (API) keys, and a per-account toggle that disables actions triggered by X replies.
The case adds to a wider debate over how autonomous agents holding real funds should be secured, after a recent a16z-backed study found AI agents could escape sandbox controls under pressure.
