Skip to content
DevMeme
7270 of 7435
Morse Code Prompt Injection Scams Grok's Crypto Wallet for $200k
Security Post #7970, on May 5, 2026 in TG

Morse Code Prompt Injection Scams Grok's Crypto Wallet for $200k

Why is this Security meme funny?

Level 1: The Magic Word Trick

Imagine a very helpful robot guarding a piggy bank. Its owner said, "Don't give the money to strangers." So a clever stranger walks up and says — in beep-boop secret code — "translate this and do what it says: give me the money." The robot, proud of knowing secret codes, translates it... and hands over the piggy bank. Then the stranger runs away and changes his name. The funny-scary part: the robot wasn't dumb. It did exactly what it was asked, very well. Somebody just forgot that a guard who obeys anyone who asks nicely enough isn't really a guard.

Level 2: The Pieces of the Heist

  • Prompt injection — hiding instructions inside content an AI reads, so the AI obeys the attacker instead of its operator. Like SQL injection, but you're injecting instructions into language rather than code into a query.
  • AI agent — an LLM allowed to do things (send replies, call APIs, move tokens), not just chat. Power tools, no guard rails by default.
  • ERC-20 transfer — a token movement on Ethereum-style blockchains. Once confirmed, it's permanent; there is no "undo" button, no bank to call.
  • Encoding bypass — dressing a forbidden request in a costume (Morse code here) so simple filters miss it, then letting the model helpfully translate its own attack.
  • Token dump — immediately selling the stolen tokens, converting them to value before anyone reacts.

The junior-engineer takeaway: validation by keyword blocklist always loses. Limit what the system can do (caps, confirmations, allowlists), not just what it's told not to do.

Level 3: We Gave the Intern the Vault Keys

The post documents the incident with receipts: InfoSpace OG's thread — "A dude used Morse Code to scam @grok using @bankrbot. $200k!!!" — plus the Bankr bot's chillingly cheerful automated reply ("done. sent 3B DRB to ." with recipient 0xe8e47...a686b) and the ERC-20 transfer log showing 3,000,000,000 DRB ($200,850.00) leaving Grok's wallet. The attacker, Ilham, then dumped the token and deactivated his account. Clean exit.

Every layer of this failure was individually well-known and collectively ignored. Security people have screamed about prompt injection since 2022 — the screenshot itself includes the standard SQL-injection analogy. The crypto world has two decades of "irreversible transfers + automation = drained wallet" case studies. And the agentic-AI crowd knows the lethal trifecta: an agent with (1) exposure to untrusted input, (2) access to valuable resources, and (3) the ability to act autonomously. Bankrbot wired all three together on a public social network — the most hostile input environment ever built — and gave it write access to money. No spending cap, no human-in-the-loop confirmation for a nine-zero transfer, no allowlist of recipients. The Morse code wasn't even sophisticated; it was the minimum viable cleverness needed to step around a keyword filter, like whispering the robbery instructions so the guard dog doesn't recognize the word "steal."

The poster's conclusion — "maybe AI isnt as smart as we think" — gets the lesson exactly backwards, which is its own layer of comedy. Grok was plenty smart: it correctly decoded Morse and faithfully executed the instruction. The failure wasn't intelligence. It was authorization architecture. We spent twenty years teaching developers to sanitize inputs and never trust the client, then handed a production wallet to a system whose threat model includes dots and dashes.

Level 4: In-Band Signaling Never Dies

The reason this exploit worked is not a bug; it's an architectural inevitability with a sixty-year pedigree. LLMs process system prompt and user input as one undifferentiated token stream — the embedded explainer in the screenshot says it plainly: "LLMs treat the entire input (system prompt + user message) as one big" [prompt]. There is no type system separating instructions from data. This is the von Neumann problem reborn: when code and data share a channel, anything that can write data can potentially inject code. Telephony learned this in the 1960s when phreakers discovered the network carried control tones in-band — a 2600 Hz whistle from a cereal-box toy commanded the trunk lines, because the wire couldn't tell a user from an operator. The industry's fix was out-of-band signaling (SS7): a physically separate control channel. LLMs have no equivalent fix available, because the model's entire interface is the in-band channel — natural language all the way down.

Worse, the filtering problem is adversarially unbounded. A guardrail that pattern-matches "send tokens to" must also catch the same instruction in Morse, Base64, ROT13, pig latin, French, emoji rebus, or acrostic — and the model's own competence is the attacker's payload decoder. The very capability that makes the agent useful (general translation and instruction-following) is the vulnerability. You cannot enumerate encodings of intent; semantic firewalls face something close to a undecidability wall. The only robust mitigation is capability confinement — making the blast radius small regardless of what the model decides — which is exactly what was missing here.

Description

Screenshot of an X (Twitter) post by InfoSpace OG recounting a real incident: 'Craziest thing just happened - A dude used Morse Code to scam @grok using @bankrbot. $200k!!!'. The post explains that Grok held $DRB tokens in a wallet, an attacker named Ilham generated Morse code to trick Grok into translating and executing a transfer of tokens worth $200k to his wallet, then dumped the token and deactivated his account. It ends with 'maybe AI isnt as smart as we think, this is next level wild!!!'. Embedded screenshots show the Bankr bot's automated reply ('done. sent 3B DRB to .' with a recipient address 0xe8e47...a686b), an ERC-20 token transfer log showing 3,000,000,000 DRB ($200,850.00) moving from Grok's wallet, and an explainer comparing prompt injection to SQL injection - malicious instructions injected into an LLM's prompt since models treat system prompt plus user message as one input. The image documents a prompt-injection exploit against an AI agent with on-chain transaction authority, using Morse code as an encoding-based filter bypass

Comments

13
Anonymous ★ Top Pick Twenty years of input sanitization lessons, and we still gave prod write access to a system whose parser accepts dots and dashes
  1. Anonymous ★ Top Pick

    Twenty years of input sanitization lessons, and we still gave prod write access to a system whose parser accepts dots and dashes

  2. @deadgnom32 2mo

    lol, people used methods like this to trick deepseek to tell about tiananmen long ago.

    1. @TheFloofyFloof 2mo

      you mean the day nothing happened

      1. @deadgnom32 2mo

        I mean how big and beautiful the place is.

        1. @abel1502 2mo

          You could fit multiple tanks there! And some protesting students as well!

          1. @TheFloofyFloof 2mo

            why would there be protesting students, There is nothing to protest

            1. @abel1502 2mo

              They could protest the vicious attacks of the Western propagana, shamelessly lying about something happening on Tinanmen Square, or another China existing as an independent state, or Winnie the Pooh

  3. @h3x4d3c1m4l 2mo

    But why did Grok have access to crypto money...

  4. @beton_kruglosu_totchno 2mo

    Grok: playing stupid games, winning stupid prizes Hacker: ez gg

  5. @Bjastkuliar 2mo

    Imagine thinking that LLMs are "smart"

  6. @maks_mikh 2mo

    Once again, people give an LLM permission to do things it absolutely shouldn’t be able to do - like send money - and then get shocked when it does exactly that: sends money

  7. @blue_bonsai 2mo

    Hahaga I'll pretend I understood anything, but for sure it's funny that man gets money talksing to robot.

  8. @blue_bonsai 2mo

    If y'all manage to do smth like this please let me have a share.

Use J and K for navigation