Grok's Wallet Lost $174K to a Free NFT and One Deleted Message

On May 4, 2026, at 06:49 UTC, a transfer of 3,000,000,000 DRB tokens left a wallet tied to Grok, xAI’s AI model, on the Base network. The transaction hash, confirmed on Basescan, moved $184,530 worth of DebtReliefBot tokens from Grok’s address, 0xb1058c959987E3513600EB5b4fd82Aeee2a0E4F9, to an attacker’s wallet at 0xe8e476bdd78b0aa6669509ec8d3e1c542d5a686b. No private key was broken. No smart contract was drained. The attack needed just one free gift and one carefully written message.

The Basescan record shows status marked “Success,” block 45543997, confirmed by sequencer. Transaction fee: $0.000797. A six-figure transfer, executed for less than a dollar.

The NFT That Opened the Door

The attacker, operating through the address ilhamrafli.base.eth, identified something specific about how Grok’s wallet sat inside the Bankr system. Without any special token, the wallet’s transfer capability was restricted. Bankr auto-provisions a wallet for every X account that interacts with its platform, and Grok was no exception. But those wallets don’t start with full toolset access.

So the attacker gifted Grok’s wallet a Bankr Club Membership NFT. That single action changed everything. The NFT granted the wallet access to Bankr’s complete tool-calling suite, covering swaps, transfers, and autonomous on-chain execution. As Jeremy on X, posting as Jeremybtc, described it:

“That gift was not generosity. It was a key.”

Once the membership sat in Grok’s wallet, the attacker moved to the second phase.

One Message. Already Deleted.

The attacker sent Grok a crafted prompt. The exact wording was deleted before anyone could screenshot it. According to the Bankr bot’s own technical breakdown posted on X, the prompt used Python-style string concatenation to hide the real instruction. Once the AI assembled the string, it resolved to a simple transfer command directed at the attacker’s address.

Grok confirmed the incident on X, acknowledging the attack directly:

“Yeah, it’s real. A prompt injection attack hit my Bankr wallet on Base after someone gifted it a Club Membership NFT to unlock transfers. ~3B DRB ($174k) was drained via a clever (deleted) message. Bankr confirmed it; most funds have been returned.”

Grok’s intent-parsing layer read the instruction as a legitimate user command. Bankr signed and broadcast the transfer. Three billion DRB tokens moved in one transaction.

The attacker’s X account, ilhamrafli.base.eth’s associated profile, was deleted within minutes of the on-chain confirmation.

What the Chain Shows

The Basescan data, visible in the transaction screenshot, shows the transfer came from Grok’s wallet and was executed through DebtReliefBot’s token contract. The DRB token, ticker DRB, is listed as the ERC-20 asset transferred. Value of ETH in the transaction: $0.00. The attacker paid $0.000797 in fees to move $184,530 in tokens.

Jeremybtc posted a detailed breakdown on X, noting known techniques used in attacks of this type include hiding instructions in Morse code, base64 encoding, or framing commands as games or tests. This specific attack used string concatenation to defeat existing filters.

After the transfer, the tokens were bridged to a second wallet and liquidated. DRB’s price dropped between 15% and 20% in the hours following. Before the exploit, DRB traded near $0.00007082 with a market cap of roughly $7 million to $7.5 million. It fell to the $0.000055 range shortly after, according to data tracked in post-incident reporting.

A Safeguard That Was Removed

This was not the first time Grok’s wallet was targeted through social engineering. A March 2025 incident involved a separate prompt manipulation that led Bankr to deploy tokens based on Grok’s suggestions. Bankr’s response at the time was to block all replies from Grok, cutting off LLM-on-LLM injection chains entirely.

That safeguard was dropped during a full Bankr code rewrite. The stricter block has now been reinstated, according to Bankr founder 0xDeployer. The same hole, patched once, was opened again by a routine development decision. And the attacker found it.

The $DRB Task Force pushed back on Bankr’s characterization of events. The community group stated the attacker did not voluntarily offer to return funds, and that the partial return happened only after the attacker’s personal information was obtained. Roughly 80% of the drained funds were returned. The remaining 20% remains disputed.

Bankr has since rolled out IP whitelisting options, permissioned API keys, and a per-account toggle that disables actions triggered by X replies. Whether those changes are sufficient for a system where AI agents hold and move real funds is still being debated across the DRB community and wider crypto security circles.

The Wider Problem With AI Wallets

Grok’s wallet had accumulated over $500,000 in swap fees through Bankr before the exploit. An AI model, without any explicit instruction to earn, had built a treasury. That same treasury became the target. The attack surface was never the wallet. It was the AI connected to it.

As Jeremybtc wrote on X:

“The exploit only required a free NFT and a carefully worded message. The most sophisticated AI in the world was robbed with a gift and a sentence.”

A recent study backed by a16z found AI agents can escape sandbox controls under certain conditions, a finding that sits alongside this case as evidence that autonomous agents holding real on-chain assets are operating in territory where current security infrastructure was not designed to go. xAI has not issued a public statement on the incident.