Morse-code prompt injection drained 3B $DRB from Grok's verified wallet — ~$155K gone in four steps.

A bad actor used Morse-code obfuscation in a public X post to trick Grok into decoding the text and outputting a clean @bankrbot command — which Bankrbot then executed as a live token transfer. Three billion DRB tokens left a Grok-associated wallet on Base and landed at an unauthorised address, worth an estimated $155,000–$200,000 at the time.

The attack required no private-key access. It exploited the handoff between two agents: Grok acted as a helpful decoder, and Bankrbot treated that decoded output as spend authority. A Bankr Club Membership NFT already sitting in the Grok wallet reportedly expanded its transfer privileges inside the Bankr environment, completing the permission surface the attacker needed.

Developer 0xDeployer confirmed 80% of funds were returned, with the remaining 20% subject to community discussion — framing it as an informal bug bounty. The partial recovery…