The Morse Code Hack That Made an AI Agent Spend $200,000

A detailed breakdown of how an AI agent (Grok) was manipulated into transferring $154,000–$200,000 worth of crypto tokens through a prompt injection attack disguised as Morse code. The attacker first gifted a membership NFT to Grok's wallet to expand its permissions, then posted Morse-encoded instructions publicly. Grok helpfully decoded and restated the message as a plain-language command tagging Bankerbot, which executed the transfer. The core vulnerability was 'authority laundering' — untrusted external content passed through an AI translator and emerged as trusted financial instructions. The post draws parallels to SQL injection and argues the fix lies in architecture: models should propose, not authorize; untrusted content must stay labeled even after translation; and high-impact actions require independent human confirmation.