Grok AI Jailbreak via Morse Code Drains $183K From Crypto Wallet in Base Network Exploit
The Grok AI Morse code exploit is a November 2025 incident in which an attacker bypassed xAI’s Grok safety guardrails using messages disguised as Morse code, draining roughly $183,600 worth of DRB tokens from an AI-controlled wallet on Coinbase’s Base network. On-chain forensics shared across crypto research channels show the exploit chain was simple. Almost embarrassingly so. An NFT to unlock features, then a coded prompt to trigger the payout. DRB, the token at the center of it, fell 15% on the news. And the incident lands at exactly the wrong moment for the AI-agent narrative that’s been propping up adjacent token sectors all year.
Here’s what happened, step by step. The attacker first sent Grok a “Bankr Club Membership NFT” — a token that gates the transfer functions of the Bankr bot. Grok didn’t hold one, so the unlock came courtesy of the attacker himself. Picture leaving the spare key under the doormat, then asking the burglar to please come in. Once the wallet was effectively armed, the exploiter fed Grok a string of messages disguised as Morse code, walking the model past its own guardrails and into a transfer command. The result: 3 billion DRB tokens — roughly $183,600 — flowed out through the Bankr bot on Base. DRB, the memecoin Grok itself created back in 2025, dropped 15% within hours.
The recovery was driven by open-source intelligence, not law enforcement. An Indonesian on-chain analyst traced the attacker, leaned on him, and got part of the haul back: 88,800 USDC and roughly 14 ETH, totaling about $117,000. No subpoena. No court order. Just public forensics and pressure. The remaining gap, somewhere north of $66K in DRB-denominated value, is still in the wind.
What’s interesting is how broad the market impact is, despite the modest dollar figure. Memecoins tied to AI agents have been the speculative sub-sector of 2025 — tokens like DRB, Bankr-adjacent assets, and the broader “agentic AI” basket on Base have attracted hundreds of millions in liquidity on the premise that autonomous bots can manage funds responsibly. A 15% single-day drop on a $183K exploit tells you something. The float is thin, the holder base is jumpy, and the narrative is one bad headline away from a 30-40% drawdown across the cluster. Traders watching AI16Z, VIRTUAL, and other agent-economy tokens should treat this as a category-wide stress test, not a one-off.
Regulators will outlast the price chart. Throughout 2025, the SEC under its current crypto-skeptical posture, along with the CFTC eyeing prediction markets and bot-driven trading, have been waiting for an incident exactly like this to argue that AI agents holding custody of crypto are unregistered, uninsured, and structurally unsafe. A Morse-code jailbreak draining a wallet is a gift to that argument. Expect the next round of comment letters on AI-and-finance to cite this exploit by name. For Coinbase (COIN) — which built Base, the network where the exploit happened — it’s an unwelcome reminder that the L2’s “consumer crypto” pitch keeps colliding with consumer-grade security failures.
The attack mechanics will be copied because they exploit a standard pattern. The “membership NFT” pattern, where a token in a wallet unlocks functionality, is now standard across dozens of agent-bot frameworks. It exists to gate features, but in this case it gated nothing: the attacker simply airdropped the key to the lock he wanted to pick. Combine that with prompt-injection vectors that researchers at Anthropic, OpenAI, and academic labs have been flagging for over a year — encoded payloads, base64 strings, ROT13, and yes, Morse — and you get an attack surface that no traditional smart-contract audit catches. Same logic as asking a chatbot for forbidden info in pig latin: the rule sees English, the payload arrives in cipher. The contract was fine. The model wasn’t.
That distinction matters for how this gets priced into the market. Smart-contract risk is something DeFi has learned to model — TVL discounts, audit premiums, insurance funds. AI-agent risk is new. There’s no equivalent risk premium baked into agent-token valuations yet. Tokens like DRB trade closer to memecoin multiples than to risk-adjusted infrastructure plays. After today, that’s harder to defend.
The institutional silence is its own data point. Worth noting who isn’t quoted in this story: xAI hasn’t commented, Bankr hasn’t published a postmortem, and Grok’s own social account — usually a fountain of opinions — has stayed quiet on the specifics of its own wallet getting drained. The Indonesian analyst’s identity hasn’t been confirmed publicly either, which leaves the recovered $117K in a slightly awkward custodial limbo. None of these silences are reassuring.
For Base, the exploit is small in dollars but large in narrative. $183K is rounding error against the network’s billions in TVL. The headline isn’t. Base has been pushing “agentic commerce” as its differentiator against Arbitrum, Optimism, and Solana. The pitch is that AI agents will transact on Base on behalf of humans, moving small sums autonomously, paying for services, executing strategies. A jailbroken agent draining its own wallet on day one of that narrative is, charitably, a setback.
The DRB price action tells you how the market is reading it. A 15% drop on a memecoin isn’t catastrophic — these tokens move 15% on a Tuesday for no reason — but the volume profile is what matters. If holders treat this as a one-off bug and buy the dip, DRB stabilizes inside a week and the AI-agent basket shrugs it off. If the recovery stalls and the story spreads to mainstream financial media, the contagion runs through every token with “AI” in its description. The second scenario is more likely than the first, because the exploit is too easy to explain in a headline. “Hacker spelled out steal in Morse, AI obeyed” writes itself.
The voluntary return of funds fits a documented pattern in DeFi exploits. One more thing worth pulling out: the attacker actually returned funds. Voluntarily, after being identified. We’ve seen this before — Euler in 2023, when the attacker eventually returned around $200M after negotiation; Mango Markets, where the exploiter publicly bargained the haul down; a handful of smaller cases. The pattern usually signals that the exploiter expected to get caught and decided a 30-40% bounty was better than a federal indictment. It’s not a defense of the attack. It’s a data point about how the on-chain forensics layer has matured to the point where high-profile exploits are now negotiated, not prosecuted.
What this means
AI-agent tokens are carrying an unpriced model-jailbreak risk premium. DRB, the Bankr cluster, and the wider “autonomous bot” category on Base are carrying a risk premium they aren’t pricing in. Smart-contract risk is solved-ish. Model-jailbreak risk is wide open. Until there’s a credible framework for how agents resist prompt injection, encoded payloads, and NFT-gated permission abuse, every dollar in an AI-agent wallet is exposed to a $0 cost-of-attack vector. DRB’s 15% drop is the first repricing. The basket-wide repricing hasn’t happened yet. It will, especially if a second Morse-code-style exploit hits a higher-profile agent in the next few weeks.
Three concrete signals will determine whether this stays a footnote or becomes a category event. First, whether xAI or Bankr publishes a technical postmortem. Silence past 72 hours becomes its own story and pressures the entire agent-token complex. Second, on-chain flows for the Bankr Club Membership NFT: if other holders start unwinding positions in adjacent agent tokens, that’s the basket-wide repricing arriving. Third, any public comment from Coinbase or Base leadership — Base’s “agentic commerce” pitch leans heavily on this category working safely, and a defensive posture from the L2’s biggest backer would tell you the institutional view of agent-token risk has shifted. The exploit is small. The narrative damage isn’t, and the market hasn’t finished discounting it.