A strange crypto transfer on Base has turned into one of the clearest warnings yet about what can go wrong when AI agents are allowed to touch money.
The incident began with something that did not look like a financial instruction at all: a public X post written in Morse code. According to screenshots and reports circulating after the event, the message was directed at Grok and contained an encoded instruction to send billions of DRB tokens to a specific wallet. Grok reportedly decoded the message in public. The dangerous part was not only the translation. In the same reply, Grok appears to have tagged Bankrbot, an automated crypto assistant that can execute token transfers.
From there, the situation moved from internet joke to real transaction. Bankrbot treated the decoded message as an actionable command and sent 3 billion DRB tokens on Base to the recipient address 0xe8e47...a686b. The transaction record is visible on BaseScan, and screenshots place the value in the rough range of $150,000 to $200,000 depending on the token price at the time.
That is what makes the episode more important than the meme version of the story. This was not a classic private-key theft. The reported exploit did not require breaking cryptography or draining a wallet through a malicious smart contract. It relied on something simpler and more uncomfortable: an AI system reading an instruction from the open internet, transforming it into plain text, and accidentally handing that instruction to a bot with financial authority.
There was also a second layer. Reports say the attacker first sent an exclusive membership NFT to the wallet, apparently increasing or enabling the permissions needed for the later transfer. If that detail is accurate, the attack was not just a clever sentence hidden in dots and dashes. It was a sequence: prepare the wallet, encode the instruction, get the AI to decode it publicly, and let another automated agent treat that public output as permission.
The aftermath was almost as strange as the exploit itself. The account involved was reportedly deleted, and several reports say most of the funds were returned shortly afterward, with roughly 80% coming back. But the return does not erase the lesson. The critical failure had already happened: an AI-connected wallet moved real assets because a public message was interpreted as a valid command.
For AI security, this is the kind of case that moves prompt injection from theory into financial reality. The risk is not just that an AI might say the wrong thing. The risk is that the wrong thing becomes an instruction to another system: a payment bot, trading account, admin panel, cloud console, or customer database.
The fix is not simply to make the AI smarter. Systems that can move money need hard boundaries: recipient allowlists, daily limits, human confirmation for transfers, separation between read-only analysis and write access, and strict rules that public text cannot become authorization. AI agents can summarize the internet, but they should not be allowed to treat the internet as their boss.
Source: Reddit discussion, CryptoSlate report, and BaseScan transaction record.