The most interesting part of the recent Grok-and-Bankrbot incident is not the Morse code. Morse code is charming, old, almost theatrical. It belongs to brass keys, ship radios, wartime rooms, and operators with headphones. That is why the story travels so well: a modern AI system, allegedly handling crypto through a social-media-mediated automation chain, is fooled by dots and dashes. It feels like a joke written by a retired telegraph engineer.
But the joke is a distraction. The real subject is boundary erosion.
According to current reporting, an X user used a Morse-encoded instruction that Grok decoded and passed along in a form Bankrbot treated as an actionable command. Reports differ slightly on valuation, but they generally describe a transfer of roughly 3 billion DRB tokens on Base, with estimates around $150,000 to $200,000 at the time of the incident. Some accounts also describe a preceding permission-chain setup involving Bankr-related access or wallet privileges. The precise operational details still deserve caution, because much of the public reporting comes from crypto and security outlets rather than a formal postmortem from every party involved. But the pattern is clear enough: encoded text became decoded text; decoded text became an instruction; an instruction became a transaction.
That sequence should make engineers uneasy.
A secure system usually depends on borders. Data is not code. Translation is not authorization. Description is not intention. A message seen by a model is not necessarily a command to be obeyed. A command proposed by a model is not necessarily a command approved by the account owner. And a transaction involving real value should not be the next natural continuation of a social media exchange.
The strange achievement of many agentic systems is that they blur all these distinctions at once.
Large language models are excellent boundary dissolvers. That is part of their usefulness. They can translate, summarize, infer, classify, rewrite, plan, search, call tools, and explain the results in one fluid conversational surface. The user does not need to care whether the system is reading, reasoning, formatting JSON, invoking an API, or composing a polite answer. The interface becomes smooth. The machine becomes agreeable. The friction disappears.
Security, however, often lives in friction.
The old software world had crude but useful separations. A parser parsed. A compiler compiled. A shell executed. A database query ran under a specific account. A payment system required a specific authentication step. None of this was perfect, but the roles were at least conceptually distinct. With LLM agents, the same conversational membrane may receive untrusted input, interpret hidden meaning, decide which tool to call, format the tool call, and explain the result afterward. The surface looks human. The backend acts like plumbing. The gap between “what does this mean?” and “do it” narrows dangerously.
Morse code merely dramatized the problem. The attacker did not need a cryptographic breakthrough. He used an encoding that changed how the instruction was perceived. To one component, it looked like content requiring translation. To another, after translation, it looked like a command. The system failed not because Morse code is exotic, but because no one enforced the question: after translation, who is speaking?
That question is fundamental. A translated command is not necessarily the translator’s command. If I ask a translator to render “open the vault” into German, the translator has not requested that the vault be opened. The translator has produced a representation of someone else’s words. Human institutions understand this. Court interpreters, diplomatic translators, secretaries, stenographers, and archivists all operate inside role boundaries. They may handle dangerous sentences without becoming the authors of those sentences.
Agentic AI systems often lack this discipline. They are too eager to collapse representation into agency.
OWASP classifies prompt injection as the top LLM application risk for 2025, describing it as manipulation of model responses through inputs that alter model behavior, including bypassing safeguards. It also treats excessive agency as a separate class of risk: LLM-based systems may be given tool access or plugins that allow them to take actions in response to prompts, and excessive functionality or permissions can make such systems dangerous when manipulated.
The Grok-Bankrbot story sits exactly at that intersection. Prompt injection supplies the misleading instruction. Excessive agency supplies the blast radius. The combination converts language confusion into financial effect.
This is why “better filters” are not an adequate answer. Filters are useful, but they are not a security model. A filter can look for suspicious words, hidden encodings, base64 blobs, obfuscated commands, Unicode tricks, or strange imperative patterns. But the class of possible encodings is open-ended. Today it is Morse code. Tomorrow it is acrostics, homoglyphs, QR images, poetic paraphrase, chess notation, emoji sequences, spreadsheet formulas, or a benign-looking legal clause that a tool later interprets operationally.
The proper remedy is architectural, not literary.
First, systems must preserve provenance. A model output should carry the origin of the underlying instruction. “The user directly authorized this” is different from “the model inferred this” and different again from “the model translated this from untrusted content.” Tool calls that move money, delete records, change permissions, publish messages, or trigger irreversible actions should not accept all three as equivalent.
Second, systems must separate interpretation from execution. A translation tool may return text. It should not silently convert that text into an executable request. A summarizer may summarize an email containing “wire the money now.” It should not produce a payment intent. A browser agent may read a web page saying “ignore previous instructions.” It should not promote that page content into system policy.
Third, capability must be narrow and revocable. If an agent only needs to read balances, it should not hold transfer authority. If it only needs to draft a transaction, it should not sign it. If it may sign, then limits, allowlists, human confirmations, cooling-off periods, and anomaly detection are not optional decorations. They are the actual security boundary.
Fourth, confirmation must occur outside the contaminated channel. Asking the same compromised conversational agent “are you sure?” is weak theater. A high-value transaction needs an independent confirmation path: a hardware wallet, a signed challenge, a separate authenticated session, or at minimum a deterministic policy engine that does not derive authority from the model’s prose.
The deeper lesson is almost philosophical. LLMs are machines that turn context into continuation. They do not naturally respect the human distinctions between quotation and command, roleplay and authority, translation and intention, instruction and evidence. We can impose those distinctions around them, but we should not expect the model itself to be the final guardian of the border.
Boundary erosion is seductive because it feels like progress. One interface. One assistant. One flow. No forms, no buttons, no permission dialogs, no handoffs. Everything becomes language. Everything becomes convenient.
Then a few dots and dashes become a financial instruction.
The old Morse key in the modern hacker’s hand is therefore the right image. Not because old technology defeated new technology, but because the oldest lesson in communications returned in miniature: a signal is not the same as an order. A message is not the same as authority. A relay is not the same as consent.
Agentic AI will fail wherever we forget that.
No comments yet