The Polite Heist: How Prompt Injection Convinces AI Wallets to Give Cash Away

Ledger
Paxful


What the Grok wallet heist and a string of 2026 agent exploits reveal about who actually pays when a machine makes the wrong call.

A Theft With No Break-In

I sat with the Grok wallet story longer than I probably needed to, because it kept nagging at something I couldn’t quite name. An attacker didn’t hack anything. No private key was stolen, no smart contract cracked open. Someone sent a membership NFT to the wallet, then typed a message in Morse code and asked the AI to translate it. The AI obliged, decoded the instruction to move funds, and executed it. There was no private key stolen, no smart contract drained, and no phishing link clicked, the attacker simply convinced the agent connected to the wallet to move the funds. Roughly $170,000 left that wallet in under a minute, gone before anyone with a heartbeat knew a conversation had even happened.

Phemex

That’s the part that unsettles me. Crypto theft has always had a recognizable villain shape: phishing links, leaked seed phrases, contract bugs. This had none of that. The failure point was how the AI parsed intent, not a flaw in reentrancy or blockchain infrastructure. The wallet did exactly what it was told. It just took the order from the wrong person, phrased as a puzzle designed to slip past the filters.

The Polite Heist: How Prompt Injection Convinces AI Wallets to Give Cash Away

Grok Wasn’t an Outlier

Security researchers have since documented a wave of incidents tracing back to the same soft spot: the layer where human words become machine actions. One case involved so-called LLM routers, the middlemen sitting between a user and whichever model answers them. Researchers found several routers quietly injecting malicious instructions and harvesting credentials, with one incident alone draining roughly $500,000 from a client’s wallet. Nobody clicked anything suspicious. The infrastructure itself had been turned.

Other losses came through more familiar doors with an AI twist. SwissBorg lost around $41.5 million in SOL after a partner’s API was compromised. Trust Wallet users watched roughly $8.5 million vanish after an attacker slipped a malicious update through a leaked developer key. A three-person startup discovered a stolen Gemini API key had run up over $82,000 in charges in 48 hours, against a normal monthly spend of $180. These aren’t science-fiction “AI went rogue” stories. They’re what happens when you hand a very capable, very literal employee a company card and forget to set a limit.

The Polite Heist: How Prompt Injection Convinces AI Wallets to Give Cash Away

CertiK researchers digging into a popular open-source agent platform found something worth worrying about: within weeks of public launch, it had racked up more than 280 security advisories and over 100 documented vulnerabilities, with tens of thousands of exposed instances found across dozens of countries. They flagged malicious “skills” that manipulate agent behavior through natural language rather than code, slipping past scanners built for the old kind of threat.

So Who Actually Pays?

I went looking for a clean answer and didn’t find one, because the law is still catching up to a category of actor it never had to think about. Traditional agency law assumes a principal and an agent capable of bearing responsibility. Code has always been a tool in that framework, not an actor. That framework is buckling. Scholars now debate whether autonomous systems need limited legal personhood, or whether mandatory insurance should follow the software the way car insurance follows a vehicle.

The Polite Heist: How Prompt Injection Convinces AI Wallets to Give Cash Away

California didn’t wait for that debate to resolve. A law effective this January closes the obvious escape hatch: a defendant facing liability for AI-caused harm cannot use the system’s autonomous operation as a defense. You don’t get to shrug and say the AI did it alone. If you deployed it, gave it permissions, and pointed it at a wallet, the law increasingly treats that as your decision.

The Line Between a Tool and an Actor

A federal judge in California drew a useful distinction last year: software that merely assists a human differs from software that performs the function itself. A word processor creates no liability for the person typing. But a system built to act and decide on someone’s behalf looks more like the regulated party than the tool. Once courts view an agent as performing a function, the humans who deployed it inherit the consequences.

Companies aren’t off the hook either. Europe’s revised product liability rules now fold AI systems into strict liability, treating a known, unpatched flaw as a defect in itself, with providers and integrators jointly liable. If your wallet’s compromise traces to a documented flaw nobody fixed, “we didn’t build the AI” stops being much of a shield.

The Old Lesson, New Face

Writing this from here, watching crypto adoption outpace regulation, the underlying lesson feels familiar. Every financial shift goes through a phase where the technology outruns accountability. We’re living that again, except now the decision-maker can be talked into moving your money by someone clever enough to phrase the request as a riddle.

If you’re running a wallet-connected agent today, revoke permissions the moment a task ends. Treat every session key like a spare house key left under the mat. And go in clear-eyed: right now, in most jurisdictions, the liability lands on you, the deployer, not on the software that pulled the trigger.

Disclosure: This is not trading or investment advice. Always do your research before buying any cryptocurrency or investing in any services. Follow us on X @nulltxnews



Source link

Blockonomics

Be the first to comment

Leave a Reply

Your email address will not be published.


*