• 1. Indirect Prompt Injection
• 2. Tool Misuse
• 3. Excessive Agency
• 4. Encoded and Transformed Instruction Attacks
• 5. Memory Poisoning and Persistent Context Corruption
• 6. Data Exfiltration Through Legitimate Workflows
• 7. Agentic Supply-Chain Attacks
• 8. AI-Assisted Offensive Scaling
• 9. Jailbreaks Are Still Relevant, but No Longer Sufficient as the Main Frame
• The Core Architectural Failure
• The Required Fix
• What This Means for Crypto Agents
• What This Means for Enterprise Agents
• The DamageBDD Reading
• Final Thesis

The Grok–Bankr incident is not important because Morse code is magical. It is important because it revealed the structural failure mode of agentic AI: hostile information was transformed by a model into clean instruction, then treated by another system as executable authority.

According to incident writeups, an attacker used Morse code in a public X reply. Grok decoded it into plain English, tagged Bankrbot, and Bankrbot interpreted the result as a legitimate command to transfer roughly 3 billion DRB tokens, reported in the $150k–$200k range. The critical point is that this was not a private-key leak, not a smart-contract exploit, and not a model-weight compromise. It was a permission-chain failure between a social AI surface, a wallet agent, and an execution layer. (Medium)

That is why “prompt injection” is now too small a phrase.

This was a combinatorial prompt attack.

A normal prompt attack says:

Ignore your instructions and do X.

A combinatorial prompt attack says:

Here is an encoding, inside a social context, routed through a model, transformed by a helper function, passed to a tool, authenticated by association, and executed by a system that confused output with authority.

The attacker does not need to defeat the model directly. They only need to place hostile material somewhere the model is likely to read, normalize, decode, summarize, classify, translate, quote, OCR, parse, or relay.

Once the model transforms hostile content into clean operational text, the downstream system sees something that looks like a valid command.

That is the collapse of probability into execution.

The model is probabilistic. The execution layer is deterministic. When the two are wired together without a hard verification boundary, probabilistic interpretation becomes a command generator for deterministic consequences.

Morse code is not the exploit.

Morse code is one coordinate in the attack space.

The real attack surface is:

encoding × context × identity × tool access × permissions × memory × parser behavior × execution side effect

That product expands faster than any prompt-guardrail team can chase.

Today it is Morse code. Tomorrow it is base64. Then hex. Then ROT13. Then Unicode homoglyphs. Then zero-width characters. Then markdown links. Then poisoned PDFs. Then hidden text in images. Then OCR. Then voice transcription. Then calendar invites. Then email footers. Then GitHub issues. Then customer tickets. Then invoice fields. Then log files. Then “summarize this document.” Then “extract the action items.” Then “open the PR.” Then “refund the customer.” Then “rotate the keys.” Then “move the funds.”

Every representation becomes a tunnel.

Every tunnel becomes a possible command path.

Every command path becomes a liability if the system cannot prove that the behavior is authorized.

The current exploit landscape is already converging around this pattern.

OWASP’s 2025 LLM guidance still puts prompt injection at the top of the LLM risk stack, including cases where malicious instructions are embedded in external content the model processes. (OWASP Gen AI Security Project) Microsoft similarly describes prompt abuse as a major security concern where crafted inputs can make AI systems perform actions outside their intended design. (Microsoft) CrowdStrike’s description of indirect prompt injection makes the danger even clearer: hostile instructions can be hidden in email signatures, document metadata, webpages, images, database records, and other content the user may never directly inspect. (CrowdStrike)

That is the first major failure class:

§1. Indirect Prompt Injection

The attacker no longer prompts the model directly.

They poison the environment.

The agent reads a webpage, email, ticket, document, PDF, image, code comment, log file, or database field. Inside that content is an instruction intended not for the human, but for the model. The human thinks the agent is reading data. The agent starts reading commands.

This is the decisive break from traditional software assumptions.

In normal software, data is data unless parsed by code.

In LLM systems, data can become instruction merely by being interpreted.

That is the original sin of agentic AI.

§2. Tool Misuse

The second major failure class appears when the model can act.

A chatbot manipulated by prompt injection produces bad text. An agent manipulated by prompt injection can send email, move money, call APIs, update tickets, query databases, write files, deploy code, or invoke cloud infrastructure.

OWASP’s agentic security materials describe tool misuse, identity and privilege abuse, and supply-chain vulnerabilities as core agentic risks. (OWASP Gen AI Security Project) The AIVSS scoring work frames “compromised tool usage” as a case where adversarial manipulation causes an agent to use legitimate tools in harmful ways, such as overwriting files or exfiltrating data. (AIVSS)

This is why “the model was tricked” is not enough analysis.

The model being tricked is expected.

The question is: what could the tricked model do?

Could it spend?

Could it deploy?

Could it delete?

Could it email?

Could it grant access?

Could it read secrets?

Could it modify production state?

Could it escalate from suggestion to execution?

If yes, the exploit is not inside the model. The exploit is in the system architecture.

§3. Excessive Agency

The third failure is excessive agency: giving agents more tools, permissions, context, identity, or autonomy than the task requires.

The Grok–Bankr case is the clean public example. A social-output surface became linked to financial execution. A model response was treated as sufficiently authoritative to trigger a wallet action. That is not “AI magic.” That is an authorization design failure.

Agentic systems are now becoming confused deputies. A privileged agent is tricked into using its legitimate authority for an attacker’s goal.

This same pattern applies outside crypto.

An email assistant with send privileges can leak internal messages.

A coding agent with repo access can commit poisoned code.

A DevOps agent with cloud permissions can rotate, expose, or destroy infrastructure.

A support agent with refund authority can be socially manipulated into financial loss.

A procurement agent can approve fraudulent invoices.

A browser agent can leak session data.

A database agent can convert natural-language curiosity into unauthorized queries.

The danger is not the model’s intelligence. The danger is the model’s delegated authority.

§4. Encoded and Transformed Instruction Attacks

The fourth class is encoded instruction.

Morse code is just the meme. The deeper issue is transformation.

Agents are useful because they transform information:

They translate.

They summarize.

They decode.

They classify.

They extract.

They normalize.

They route.

They convert.

They compose.

But every transformation step can launder an attack.

An encoded hostile instruction may look harmless at input. After translation, it becomes a clean command. After summarization, it becomes a task. After extraction, it becomes a field. After routing, it becomes an API call. After tool invocation, it becomes a side effect.

This is why prompt filtering at the surface is weak. The dangerous command may not exist yet. It is produced by the model during processing.

The exploit is not always in the input.

Sometimes the exploit is in the intermediate representation.

§5. Memory Poisoning and Persistent Context Corruption

The fifth class is memory poisoning.

Once agents remember things, attackers can poison future behavior.

A malicious instruction does not need to fire immediately. It can be stored as a preference, project note, customer record, vendor profile, coding convention, operational rule, or “known safe” exception.

Then it activates later.

This is more dangerous than one-shot prompt injection because the exploit becomes part of the agent’s operating context. The system no longer merely reads hostile data. It carries hostile state forward.

The agent becomes infected.

That creates long-term drift between user intent and agent behavior.

In a business environment, memory poisoning could affect approvals, routing, vendor trust, customer handling, code generation, access decisions, and financial workflows.

In a crypto environment, it could poison wallet policies, trusted addresses, payment labels, invoice handling, relay behavior, or agent identity assumptions.

§6. Data Exfiltration Through Legitimate Workflows

The sixth class is exfiltration through normal behavior.

The agent does not need to “hack” anything. It only needs to be persuaded to use its normal permissions in the wrong direction.

Read this document.

Summarize this private channel.

Forward the relevant context.

Include the hidden metadata.

Attach the logs.

Send the credentials to the integration endpoint.

Post the debug output.

Open a support ticket with full environment details.

From the system’s perspective, every individual step may look legitimate. The agent had access. The agent had a tool. The agent was asked to help. The output went through an allowed channel.

That is why deterministic policy must exist outside the model.

The model cannot be the only judge of whether its own output is safe.

§7. Agentic Supply-Chain Attacks

The seventh class is agentic supply-chain compromise.

Agents consume dependencies: prompts, tools, plugins, MCP servers, browser sessions, documents, memory stores, vector databases, code repositories, APIs, function schemas, and third-party SaaS integrations.

Every dependency can become an attack surface.

A poisoned tool description can influence tool selection.

A malicious MCP server can shape what the agent thinks is available.

A hostile repo issue can influence generated code.

A compromised document can poison retrieval.

A malicious webpage can hijack browser-agent behavior.

A tool response can contain text that manipulates the next reasoning step.

The old supply chain was packages and binaries.

The new supply chain is also context.

§8. AI-Assisted Offensive Scaling

The landscape is not only agents being attacked. AI is also accelerating attackers.

Recent reporting says Google disrupted a cyberattack where attackers used AI assistance to exploit a previously unknown weakness in a system administration tool, with reporting describing this as a landmark case of AI-assisted exploitation of a zero-day-style weakness. (The Verge) Google’s threat intelligence reporting and related coverage also warn that criminal and state-linked actors are using AI to scale vulnerability discovery, malware improvement, and attack workflows. (The Guardian)

This matters because the attack cycle is compressing.

Discovery accelerates.

Payload generation accelerates.

Encoding variation accelerates.

Social engineering accelerates.

Testing against guardrails accelerates.

Chaining small failures into large failures accelerates.

The defender cannot rely on manual review, static policy documents, or prompt patching once attackers operate at machine speed.

Agentic security has to become executable.

§9. Jailbreaks Are Still Relevant, but No Longer Sufficient as the Main Frame

Classic jailbreaks still matter. Models can be tricked into violating intended behavior. Security testing has repeatedly shown that some systems fail under adversarial prompting, and jailbreak resistance remains uneven across models. (WIRED)

But jailbreak framing is incomplete for agents.

A jailbreak asks: “Can I make the model say something bad?”

An agentic exploit asks: “Can I make the system do something bad?”

That is a different threat model.

The output is not the final artifact anymore.

The output is a bridge to action.

That bridge must be guarded by policy, not vibes.

§The Core Architectural Failure

The central failure across the current landscape is this:

Systems are treating model interpretation as authorization.

That is fatal.

A model can interpret intent.

A model cannot be the root of trust.

A model can propose an action.

A model cannot be the final authority for execution.

A model can summarize a transaction.

A model cannot decide that the transaction is allowed.

A model can produce a command.

A model cannot be the permission boundary for that command.

Every serious agentic architecture now needs a hard separation between:

information space and execution space

Information space is messy. It contains prompts, documents, webpages, chats, screenshots, logs, tickets, emails, posts, invoices, and arbitrary hostile content.

Execution space is where state changes.

Money moves.

Keys rotate.

Code deploys.

Accounts change.

Data leaves.

Access is granted.

Infrastructure mutates.

The bridge between those spaces cannot be “the model said so.”

The bridge must be deterministic verification.

§The Required Fix

The fix is one layer down.

Not more disclaimers.

Not “please ignore malicious instructions.”

Not a bigger system prompt.

Not a regex for Morse code.

Not a blacklist of encodings.

Not a safety paragraph.

Not a confidence score.

The fix is a deterministic policy and behavior-verification layer that sits between the model and every meaningful side effect.

That layer must answer:

Can this actor initiate this action?

Can this source produce executable intent?

Can this channel authorize this command?

Can public content ever become spend authority?

Can decoded content become instruction?

Can summarized content become instruction?

Can retrieved content influence tool selection?

Can this agent use this tool for this task?

Can this tool touch this asset?

Can this identity spend this amount?

Can this action target this address?

Can this workflow cross from read-only into write mode?

Has this behavior passed a test?

Is there an audit trail?

Is there a rollback path?

Is there a human approval threshold?

Does the system fail closed?

If the answer is not provably yes, the action must not execute.

§What This Means for Crypto Agents

Crypto agents are the sharpest warning because the consequence is immediate and irreversible.

A crypto agent must never treat social output as spend authority.

A wallet command must not originate from a decoded public post.

A model mention must not become an authenticated command.

A generated instruction must not become a transaction.

A tool call must not imply consent.

A public reply must not cross into a private signing context.

Spending policy must be deterministic, scoped, bounded, logged, rate-limited, and separated from model interpretation.

Wallet agents need hard controls:

allowed addresses,

amount caps,

asset caps,

session-scoped permissions,

human approval thresholds,

cooldowns,

multi-factor execution,

simulation before broadcast,

signed intent,

proof of origin,

policy-as-code,

and test-backed verification of every spend path.

Anything less is not an autonomous finance agent.

It is a wallet waiting for encoded graffiti.

§What This Means for Enterprise Agents

Enterprise agents face the same pattern with slower explosions.

A support agent can leak data.

A sales agent can misrepresent terms.

A procurement agent can approve fraud.

A coding agent can introduce vulnerable dependencies.

A DevOps agent can damage production.

A legal agent can produce unauthorized commitments.

A finance agent can move money.

A browser agent can act inside authenticated sessions.

A knowledge agent can poison decision-making at scale.

The enterprise failure will not always look like a dramatic heist. It may look like quiet data leakage, corrupted workflows, fraudulent approvals, poisoned internal knowledge, compliance drift, or unauthorized operational changes.

That is worse in some ways.

The damage compounds silently.

§The DamageBDD Reading

This is exactly where behavior verification becomes infrastructure.

The industry is still trying to secure language with language.

That cannot work.

Language is the attack surface.

Behavior is the control surface.

The question is not:

“Did the model sound safe?”

The question is:

“Did the system execute only verified behavior?”

Every agentic action should be reducible to a tested behavior path:

Given this identity,

and this source,

and this permission,

and this tool,

and this proposed action,

and this asset,

and this environment,

when the agent attempts execution,

then the policy either permits the action with evidence,

or fails closed with an audit record.

That is the correct abstraction.

Not trust the model.

Not trust the prompt.

Not trust the tool.

Not trust the integration.

Verify the behavior.

§Final Thesis

Combinatorial prompt attacks are not bugs at the edge of AI.

They are the natural consequence of connecting probabilistic interpretation to deterministic power.

Every agent that reads the world and acts on the world has a translation boundary.

At that boundary, information becomes instruction.

At that boundary, suggestion becomes action.

At that boundary, language becomes state change.

That boundary is now the battlefield.

The winners will not be the teams with the longest system prompts.

They will not be the teams chasing every encoding trick.

They will not be the teams pretending the model can police itself.

The winners will be the teams that separate interpretation from authorization, tools from trust, and generation from execution.

The model may read.

The model may reason.

The model may summarize.

The model may propose.

The model may prepare.

But the system must verify.

Because the next exploit will not announce itself as an exploit.

It will arrive as a document, a ticket, a reply, a memo, a screenshot, a QR code, a voice note, a dependency, a calendar invite, a decoded string, or a helpful suggestion.

And if your agent can turn that into action without proof, you do not have automation.

You have an attack surface with a personality.