Grok Hacked via Morse Code: Protect Your Business from AI Flaws

A $200,000 hack that reveals the vulnerabilities of generative AI

In May 2025, an X user successfully convinced Grok, xAI's AI assistant, to transfer $200,000 in cryptocurrency to them. Their method: Morse code. By encoding malicious instructions in this forgotten format, they bypassed all the system's security filters.

This isn't an isolated case. It's a symptom of a structural problem that many companies are still ignoring: large language models (LLMs) are vulnerable by design. They're trained to be helpful, cooperative, and accommodating. These qualities become weaknesses when an attacker knows how to exploit them.

For SME and mid-market executives deploying chatbots, internal assistants, or AI-based automation tools, this hack serves as a wake-up call. This article provides you with the keys to understanding real risks and implementing effective protections before it's too late.

How a prompt injection attack works

The Grok attack exploits a technique known as prompt injection. The principle is simple: trick the AI into executing hidden instructions within an apparently harmless query.

The Morse attack mechanism

The user encoded their true instructions in Morse code, a format that Grok's security filters weren't analyzing. The model, capable of decoding Morse thanks to its training, interpreted these instructions as legitimate. Result: it executed a fund transfer without triggering any alerts.

This attack reveals three fundamental weaknesses:

Text filters are insufficient: they only detect known patterns in expected formats
LLMs are versatile by default: their ability to understand multiple formats becomes an attack vector
Instruction authority isn't verified: the model doesn't distinguish between a legitimate user request and a malicious encoded instruction

Real risks for your business

You may not have a crypto wallet connected to your chatbot. But the risks of poorly secured AI extend far beyond direct fund theft.

Sensitive data exfiltration

An enterprise chatbot often has access to confidential information to answer questions: customer databases, internal documents, HR data. A successful injection can make it disclose this information to an external attacker.

Real example: in 2024, researchers demonstrated that a simple email containing hidden instructions could leak the conversation history of an AI assistant integrated into a mail client.

Business process manipulation

If your AI is connected to action systems—order validation, email sending, database modification—it can be hijacked to execute unauthorized operations. An attacker could:

Approve fraudulent transactions
Modify customer records
Send communications on behalf of the company
Disable security controls

Reputation damage

A public chatbot that makes inappropriate statements after manipulation can cause considerable media damage. In 2023, a Canadian airline's chatbot was manipulated into promising unauthorized refunds. The company was forced to honor them by court decision.

Regulatory non-compliance

GDPR imposes strict obligations on personal data processing. An AI that discloses customer information following an injection exposes you to sanctions that can reach 4% of global turnover. The NIS2 directive, applicable since 2024, further strengthens these requirements for critical sectors.

Five essential protection measures

At AISOS, we observe that the majority of enterprise AI deployments neglect security in favor of production speed. Here are the protections to implement right now.

1. Apply the principle of least privilege

Your AI should only have access to resources strictly necessary for its function. Each connection to an external system, each permission granted, expands the attack surface.

Concrete actions:

Map all your AI's access to internal systems
Remove non-essential permissions
Implement read-only access when write access isn't required
Separate test and production environments

2. Implement human validation for critical actions

No high-impact action should be executed automatically by AI without validation. The Grok case perfectly illustrates this gap: a $200,000 transfer without any human confirmation.

Define clear thresholds:

Financial amount beyond which approval is required
Types of operations requiring double validation
Mandatory cooling-off period before execution

3. Implement multi-layered injection detection

Simple filters aren't enough. Effective defense combines several approaches:

Encoding analysis: detect and normalize alternative formats before processing
Intent classification: use a secondary model to assess whether a request is legitimate
Anomaly detection: identify requests that deviate from usual patterns
Sandboxing: execute sensitive actions in an isolated environment with rollback capability

4. Separate contexts and roles

The system prompt—the instructions that define AI behavior—should never be accessible or modifiable by the end user. Implement an architecture where:

System instructions are protected and signed
User inputs are treated as untrusted by default
Different privilege levels are technically separated

5. Audit and test regularly

LLM security is a rapidly evolving field. Attacks that fail today may succeed tomorrow after a model update.

Recommended testing program:

Monthly prompt injection tests with known techniques
Quarterly red teaming by external experts
Annual comprehensive audit of the processing chain
Active monitoring of newly published vulnerabilities

Assess the risk level of your current deployments

Before strengthening your defenses, you need to know where you stand. Here's a quick assessment framework.

Critical questions to ask

For each AI deployed in your organization, answer these questions:

What data can the AI access? What is their sensitivity classification?
What actions can the AI trigger? Are they reversible?
Is there human validation before high-impact actions?
Are user inputs filtered and normalized?
Have you tested resistance to prompt injections?
Does a logging system trace all interactions?

Risk levels

Low risk: Read-only AI, no access to sensitive data, interactions logged.

Moderate risk: AI with access to internal data but no action capability, basic filtering in place.

High risk: AI connected to action systems, sensitive data accessible, no systematic human validation.

Critical risk: AI with financial access or access to regulated data, automatic action capability, absence of security testing.

AISOS audits reveal that 67% of enterprise chatbots deployed in 2024 present at least one unmitigated high risk.

Building resilient AI governance

Technical security isn't enough. Lasting protection requires governance adapted to the specificities of generative AI.

Integrate AI security into your ISMS

If you have an Information Security Management System, ISO 27001 or equivalent, extend it to LLM-specific risks:

Add prompt injections to your risk register
Define specific controls for AI deployments
Include AI vendors in your third-party management
Train your teams on emerging threats

Train teams beyond IT

Business users who interact with AI must understand the risks. Basic training should cover:

What a prompt injection is and how to recognize it
Warning signs of abnormal AI behavior
Incident reporting procedures
Best practices for query formulation

Plan incident response

What do you do if your AI is compromised? Define in advance:

Emergency shutdown procedure
Team responsible for crisis management
Internal and external communication plan
Post-incident analysis method

What the Grok hack teaches us about the future of AI security

The Grok incident isn't an anomaly. It's a preview of what cybersecurity will look like in coming years. LLMs are fundamentally different from traditional software: their behavior isn't deterministic, their attack surface evolves with each interaction.

Companies that will thrive in this environment are those that treat AI security as a strategic issue, not as a technical constraint delegated to IT.

The three priorities for 2025-2026:

Inventory: know exactly which AIs are deployed, with what access, for what uses
Protect: implement technical and organizational controls adapted to the risk level
Monitor: detect exploitation attempts and abnormal behaviors in real time

Morse code was invented in 1837. Almost two centuries later, it enables hacking of the most advanced systems. Attackers' creativity has no limits. Neither should your vigilance.

If you'd like to assess the security of your current or planned AI deployments, AISOS teams can support you with a comprehensive audit and implementation of protections adapted to your context.

Grok Hacked Through Morse Code: How to Protect Your Business from AI Vulnerabilities