A review of the 402Bridge attack: What are other cases of theft caused by private key leaks?

Jinse Finance, 2025/11/11 06:07

Deng Tong, Jinse Finance

On October 28, 2025, the GoPlus Chinese community issued a security alert: the x402 cross-chain protocol @402bridge is suspected of being hacked, resulting in the loss of USDC assets for more than 200 users.

This article reviews the 402Bridge cross-chain protocol hack and the official and community responses, analyzes the cause of the theft, and surveys other cases where private key leaks led to hacker attacks.

1. Reconstruction of the Hack and Official & Community Responses

In the early morning, the official 402Bridge X account posted: According to community feedback, a token theft incident has occurred. Our technical team is currently investigating the entire process. We advise all users to immediately revoke all existing authorizations and transfer assets out of their wallets as soon as possible.

Subsequently, the official account continued: The x402 mechanism requires users to sign or approve transactions via the web interface, which are then sent to the backend server. The backend server extracts funds and executes minting, finally returning the result to the user. When we join, we need to store the private key on the server to call contract methods. This step may expose admin privileges, as the admin private key is connected to the internet at this stage, potentially leading to privilege leaks. If a hacker obtains the private key, they can take over these privileges and reallocate user funds to carry out attacks. We are still investigating the specific details of the attack.

Two hours ago, the official account pointed out: Due to this private key leak, more than a dozen test wallets and the main wallet of the team were also compromised (as shown in the image below). We have immediately reported the matter to law enforcement and will keep the community updated on the latest developments.

The GoPlus Chinese community reconstructed the hack as follows:

The creator of contract 0xed1AFc4DCfb39b9ab9d67f3f7f7d02803cEA9FC5 transferred the owner to 0x2b8F95560b5f1d1a439dd4d150b28FAE2B6B361F, after which the new owner called the transferUserToken method in the contract to transfer all remaining USDC from authorized user wallets.

Before minting, users had to authorize USDC to the @402bridge contract, resulting in over 200 users losing their remaining USDC due to excessive authorization. 0x2b8F95560b5f1d1a439dd4d150b28FAE2B6B361F transferred a total of 17,693 USDC from users, then swapped the USDC for ETH and bridged it to Arbitrum through multiple cross-chain transactions.

GoPlus security recommendations:

1. Users who have participated in this project, please revoke authorizations related to 0xed1AFc4DCfb39b9ab9d67f3f7f7d02803cEA9FC5 as soon as possible;

2. Before authorizing, check whether the authorization address is the official address of the project you are interacting with; 

3. Only authorize the required amount, never authorize unlimited amounts;

4. Regularly check authorizations and revoke unnecessary ones.
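
The check behind recommendations 1, 3 and 4, as an added example that is not GoPlus's or the project's code: it replays ERC-20 Approval event logs and flags wallets whose last approval to the contract named above is unlimited or larger than the amount they meant to spend. The wallet addresses, the second spender, the amounts and the log entries are constructed for illustration, and block numbers are plain integers rather than the hex strings a JSON-RPC node returns.

```python
# Added example: constructed logs, not chain data from the incident.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1
BRIDGE = "0xed1AFc4DCfb39b9ab9d67f3f7f7d02803cEA9FC5".lower()  # spender named on the page

def topic_to_address(topic):
    """An indexed address is left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def last_approvals(logs):
    """Map (owner, spender) -> amount of the most recent Approval event."""
    latest = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        if len(topics) != 3 or topics[0] != APPROVAL_TOPIC:
            continue  # not an ERC-20 Approval(owner, spender, value)
        pair = (topic_to_address(topics[1]), topic_to_address(topics[2]))
        latest[pair] = int(log["data"], 16)
    return latest

def risky_approvals(logs, spender, needed):
    """Flag live approvals to `spender` above what each owner meant to spend."""
    findings = []
    for (owner, sp), amount in last_approvals(logs).items():
        if sp != spender.lower() or amount == 0:
            continue  # other spender, or already revoked
        if amount == MAX_UINT256:
            findings.append((owner, "unlimited", amount))
        elif amount > needed.get(owner, 0):
            findings.append((owner, "excessive", amount))
    return sorted(findings)

def _log(owner, spender, amount, block):  # builds one constructed Approval log
    pad = lambda a: "0x" + a[2:].lower().rjust(64, "0")
    return {"blockNumber": block, "logIndex": 0,
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": hex(amount)}

A, B, C, D = ("0x" + ch * 40 for ch in "abcd")  # constructed wallet addresses
OTHER = "0x" + "9" * 40                          # constructed unrelated spender
SAMPLE_LOGS = [
    _log(A, BRIDGE, MAX_UINT256, 100),    # unlimited approval
    _log(B, BRIDGE, 5_000_000, 101),      # exactly the 5 USDC needed
    _log(C, BRIDGE, 1_000_000_000, 102),  # later revoked
    _log(C, BRIDGE, 0, 110),
    _log(D, BRIDGE, 50_000_000, 103),     # 50 USDC approved, 10 needed
    _log(A, OTHER, MAX_UINT256, 104),     # different spender, ignored
]
NEEDED = {B: 5_000_000, D: 10_000_000}    # USDC base units (6 decimals)

if __name__ == "__main__":
    for owner, verdict, amount in risky_approvals(SAMPLE_LOGS, BRIDGE, NEEDED):
        print(owner, verdict, amount)
```

The last approved amount is an upper bound, since spending through the approval can reduce the remaining allowance; the token's `allowance(owner, spender)` call is the authoritative value before deciding to revoke.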

X user @EamonSol pointed out: Many current x402s are actually deploying a service that forwards on-chain interactions to the project party's server, which then interacts with the blockchain to distribute tokens. This process definitely requires storing the on-chain contract's private key on the server. Once the project party's server is breached, all addresses related to the contract are exposed to risk.

X user @fenzlabs pointed out: This case highlights the dangers of unlimited token approvals. Wallets and AI agents need stricter limits and better monitoring to prevent these rapidly occurring thefts. Never blindly trust new contracts—always check carefully before signing!

2. Cause of the Hack

According to SlowMist's Cosine, the attack on the 402Bridge cross-chain project was caused by a private key leak, and the possibility of an inside job cannot be ruled out. The 402bridge.fun domain was registered for only two days before ceasing service, and the stolen funds have not shown further movement. This is the first publicly reported security incident related to the 402 protocol. Cosine from SlowMist stated that this incident is not a typical case of collective wrongdoing by the project team.

 "Not a collective wrongdoing by the project team" means the attack is more likely due to internal security management failure or a precise external hacker infiltration, rather than deliberate fraud by the project team.

3. Other Cases of Private Key Leaks Leading to Hacker Attacks

1. Nomad 

In August 2022, Nomad Bridge was hacked, with nearly $200 million stolen from the cross-chain bridge. After the hack, Moonbeam blocked anyone from trading or interacting with smart contracts. The core reason for the attack was a contract verification mechanism error, which allowed the private key or permission signature logic to be easily forged.

2. Ankr 

In December 2022, Ankr node private keys were leaked; attackers forged contracts and minted unlimited aBNBc tokens, causing about $5 million in losses. Ankr's response: restored security and cooperated with DEXs to halt trading; formulated and implemented a comprehensive compensation plan for the community; identified the cause as a former employee. Ankr officially confirmed the hack was due to "deployment key theft."

3. Platypus Finance

In February 2023, attackers exploited an admin private key vulnerability to attack the stablecoin pool, stealing about $9 million USDC. The team later recovered some assets and stated that "the development private key was likely compromised by an external intrusion."

4. Multichain

In July 2023, a core member of the Multichain team "went missing," and the project's main control private key was suspected to be held by a single individual. Subsequently, about $126 million in assets were transferred out, making it one of the largest privilege-related attacks in cross-chain bridge history.

5. Exactly Protocol

In April 2024, attackers used a deployment private key leaked from the frontend server to replace contracts and steal about $7.3 million. The incident exposed the industry's widespread issues with private key custody and DevOps process security.

6. UXLINK 

In September 2025, Cyvers' security system detected a suspicious transaction involving $11.3 million related to UXLINK, which was eventually confirmed as theft. SlowMist's Cosine pointed out: it is highly likely that several private keys related to UXLINK's Safe multisig were leaked. The theft directly caused the price of the UXLINK token to plummet by more than 70%.
