402Bridge, a recently launched cross-chain payments project, has fallen victim to a hack that drained roughly $17,000 in USDC from user wallets. Blockchain security firm PeckShieldAlert flagged the exploit—which affected over 200 users—just days after the platform’s debut and the rollout of its x402 payment protocol. The incident has renewed concerns over how decentralised projects handle private key management and user transaction security.
According to PeckShieldAlert, the exploit involved a compromised admin address, urging users to immediately revoke any active approvals linked to the wallet “0xed…9FC5.” In a post on X, the firm confirmed that about $17,000 in USDC had been stolen and warned users against further engagement with the compromised address.
402Bridge’s team later attributed the attack to a critical design flaw within its backend system. The project’s architecture required users to sign or approve transactions through a web interface that sent requests to a central server. This server, in turn, used an admin private key to interact with smart contracts—an arrangement that left sensitive credentials exposed to potential network breaches. When the attacker accessed the admin key, they were able to drain funds directly from users’ wallets.
SlowMist founder Cos detailed that the hacker, operating through the wallet address “0x2b8F,” withdrew approximately $17,693 in USDC, swapped the funds for about 4.2 ETH, and transferred the assets to Arbitrum in a series of small, obfuscated transactions. This laundering pattern has made tracking or recovering the stolen funds nearly impossible.
Following the breach, Web3 security company GoPlus Security issued warnings urging users to revoke any lingering approvals associated with 402Bridge. The company emphasised the importance of verifying official contract addresses and limiting transaction permissions. Industry experts echoed the message, noting that while decentralised systems offer flexibility, poorly implemented key management mechanisms can expose even cautious users to devastating losses.
The timing of the hack is particularly unfortunate for 402Bridge, which had just gained attention for pioneering instant crypto payments through the HTTP 402 system. In the week ending October 20, 2025, the protocol processed more than 932,000 transactions, reflecting significant early adoption before the exploit halted its momentum.
This incident underscores a broader challenge in the Web3 ecosystem: balancing speed and convenience with strong security. As decentralised applications continue to innovate, the 402Bridge exploit serves as a cautionary tale on the necessity of isolating private keys and reinforcing backend security practices to protect both projects and their users.
