402bridge private key leaks, 227 wallets drained in minutes

402bridge, the cross-layer protocol that builds upon the AI agent payments system x402, has been hacked, resulting in the theft of $17,000 in USDC from more than 200 victims.

That’s according to crypto analyst PeckShield, which encouraged 402bridge users to revoke their allowances.

Pseudonymous X user “Ye in Web3” claims that after 402bridge’s contract was deployed, the private keys were leaked. They were then used to transfer ownership of the contract and drain users who had previously approved the contract to spend funds.

In just 28 minutes, 227 users were affected.

402bridge added that the private leak led to the compromise of more than a dozen of the team’s test and main wallets.

The protocol previously confirmed that private keys are stored on a server, which may have exposed admin privileges.

Due to this private key leak, more than a dozen of the team’s test and main wallets have also been compromised (ex. screenshot below).

We have promptly reported the incident to law enforcement authorities and will keep the community informed with timely updates as the… pic.twitter.com/AZfgd1yWKG
— 402bridge (@402bridge) October 28, 2025

It said, “If a hacker obtains the private key, they can take over those privileges and reassign user funds to carry out an attack.”

However, Ye in Web3 was also suspicious that the whole affair may be a rug pull coordinated by 402bridge.

Specifically, they questioned the validity of 402bridge’s shared screenshot, and asked why the contract would include a feature allowing the contract owner to drain user funds.

For its part, 402bridge claims to have reported the incident to law enforcement authorities and is in the process of investigating and sharing details about the attack.

The founder of crypto security firm SlowMist, Yu Xian, also claimed that “internal sabotage cannot be ruled out.” One such red flag he highlighted was the fact that 402bridge had already encountered a theft two days after it was registered.

Xian also noted that this doesn’t imply collective wrongdoing by the whole 402bridge team, as “it’s not a typical rugpull.”

According to Xian, “this is the first publicly known theft case related to 402 protocol services.”

What is x402?

x402 is a payment protocol developed earlier this year by Coinbase that would allow AI agents, as well as humans, to pay for services without requiring an account or any authentication.

Similar to the Hypertext Transfer Protocol (HTTP) 404 that appears as an error when content isn’t found, x402 is named after HTTP 402, another error that displays “payment required.”

This HTTP wasn’t widely adopted as it was made to be used in a future where microtransactions or digital cash payments made through browsers are the norm. Coinbase claims to have revived the system.

🚀 Big news 🚀 @coinbase and @cloudflare will be launching the x402 Foundation to establish x402 as the universal standard for AI-driven payments.

Legacy payment systems weren’t built for machines, but x402 changes that by embedding payments directly into web interactions,… pic.twitter.com/Uma0jH2xmn
— Coinbase Developer Platform🛡️ (@CoinbaseDev) September 23, 2025

The use cases of its x402 system include:

API services paid per request
Allowing AI agents to autonomously pay for API access
Paywalls for digital content
Proxy services that aggregate and resell API capabilities
Microservices and tooling monetized via microtransactions

The streamlining of payment services within AI also made ground today when Sam Altman’s OpenAI announced that it had integrated PayPal into its AI software ChatGPT.

Users will be allowed to search for any services or goods through the AI program and use their linked PayPal wallet to make a purchase.

Got a tip? Send us an email securely via Protos Leaks. For more informed news, follow us on X, Bluesky, and Google News, or subscribe to our YouTube channel.