Circle Accused of $420M USDC Compliance Failures Across 15 Exploit Cases

Blockchain investigator ZachXBT has published a detailed thread accusing Circle of failing to freeze or blacklist approximately $420 million in illicit USDC flows across 15 separate incidents since 2022. The allegations arrived in the immediate aftermath of the Drift Protocol exploit, now confirmed as the largest DeFi hack of 2026, in which attackers extracted roughly $285 million from the Solana-based perpetuals exchange. Circle’s response, or more precisely the absence of one during the attack, has crystallised a tension the industry has long preferred to leave unresolved.

What the Drift Exploit Revealed About USDC Enforcement

The mechanics of the Drift attack were methodical and unhurried. According to ZachXBT, the exploiters bridged approximately $232 million in USDC from Solana to Ethereum using Circle’s own Cross-Chain Transfer Protocol (CCTP), executing more than 100 transactions over a six-hour window. Blockchain analytics firm Elliptic has identified indicators suggesting links to North Korea, adding a geopolitical dimension that makes the absence of intervention harder to dismiss as a routine compliance gap. The attackers held stolen USDC across multiple wallets for one to three hours before initiating the cross-chain transfers, a timeline that gave Circle’s New York-based team ample opportunity to act during standard business hours.

ZachXBT’s framing was pointed: “Despite the attacker laundering funds over six consecutive hours across Circle’s own native bridge, no USDC was frozen.” He went further, questioning the commercial rationale for building on USDC at all: “Why should crypto businesses continue to build on Circle when a project with nine-figure TVL could not get support during a major incident?” These are questions that deserve direct answers, not policy recitations.

Market OverviewTop 10 by market cap

1Bitcoin BTC$77,253.00▲1.44%

2Ethereum ETH$2,107.85▲1.87%

3Tether USDT$0.9991▲0.03%

4BNB BNB$661.36▲1.72%

5XRP XRP$1.35▲1.36%

6USDC USDC$0.9998▲0.01%

7Solana SOL$85.32▲1.47%

8TRON TRX$0.3714▲1.93%

9Figure Heloc FIGR_HELOC$1.03▲0.00%

10Dogecoin DOGE$0.1023▲1.42%

Prices via CoinGecko · Updated 4 min ago

A Pattern Across Three Years, Not an Isolated Incident

ZachXBT’s thread catalogued two particularly telling cases beyond Drift. In the July 2025 GMX exchange breach, Circle allegedly declined to freeze $9 million in USDC. In the May 2025 Cetus Protocol exploit, valued at $223 million, the attacker bridged 61 million USDC from Sui to Ethereum within 90 minutes. Both the Cetus team and independent security experts contacted Circle requesting a freeze on the theft address. Circle blacklisted the address one month later, by which point the stolen USDC had already been converted into Ether and the window for recovery had closed entirely.

ZachXBT was explicit that the $420 million figure represents only the publicly documented cases: “The real figure is likely significantly higher.” That qualifier matters. If the most prominent, well-documented exploits are the ones that generate requests and still receive delayed or no response, the total exposure across smaller, less-publicised incidents could be substantially larger. This is not a compliance framework operating at the margins; it is one that appears to leave meaningful capital consistently unprotected.

The Civil Freeze Contrast That Sharpened the Criticism

The timing of the Drift attack deepened the controversy in a way that raw numbers alone cannot. On March 23, Circle froze the USDC balances of 16 unrelated corporate hot wallets, disrupting legitimate exchanges, casinos, and payment processors in connection with a civil dispute. ZachXBT previously described that action as “potentially the single most incompetent” freeze he had witnessed in five years of on-chain investigation. The juxtaposition is stark: aggressive, rapid intervention against lawful businesses on civil grounds, combined with apparent inaction during a confirmed nine-figure theft transiting Circle’s own bridge infrastructure.

This inconsistency is the sharpest part of the critique, and it is the one Circle has not directly answered. Dune Analytics data shows that Circle has blacklisted roughly $117 million across 601 wallets in total, confirming the capability is real and operational. The question is not whether Circle can freeze assets; it demonstrably can. The question is what triggers that decision, and whether the current trigger mechanism is fit for purpose at the scale USDC now operates.

Circle’s Legal Defence and Its Limits

Circle’s position is coherent on its own terms. A company spokesperson stated: “Circle is a regulated company that complies with sanctions, law enforcement orders, and court-mandated requirements. We freeze assets when legally required, consistent with the rule of law and with strong protections for user rights and privacy.” Salman Banei, general counsel at tokenized asset platform Plume, backed this stance, noting that unilateral freezes without legal authorisation could expose issuers to significant litigation risk. That is a legitimate structural concern, not a deflection.

Ben Levit, head of stablecoin evaluation firm Bluechip, added further nuance around the Drift incident specifically, characterising it as involving market and oracle manipulation rather than a conventional theft: “Any action by Circle becomes a judgment call, not just a compliance decision.” That framing applies more cleanly to Drift than to the GMX breach or the Cetus exploit, where the theft nature of the incident was unambiguous and external requests for intervention were made and documented. Circle’s legal framework may be defensible in edge cases; it is much harder to defend in cases where the facts were clear and the requests were explicit.

It is also worth noting that Circle has not been entirely passive. The company froze USDC tied to Tornado Cash wallets sanctioned by US authorities in 2022 and explored “reversible” USDC functionality in September 2025, a mechanism that could allow transaction rollbacks in theft scenarios. These are genuine steps, but they do not address the core operational gap: the speed and criteria by which Circle responds to active, real-time exploits before funds are already laundered and converted.

Who Bears the Cost of This Governance Gap

The clearest losers here are the protocols and their users. Over ten DeFi protocols on Solana suffered indirect losses from the Drift exploit alone. The victims of the GMX breach lost $9 million that ZachXBT alleges Circle could have frozen. The Cetus Protocol community watched $61 million in USDC bridge to Ethereum and convert to ETH before a blacklist was applied. These are not abstract systemic risks; they are measurable, attributed losses sustained by identifiable participants in the ecosystem.

Circle, paradoxically, also loses in a reputational sense that will carry commercial weight. With over $77 billion in USDC circulating supply, the stablecoin’s institutional adoption case rests heavily on its regulatory credibility. Circle’s recent freeze controversy has already drawn scrutiny from partners and regulators. A documented pattern of delayed enforcement against illicit flows, combined with rapid action against legitimate businesses, inverts the compliance narrative that Circle has built its brand around. Institutional treasuries and payment processors evaluating USDC against competing stablecoins will notice.

The attacker’s deliberate avoidance of Tether’s USDT during the Drift exploit is itself a data point. USDT is the largest stablecoin by market capitalisation, and Tether is widely known for rapid blacklisting of malicious actors. The choice to hold and bridge exclusively in USDC suggests that sophisticated threat actors have already modelled Circle’s intervention threshold and found it acceptable. That calculation, more than any individual allegation in ZachXBT’s thread, is the most consequential signal for builders and institutions assessing infrastructure risk.

What a Credible Path Forward Requires

The legal constraint Circle cites is real, but it is not immovable. Banei himself called for legislators to establish legal protections enabling issuers to respond more rapidly in unambiguous theft scenarios. That is exactly the right framing. The infrastructure for intervention exists; what is missing is a legal safe harbour that allows a regulated issuer to act within a narrow, well-defined window without assuming unlimited litigation exposure. Building that framework, in coordination with US regulators and law enforcement, is achievable and necessary.

Circle has previously demonstrated that it can move quickly when legal authority is clearly established, as the Tornado Cash freezes showed. The challenge is compressing the gap between a confirmed exploit and legal authorisation, a gap that currently runs from hours to months and consistently allows stolen funds to exit the system. That is an engineering problem, a regulatory problem, and a coordination problem simultaneously, none of which are unsolvable. The technology for reversible transactions is already under development internally. The missing piece is the institutional will, and the regulatory clarity, to deploy it. The ecosystem is large enough and mature enough to demand both from one of its most systemically important infrastructure providers.