A bombshell report from on-chain investigator ZachXBT alleges systemic compliance failures at Circle, with over $420 million in suspect USDC transactions linked to major DeFi exploits since 2022. The analysis claims Circle repeatedly failed to utilize its on-chain freezing and blacklist capabilities to halt the flow of stolen funds, raising urgent questions about stablecoin oversight and security protocols.

Alleged Inaction By Circle

Circle’s token contract includes an explicit freeze/blacklist function, and the company’s terms of service reserve the right to restrict access for suspected illicit actors “in its sole discretion.” 

Yet, ZachXBT’s report claims that in many widely reported thefts and hacks, the issuer either delayed action or did not freeze funds at all, allowing attackers to move large sums across blockchains and convert them into other assets.

The report opens with the April 1, 2026, Drift Protocol exploit, in which the attacker drained roughly $280 million. According to ZachXBT, the thief used Circle’s Cross‑Chain Transfer Protocol (CCTP) to bridge more than 232 million USDC from Solana (SOL) to Ethereum (ETH) in over 100 transactions.

The incident had ripple effects across the Solana ecosystem, indirectly impacting more than 10 DeFi projects. Despite the funds moving through Circle’s native bridge for hours, the report says no USDC was frozen during the laundering.

ZachXBT also details a January 25, 2026, attack on SwapNet that resulted in $16 million being stolen. Roughly $3 million in USDC remained in the exploiter’s address for two days. Both law enforcement and private‑sector analysts reportedly submitted temporary freeze requests to Circle for that address, but Circle did not act. 

Nine‑Figure Losses In Crypto Hacks

Among several other cases cited in the report, ZachXBT also points to broader, long‑running patterns. In April 2024, he published a separate investigation into the Lazarus Group laundering that traced funds from more than two dozen hacks being converted to fiat. 

Law enforcement requested freezes from four stablecoin issuers — Circle, Tether, Paxos, and Techteryx — for two addresses tied to that investigation. The report claims the other three issuers acted quickly, while Circle took approximately 4.5 months longer to freeze the same addresses.

Taken together, ZachXBT says these cases — many of them public and high‑value — add up to nine‑figure losses to the crypto ecosystem caused by repeated inaction over a multi‑year period. 

He stresses that the $420 million-plus figure covers only major public incidents and that the true total could be substantially higher. The overarching claim is that Circle possesses the contractual and technical tools to intervene, yet has not used them consistently or promptly, with concrete harm to victims and the broader community.

“They have every tool and resource available to do better. They just haven’t,” he writes, closing his report with a pointed question: who, exactly, is Circle serving?

Featured image from OpenArt, chart from TradingView.com