Blockchain investigator ZachXBT accuses Circle of failing to freeze $420 million in illicit USDC since 2022, while the stablecoin issuer blocked legitimate wallets days before the $285 million Drift hack.
Circle, the company behind the $45 billion USDC stablecoin, is facing its most serious credibility crisis since the Silicon Valley Bank scare of March 2023, after blockchain investigator ZachXBT published evidence suggesting the firm has consistently failed to freeze stolen funds while aggressively blocking legitimate wallets. The controversy, which erupted in the wake of the $285 million Drift Protocol exploit on 1 April 2026, has reignited a fundamental debate about the role of centralised issuers in supposedly decentralised financial infrastructure.
The immediate catalyst was the Drift hack itself — the largest DeFi exploit of 2026 and the biggest single theft on Solana to date. After attackers gained control of Drift's Security Council through what the protocol described as a sophisticated social engineering campaign targeting multiple multisig signers, approximately $232 million in USDC was bridged from Solana to Ethereum using Circle's own Cross-Chain Transfer Protocol over a period of several hours during the US business day. Circle did not intervene to freeze the funds at any point during the transfers.
The failure to act might have attracted less attention had it not followed an incident just nine days earlier. On 23 March, Circle froze USDC balances across 16 corporate hot wallets tied to a sealed US civil case, disrupting operations at legitimate exchanges, casinos, and payment processors. The contrast between these two responses — swift action against lawful businesses, inaction during confirmed theft — became the centrepiece of a growing backlash.
How $230 Million in Stolen USDC Moved Unimpeded Through Circle's Own Bridge
According to on-chain data compiled by ZachXBT and independently verified by multiple analysts, the Drift attacker executed more than 100 separate transactions bridging stolen USDC from Solana to Ethereum via Circle's CCTP. The transfers occurred in batches, with funds held in intermediate wallets for between one and three hours before being moved — a pattern that, according to compliance experts, should have triggered automated monitoring alerts.
Circle maintains the technical capability to blacklist addresses in real time. According to Dune Analytics, the company has blacklisted approximately $117 million across 601 wallets since its inception. The infrastructure exists; the question, according to critics, is why it was not deployed. ZachXBT noted that the attacker appeared to deliberately avoid converting stolen funds to USDT, Tether's competing stablecoin, apparently calculating that Circle would be less likely to intervene than its rival.
The six-hour window between the first suspicious transfer and the completion of the bridging operation, ZachXBT argued, provided ample time for Circle to act. The transfers occurred during US business hours, removing any suggestion that the team was unavailable to respond.
A $420 Million Pattern of Inaction Dating Back to 2022
The Drift incident was not an isolated case. In a detailed thread published on 3 April, ZachXBT presented evidence that Circle has declined to freeze or blacklist approximately $420 million in suspicious USDC flows across 15 distinct incidents dating back to 2022. The cases include exploits linked to North Korean state-affiliated hacking groups, bridge compromises, and protocol exploits where stolen USDC was identified and flagged to Circle by investigators and law enforcement contacts.
By contrast, Tether has historically moved more aggressively to freeze assets in response to hack notifications, though it too has faced criticism for inconsistency. According to data from AMLBot, Tether froze assets in response to approximately 73% of major exploit notifications between 2023 and 2025, compared with an estimated 31% response rate from Circle over the same period. The disparity has led some security researchers to route stolen fund recovery efforts through Tether rather than Circle when both stablecoins are involved.
The pattern is particularly notable given Circle's positioning as a compliance-first, regulated issuer. The company has secured a Major Payment Institution licence in Singapore, holds an Electronic Money Institution registration in Europe, and has repeatedly emphasised its commitment to working with law enforcement. According to CoinTelegraph, Circle's failure to act in cases involving sanctioned entities has raised questions about whether its compliance infrastructure matches its regulatory ambitions.
Circle's Legal Defence and the Regulatory Bind
Circle's response to the criticism has been consistent. A company spokesperson told CoinDesk that Circle is 'a regulated company that complies with sanctions, law enforcement orders, and court-mandated requirements. We freeze assets when legally required, consistent with the rule of law and with strong protections for user rights and privacy.' The statement implies that without a formal court order or law enforcement directive, Circle considers unilateral asset freezing to carry unacceptable legal risk.
Legal analysts have offered some support for this position. Freezing assets without judicial authorisation could expose Circle to civil liability from affected wallet holders, particularly if funds are frozen erroneously. In the 23 March incident, the freeze of 16 legitimate wallets — which ZachXBT characterised as potentially the most incompetent freeze action in five years — illustrates the collateral damage that overzealous intervention can produce.
Yet the defence creates its own contradictions. If Circle requires a court order to freeze stolen funds during an active hack, but can freeze legitimate business wallets under a sealed civil case within hours, the practical effect is a system that disadvantages hack victims while remaining responsive to civil litigants. Several DeFi protocols have begun exploring alternatives to USDC exposure as a result, according to governance discussions on Aave and Compound forums.
The Deeper Question: Can Centralised Stablecoins Serve Decentralised Finance?
The controversy has reopened a debate that has simmered since the Tornado Cash sanctions of August 2022, when Circle froze more than 75,000 USDC held by users with ties to the cryptocurrency mixer. The fundamental tension is structural: USDC is a centralised asset — Circle can freeze, blacklist, and seize tokens at will — operating within systems designed to be permissionless and censorship-resistant.
One analyst, writing on X, argued that Circle's refusal to freeze during the Drift hack was 'quite cypherpunk,' suggesting that active intervention undermines the decentralisation principles on which DeFi is built. But this reading is difficult to reconcile with Circle's simultaneous willingness to freeze assets in other contexts. The issue is not centralisation per se, but the inconsistency of its application.
The episode arrives at a sensitive moment for stablecoin regulation. The CLARITY Act, which would establish a comprehensive federal framework for digital asset oversight in the United States, remains stalled in a four-way Congressional deadlock, with the treatment of stablecoin yields as a primary flashpoint. How Congress addresses stablecoin issuer obligations — including whether freeze authority should be mandated, standardised, or curtailed — may ultimately determine whether incidents like the Drift controversy become regulatory precedents or historical footnotes. For now, the $285 million question remains unanswered: who exactly does Circle's freeze power serve?
