Circle Faces Heat From ZachXBT Over Inaction

Blockchain investigator ZachXBT has publicly accused Circle of failing to freeze stolen USDC as it moved through the company’s own cross-chain infrastructure during the $285 million Drift Protocol exploit on April 1, 2026 — raising pointed questions about when and why the stablecoin issuer chooses to exercise its freeze authority.

The April 1 attack on Drift, a Solana-based decentralized perpetuals exchange, was flagged by security firm PeckShield. Using a manipulated oracle and compromised admin key, the attacker drained Drift’s main vault in approximately 12 minutes, according to blockchain analytics firm Arkham. Drift’s total value locked fell from roughly $550 million to under $300 million within an hour. The DRIFT token dropped more than 40%. Over ten additional Solana protocols reported disruption.

After converting most of the stolen assets to USDC, the attacker used Circle’s Cross-Chain Transfer Protocol (CCTP) to bridge approximately $232 million from Solana to Ethereum across more than 100 transactions — over six consecutive hours during U.S. business hours.

“Circle was asleep while many millions of USDC were swapped via CCTP from Solana to Ethereum for hours from the 9-figure Drift hack during US hours,” ZachXBT wrote on X.

The criticism cuts sharper given the timing. Just nine days earlier, on March 23, Circle froze USDC across 16 unrelated business hot wallets — including one belonging to the DFINITY Foundation — as part of a sealed U.S. civil case. ZachXBT called that freeze “potentially the single most incompetent” action he had witnessed in five years of on-chain investigations.

The contrast — aggressive action against legitimate businesses, inaction during a confirmed nine-figure exploit transiting Circle’s own bridge — has reignited debate over how centralized stablecoin governance actually works in practice. Security researcher Specter noted the attacker deliberately avoided converting funds to Tether’s USDT, appearing confident Circle would not intervene.

Circle’s Defense

Circle responded: “Circle is a regulated company that complies with sanctions, law enforcement orders, and court-mandated requirements. We freeze assets when legally required, consistent with the rule of law and with strong protections for user rights and privacy.”

Salman Banei, general counsel at Plume, warned that freezing assets without authorization could expose Circle to legal liability. Ben Levit, CEO of stablecoin ratings agency Bluechip, described the situation as “a gray area,” noting this was an oracle exploit rather than a clean hack. Blockchain analytics firm Elliptic identified multiple indicators suggesting North Korean hackers were responsible for the Drift exploit.

As crypto hack losses had moderated significantly in the months preceding this incident, the $285 million Drift hack marks a stark reversal — and the Circle debate it has sparked may have lasting implications for how the broader stablecoin regulatory framework is written, particularly around freeze authority and issuer accountability.