Blockchain investigator ZachXBT has accused Circle of failing to act quickly enough in a string of crypto theft cases tied to USDC since 2022.
In a thread shared on X on Friday, ZachXBT claimed the stablecoin issuer recorded more than $420 million in alleged compliance lapses across at least 15 public incidents.
His main argument focused on timing. ZachXBT said Circle had the power to restrict or blacklist wallets linked to stolen funds, yet in several cases, large amounts of USDC moved across chains or into other assets before any action came.
ZachXBT says Circle missed repeated chances to act
ZachXBT wrote, “Welcome to the Circle $USDC files.” He stated that the total covered “alleged compliance failures since 2022” and referred to events where stolen funds remained active long enough to be moved or swapped out.
He argued that the issue was not whether Circle had the tools to respond. He pointed to the freeze and blacklist features built into USDC and noted that the company’s terms state it may restrict access for suspected illicit actors “in its sole discretion.”
According to ZachXBT, some wallets held freezable USDC for hours, days, or even longer without intervention. He said that happened even after requests came from victims, investigators, law enforcement, or affected crypto teams.
He made clear that his criticism was not aimed at attacking the company as a whole. In one post, he wrote, “Circle builds good products and I hold USDC myself.” He then argued that the firm’s response record had still caused real losses for users and the wider market.
Circle is based in the U.S., operates from New York City, and falls under federal and state financial rules.
Drift, SwapNet, and Cetus drew the most attention
Much of the latest attention centered on the April 1 exploit involving Drift Protocol. ZachXBT said the attacker bridged more than $232 million in USDC from Solana to Ethereum through Circle’s Cross-Chain Transfer Protocol, or CCTP, using more than 100 transfers over six hours.
The researcher stated that no freeze took place during that stretch, even though the funds moved through Circle’s own infrastructure.
In a follow-up post on X, ZachXBT said that the attacker had been linked to North Korea by Elliptic and argued that Circle had enough time to step in before the funds moved further.
The January 2026 SwapNet exploit also featured in his claims. ZachXBT mentioned that $3 million in USDC stayed in the exploiter’s wallet for two days.
He added that law enforcement and private sector experts sent temporary freeze requests, but the assets moved before a court order arrived.
Another example came from the May 2025 hack of Cetus Protocol. The attacker bridged $61 million in USDC from Sui to Ethereum in more than 60 transfers over about 90 minutes. Circle blacklisted the wallet about a month later, after the USDC had already been converted into Ether.
These incidents formed the core of his argument because they involved large sums, visible movement, and enough time, in his view, for a centralized issuer to respond. He used them to support his claim that delayed action had become a repeated issue.
Older hacks added to the criticism
ZachXBT also referred to earlier exploits that he said followed a similar path. He said funds tied to the October 2022 Mango Markets attack were never blocked, even after $57.5 million moved through a Circle deposit wallet on Solana and later crossed to Ethereum.
He also cited the August 2022 Nomad Bridge exploit. In that case, he argued that about $45 million in USDC sat in three exploiter wallets for roughly 30 to 45 minutes before being swapped out. According to his post, those wallets were never blacklisted by Circle.
The December 2023 Ledger Connect Kit attack appeared in the list as well. ZachXBT said USDC remained in the theft wallet for more than three hours without action, while Tether froze USDT held in the same wallet.
He made a similar comparison in the September 2023 Remitano hack, where 441,000 USDC remained untouched for eight hours while Tether froze $1.4 million in USDT tied to the same event.
Among other cases from 2024 and 2025, the researcher mentioned the July 2025 GMX exploit, where $9 million in USDC sat for more than two hours and was partly bridged through CCTP, and the October 2024 Radiant Capital hack, where several theft wallets allegedly held USDC for hours without a blacklist order.
The list extended beyond hack proceeds alone. ZachXBT pointed to research he published on DPRK-linked IT workers and noted that Circle users withdrew USDC to three payment wallets in that network between October 2022 and January 2025. He mentioned that those wallets were never blacklisted.
He also mentioned the March 2025 seizure of Garantex infrastructure. According to his post, Circle took no action on more than 200,000 USDC in connected wallets, while Tether froze $22 million in related USDT.
Circle faces fresh scrutiny
The allegations surfaced at a sensitive time for Circle. The company recently announced cirBTC, a wrapped Bitcoin token built for institutional users. That launch marked a broader move beyond its core stablecoin business and placed more attention on how Circle handles compliance and risk controls.
That timing matters because Circle presents itself as a regulated crypto infrastructure provider with products built for payments, transfers, and settlement.
ZachXBT’s criticism centered on a direct question: if a centralized issuer can freeze funds, should it act faster when stolen USDC moves in plain sight across onchain routes?
He returned to that point near the end of his X post series, where he asked, “who is Circle actually serving?” He wrote that a US-regulated public company should do more for users and for the wider crypto market.
He also compared Circle’s response times with those of other stablecoin issuers. Referring to his 2024 Lazarus Group report, ZachXBT said law enforcement sent freeze requests to Circle, Tether, Paxos, and Techteryx for two wallets.
He said the other three issuers acted sooner, while Circle took about four and a half months longer to freeze both wallets.
He made a similar comparison in relation to the February 2025 Bybit hack. ZachXBT said Tether froze connected funds within hours, while Circle acted about 24 hours later on linked USDC.
Earlier this year, research-focused crypto investment firm Paradigm brought ZachXBT on as an incident response adviser.


