In a detailed 18-part thread published on April 3, 2026, renowned on-chain investigator ZachXBT leveled serious allegations against Circle, the U.S.-regulated issuer of the USDC stablecoin. According to the investigation, Circle has allegedly failed to act on over $420 million in stolen or illicit funds across more than 15 major incidents since 2022.
Despite having built-in capabilities to freeze and blacklist wallets, as well as terms of service granting it “sole discretion” to restrict illicit activity, Circle is accused of repeatedly taking delayed or no action. The report raises concerns about systemic compliance lapses at a company positioned as one of the most regulation-forward entities in crypto.
ZachXBT described the thread as “The Circle $USDC Files,” noting that the $420M+ figure reflects only publicly documented cases and is likely an undercount. While critical, he maintained a balanced stance, stating that he still holds USDC and supports the product’s quality. However, he questioned the company’s priorities, emphasizing that a U.S.-regulated public company should be held to a higher standard.
USDC’s Compliance Promise vs. On-Chain Reality
USD Coin (USDC) is a centralized stablecoin pegged 1:1 to the U.S. dollar and widely marketed for its regulatory compliance. Its smart contract includes functionality that allows Circle to freeze or blacklist addresses linked to illicit activity.
However, ZachXBT’s investigation paints a different picture one of repeated delays in responding to hacks, slow action on law enforcement requests, and inaction on funds linked to sanctioned entities, including North Korean actors.
The thread contrasts Circle’s response times with competitors such as Tether, which in many cases acted faster to freeze funds.
Recent High-Profile Incidents
Drift Protocol Hack – April 1, 2026 ($280M+)
The most recent and significant example involves the April 1 exploit of Drift Protocol on Solana. Over $280 million was stolen, including $232M+ in USDC bridged from Solana to Ethereum via Circle’s Cross-Chain Transfer Protocol (CCTP).
The funds moved across 100+ transactions over six hours. Blockchain analytics firm Elliptic linked the attacker to North Korea. Despite the scale and visibility of the exploit, no USDC was frozen.
SwapNet Exploit – January 25, 2026 ($16M)
In this case, $3 million in USDC remained in a freezable address for two days. Law enforcement and private investigators submitted freeze requests, and a victim even obtained a New York court order. However, the funds were moved before action was taken.
Cetus Protocol Exploit – May 22, 2025 ($223M)
Following the hack of Cetus Protocol, attackers bridged $61M in USDC to Ethereum within 90 minutes. Despite immediate requests from the team and external experts, Circle only blacklisted the addresses a month later after the funds had already been converted.
Historical Cases Reveal a Pattern
ZachXBT’s thread outlines a consistent pattern of delayed or absent responses across multiple incidents:
- Mango Markets (Oct 2022 – $110M): $57.5M in USDC moved through Circle-linked addresses without being frozen.
- Nomad Bridge (Aug 2022 – $190M): $45M in USDC remained freezable for up to 45 minutes but was never blocked.
- Ledger Supply Chain Attack (Dec 2023 – $600K+): USDC sat untouched while USDT was frozen.
- GMX Exploit (July 2025 – $40M): $9M in USDC remained accessible for hours.
- Remitano Hack (Sept 2023 – $8.5M): $441K in USDC remained unfrozen while USDT was blocked.
- Radiant Capital Hack (Oct 2024 – $58M): Multiple wallets held USDC without intervention.
In several of these cases, Tether froze USDT holdings in the same wallets within hours, highlighting a stark contrast in response times.
DPRK Links, Sanctions, and Compliance Gaps
A major concern raised in the thread is Circle’s handling of funds linked to North Korean actors and sanctioned entities.
ZachXBT cited multiple cases involving the Lazarus Group and other DPRK-linked operations where Circle either delayed action for months or failed to act entirely. In one instance, it reportedly took Circle 4.5 months longer than other issuers to freeze assets following law enforcement requests.
Additionally, in the case of Garantex, an exchange sanctioned by the U.S. Treasury, Circle allegedly failed to freeze over 200,000 USDC, while competitors acted swiftly.
A Contradiction in Enforcement
ZachXBT also pointed out an apparent contradiction in Circle’s enforcement behavior. While the company has been slow to act in high-profile thefts, it has previously frozen legitimate business wallets in sealed legal cases actions he described as “incompetent.”
This inconsistency raises broader concerns about how Circle prioritizes enforcement decisions and whether its compliance framework is applied effectively.
Industry Implications and Open Questions
In his closing remarks, ZachXBT struck a measured tone:
“Circle builds good products and I hold USDC myself. This isn’t about hoping they collapse.”
However, he emphasized that the scale of inaction potentially affecting hundreds of millions of dollars demands accountability.
The revelations have sparked widespread debate across the crypto ecosystem. Stablecoins like USDC are foundational to DeFi, powering trading, lending, and cross-chain transfers. Failures to act on illicit activity could erode trust, particularly for a company that positions itself as a compliance leader.
At the same time, the ability to freeze funds remains a double-edged sword offering protection against crime while raising concerns about misuse or selective enforcement.
What Comes Next?
As of April 3, 2026, neither Circle nor its CEO Jeremy Allaire has publicly responded to the allegations.
The crypto community is now watching closely for:
- A formal response from Circle
- Potential regulatory scrutiny
- Shifts in user or protocol preference toward faster-acting stablecoin issuers
If ZachXBT’s findings are accurate, the true scale of unaddressed illicit funds may be significantly higher than reported placing increased pressure on Circle to demonstrate proactive and consistent compliance.
Source: This article is based entirely on a public X (Twitter) thread by ZachXBT (Post ID: 2040055757211885953). All figures, timelines, and cases referenced originate from his investigation.
