A new report from on-chain investigator ZachXBT is putting Circle under intense scrutiny, alleging more than $420 million in compliance failures tied to its flagship stablecoin, USDC, since 2022.
Dubbed the “Circle USDC files,” the report outlines a pattern of delayed or absent intervention in cases involving hacked or illicit funds. While other stablecoin issuers acted swiftly to freeze assets in similar scenarios, Circle is accused of repeatedly failing to act in time, even when given clear signals or direct requests from law enforcement and private investigators.
USDC, which is pegged 1:1 to the US dollar, is widely marketed as a regulated and compliant stablecoin. Its smart contract includes a freeze and blacklist function, and its terms explicitly state that Circle reserves the right to restrict access to funds linked to illicit activity. However, the report raises a critical question: why were these tools not used more effectively?
One of the most recent and high-profile cases cited in the report is the April 1, 2026 exploit of Drift Protocol, which resulted in losses of approximately $280 million.
During the attack, the exploiter bridged more than $232 million in USDC from Solana to Ethereum using Circle’s Cross-Chain Transfer Protocol (CCTP). The transactions were spread across more than 100 transfers over a six-hour period, yet no freeze action was taken during that time.
The lack of response is particularly striking given the scale and visibility of the exploit. Multiple DeFi protocols across Solana were indirectly impacted, and the attacker’s activity was unfolding in real time on-chain.
Subsequent analysis by Elliptic linked the attacker to North Korean state actors, further raising the stakes around compliance and enforcement.
Despite these red flags, the funds continued moving freely through Circle’s infrastructure without interruption.
Beyond the Drift incident, the report compiles a series of past exploits that point to a recurring pattern.
In January 2026, the SwapNet exploit saw $3 million in USDC sit untouched in an attacker’s wallet for two days. Despite freeze requests from both law enforcement and private sector experts, no action was taken. A victim even pursued a New York court order, but the funds were moved just hours before it was granted.
Similarly, during the May 2025 Cetus Protocol exploit, $61 million in USDC was bridged across chains within 90 minutes. Although Circle eventually blacklisted the address, it did so a month later, long after the funds had already been converted into ETH.
Earlier cases further reinforce the trend. The 2022 Mango Markets exploit involved $57.5 million in USDC moving through Circle-linked addresses without being frozen. In the same year, the Nomad Bridge hack left approximately $45 million in USDC sitting in exploiter wallets for up to 45 minutes, again without any blacklist action.
These repeated delays, according to the report, contributed to significant financial losses that might have been mitigated with faster intervention.
A key theme running through the findings is the contrast between Circle and other stablecoin issuers.
In multiple incidents, competitors such as Tether acted more decisively. For example, during the December 2023 Ledger supply chain attack, stolen USDT was frozen within hours, while USDC in the same address remained untouched for over three hours.
In the Remitano hack of September 2023, Tether froze $1.4 million in USDT, while $441,000 in USDC sat idle for eight hours. Similar patterns were observed in the GMX exploit and other cases where USDC remained accessible despite clear signs of illicit activity.
Even in coordinated law enforcement actions, delays were noted. Following a broader investigation into illicit fund flows linked to North Korean operations, multiple issuers were asked to freeze specific addresses. While others responded promptly, Circle reportedly took an additional 4.5 months to act.
These discrepancies are raising questions about operational efficiency, internal processes, and prioritization within Circle’s compliance framework.
The report also highlights cases where USDC flowed through addresses linked to known illicit networks without being flagged or frozen.
Between 2022 and 2025, funds were reportedly routed through addresses associated with North Korean IT worker payment clusters, accounts that were just a few hops away from previously blacklisted wallets. Despite this proximity, no action was taken to restrict these addresses.
In another case tied to a U.S. Department of Justice investigation, over $1.7 million in USDC linked to a large-scale fraud operation moved through intermediary wallets into Circle deposit addresses without interruption.
Even in high-profile incidents like the Bybit hack in February 2025, where law enforcement submitted freeze requests, Circle’s response lagged behind competitors by roughly 24 hours.
Individually, these delays may appear minor. Collectively, they paint a picture of systemic gaps in enforcement.
Despite the criticism, the report acknowledges that Circle remains a major player in the crypto ecosystem and continues to build widely used financial infrastructure.
However, the findings suggest that its compliance decisions have had real-world consequences. According to the report, more than nine figures have been lost across the ecosystem due to delayed or missed freeze actions, figures that only account for publicly known cases.
As a U.S.-regulated company headquartered in New York, Circle operates under strict financial oversight. This status brings both credibility and responsibility, particularly when it comes to preventing the movement of illicit funds.
The report ultimately leaves the industry with a pressing question: who is Circle serving when its enforcement tools go unused during critical moments?
With increasing regulatory scrutiny and rising expectations around security, the pressure is now on Circle to demonstrate that its compliance systems can match the scale and importance of its role in global crypto markets.
Disclosure: This is not trading or investment advice. Always do your research before buying any cryptocurrency or investing in any services.
Follow us on Twitter @themerklehash to stay updated with the latest Crypto, NFT, AI, Cybersecurity, and Metaverse news!
The Ethereum Foundation is making a noticeable shift in how it manages its ETH holdings,…
Polymarket has quietly entered a new phase, and it’s already starting to show in the…
YZi Labs, alongside Susquehanna Crypto, has made a fresh strategic move into the prediction market…
Circle is taking a significant step toward reshaping how Bitcoin interacts with decentralized finance. The…
Public companies quietly stepped up their Bitcoin accumulation in March 2026, adding a significant amount…
Deepcoin is stepping into a new direction with its latest move, announcing a partnership with…