A new report from on-chain investigator ZachXBT puts Circle under intense scrutiny, alleging more than $420 million in compliance failures linked to its flagship stablecoin, USDC, since 2022.
The report, called “Circle USDC files,” identifies a pattern of delayed or absent intervention in cases involving hacked or illicit funds. While other stablecoin issuers have acted quickly to freeze assets in similar scenarios, Circle is accused of repeatedly failing to act in a timely manner, even when given clear signals or direct requests from law enforcement and private investigators.
1/ Welcome to the department USD/USD Files.
Over $420 million in alleged compliance failures since 2022, including fifteen cases of a US-regulated stablecoin issuer taking minimal action against illicit funds. pic.twitter.com/OiWZz5MrVM
– ZackXPT (@ZackXPT) April 3, 2026
USDC, which is pegged to the US dollar at a 1:1 ratio, is widely marketed as a regulated and compliant stablecoin. Its smart contract includes a freeze and blacklist function, and its terms explicitly state that Circle reserves the right to restrict access to funds associated with illicit activity. However, the report raises a critical question: Why are these tools not being used more effectively?
Exploiting Drift highlights a six-hour window of inaction
One of the most recent and notable cases mentioned in the report is the Drift Protocol exploit on April 1, 2026, which resulted in losses estimated at approximately $280 million.
During the attack, the exploiter siphoned over $232 million worth of USDC from Solana to Ethereum using Circle’s Cross-Chain Transfer Protocol (CCTP). The transactions were spread across more than 100 transfers over a six-hour period, however no freezing action was taken during that period.
The lack of response is particularly striking given the scale and visibility of the exploitation. Multiple DeFi protocols across Solana were indirectly affected, and the attacker’s activity was unfolding in real-time on-chain.
Subsequent analysis by Elliptic linked the attacker to state actors in North Korea, raising compliance and enforcement risks.
Despite these red flags, funds continued to move freely through Circle’s infrastructure without interruption.
Historical cases reveal a pattern of delayed response
Beyond the Drift incident, the report compiles a series of previous vulnerabilities that point to a recurring pattern.
In January 2026, a SwapNet exploit saw $3 million in USDC remain untouched in the attacker’s wallet for two days. Despite freeze requests from law enforcement and private sector experts, no action has been taken. One victim even sought a court order in New York, but the money was transferred only hours before the order was issued.
Likewise, during the Cetus Protocol exploit in May 2025, $61 million in USDC was transferred cross-chain within 90 minutes. Although Circle eventually blacklisted the address, it did so a month later, long after the funds had actually been transferred to Ethereum.
Previous cases further reinforce this trend. The 2022 Mango Markets exploit involved moving $57.5 million USDC via addresses linked to the circuit without freezing it. In the same year, the Nomad Bridge hack left approximately $45 million USD in USDC wallets for up to 45 minutes, again without any blacklisting action.
According to the report, these repeated delays contributed to significant financial losses that could have been mitigated with quicker intervention.
Other issuers act more quickly in similar situations
The main theme running through the results is the contrast between Circle and other stablecoin issuers.
In multiple incidents, competitors like Tether have acted more decisively. For example, during the Ledger supply chain attack in December 2023, the stolen USDT was frozen within hours, while the USDC remained at the same address unchanged for more than three hours.
In the September 2023 Remitano hack, Tether froze $1.4 million in USDT, while $441,000 in USDC remained idle for eight hours. Similar patterns were observed in the GMX exploit and other cases where USDC remained available despite clear signs of illicit activity.
Even in coordinated law enforcement actions, delays were observed. Following a broader investigation into illicit money flows linked to North Korean operations, several issuers were asked to freeze specific addresses. While others responded quickly, Circle reportedly took an additional 4.5 months to act.
These inconsistencies raise questions about operational efficiency, internal processes, and prioritization within Circle’s compliance framework.
Links to illicit networks and government actors continue
The report also highlights instances where USDC flowed through addresses linked to known illicit networks without being reported or blocked.
Between 2022 and 2025, funds were reported to be routed through addresses linked to payment groups for North Korean IT workers, accounts that were just a few steps away from previously blacklisted wallets. Despite this proximity, no action has been taken to restrict these addresses.
In another case linked to the US Department of Justice investigation, more than $1.7 million in USDC linked to a large-scale fraud was transferred via intermediary wallets to Circle deposit addresses without interruption.
Even in high-profile incidents like the Bybit hack in February 2025, where law enforcement filed freeze requests, Circle’s response lagged behind competitors by about 24 hours.
Individually, these delays may seem minor. Collectively they paint a picture of systemic gaps in implementation.
Increased pressure on the department to enhance oversight
Despite the criticism, the report acknowledges that Circle remains a major player in the cryptocurrency ecosystem and continues to build a widely used financial infrastructure.
However, the results suggest that compliance decisions had real-world consequences. According to the report, more than nine figures were lost across the ecosystem due to late or missing freeze actions, figures that only represent publicly known cases.
As a US regulated company headquartered in New York, Circle operates under strict financial oversight. This status brings credibility and responsibility, especially when it comes to preventing the movement of illicit funds.
The report ultimately leaves the industry with a pressing question: Who is Circle serving when its enforcement tools are not used during critical moments?
With increased regulatory scrutiny and rising expectations around security, the pressure is now on Circle to prove that its compliance systems can match the scale and importance of its role in global cryptocurrency markets.
Disclosure: This is not trading or investment advice. Always do your research before purchasing any cryptocurrency or investing in any services.
Follow us on Twitter @themerklehash To stay up to date on the latest Crypto, NFT, AI, Cybersecurity, and Metaverse news!
