ZachXBT Investigation Report: Circle Repeatedly Neglected Compliance Efforts, Involving Over $420 Million
BlockBeats News, April 3rd - On-chain detective ZachXBT released an investigation report on Circle, stating that since 2022, the company has shown "weak compliance enforcement" in multiple incidents involving illicit funds, involving a total amount exceeding $420 million. The report pointed out that Circle, as the issuer of USDC, has always been known for its regulatory compliance and sound compliance system. Its token contract also has the function of freezing and blacklisting addresses, and reserves the right to restrict suspicious accounts in its terms of service. However, in several major security incidents, these mechanisms were not timely or effectively utilized.
The report specifically mentioned the attack on Drift Protocol on April 1, 2026, where about $280 million in assets were stolen. The attacker used Circle's proprietary cross-chain bridge CCTP to transfer over 232 million USDC from Solana to Ethereum within 6 hours, with no assets being frozen during this process. Similar situations also occurred in other attack events such as SwapNet, Cetus Protocol, and Mango Markets, where in some cases, despite law enforcement and industry expert freeze requests, Circle did not take timely action, even processing after the assets had been moved.
Furthermore, the report also pointed out that in a money laundering investigation involving the hacker group Lazarus Group, Circle showed a significant delay in response compared to other stablecoin issuers (such as Tether, Paxos, etc.). In some cases, the freezing operation was delayed for several months. Similar delays were also observed in the Ledger supply chain attack and the GMX attack event, where USDC remained in suspicious addresses for hours or even longer without being frozen.
In the report, ZachXBT stated that this disclosure does not negate the value of Circle's products or stablecoins themselves, but emphasizes that its decisions on compliance enforcement have caused "real and significant losses" to the industry. He pointed out that in the past three years, due to multiple instances of delayed action, the DeFi ecosystem has accumulated losses in the nine-figure range, and the $420 million is only a conservative estimate from publicly known cases, with the actual scale potentially being higher.
