ZachXBT faults Circle as $232M USDC crosses after Drift hack

Blockchain investigator ZachXBT accused Circle of failing to freeze about $232 million in stolen USDC that moved from Solana to Ethereum through Circle’s Cross-Chain Transfer Protocol after the April 1, 2026 attack on Drift Protocol. Circle maintains it freezes funds only when required by sanctions, law enforcement orders, or court directives.

The exploit hit Drift, a Solana-based perpetuals exchange, on April 1. Security teams tracking the breach reported that a manipulated price oracle and a compromised administrator key let the attacker drain the main vault in roughly 12 minutes. Drift’s total value locked fell from about $550 million to under $300 million within an hour, and the DRIFT token slid more than 40%. More than 10 other Solana projects reported service disruptions as the incident unfolded.

After converting much of the haul to USDC, the attacker bridged approximately $232 million from Solana to Ethereum via CCTP in more than 100 transactions over six consecutive hours during U.S. business hours. ZachXBT argued Circle failed to act while those transfers were occurring and questioned how the company applies its freeze authority.

“Circle was asleep while many millions of USDC were swapped via CCTP from Solana to Ethereum for hours from the 9-figure Drift hack during US hours,” he wrote on X. He contrasted the response with an earlier action on March 23, when Circle froze USDC in 16 unrelated business hot wallets — including one tied to the DFINITY Foundation — under a sealed U.S. civil case. He labeled that freeze “potentially the single most incompetent” action he had seen in five years of on-chain investigations.

Circle, in a statement, pointed to its compliance obligations: “Circle is a regulated company that complies with sanctions, law enforcement orders, and court-mandated requirements. We freeze assets when legally required, consistent with the rule of law and with strong protections for user rights and privacy.”

Attorneys and market analysts described legal constraints around unilateral freezes. Salman Banei, general counsel at Plume, warned that acting without proper authorization could create liability for Circle. Ben Levit, CEO of stablecoin ratings firm Bluechip, called the situation “a gray area,” noting the breach stemmed from an oracle manipulation rather than a flaw in Circle’s systems. Security researcher Specter observed the attacker avoided converting funds into Tether’s USDT.

Blockchain analytics firm Elliptic reported indicators consistent with North Korea hacking activity, though attribution has not been publicly confirmed.

ZachXBT’s broader filing cites 15 incidents since 2022, totaling more than $420 million, where he alleges Circle’s compliance or freeze actions were inconsistent or insufficient. His latest complaint centers on the transfers through CCTP during the Drift incident and the absence of a freeze as the funds moved for several hours.

Security firms including PeckShield and Arkham outlined how assets were siphoned and consolidated into USDC before bridging. By the time on-chain activity slowed, Drift’s liquidity pools had been drained and some traders reported failed withdrawals at other Solana protocols.

USDC includes a smart contract function that allows the issuer to restrict movement of specific addresses when presented with sanctions designations, court orders, or law enforcement requests. Drift has not released a final post-mortem. Investigations continue into the oracle manipulation and the administrator key compromise, and no arrests or recoveries have been announced.