ZachXBT accused Circle of 15 instances of inaction following hacking incidents., 2026/04/04 12:36:27

The anonymous blockchain investigator ZachXBT has accused the stablecoin issuer Circle of sluggishness and inaction regarding the freezing of funds stolen by hackers from various platforms. ZachXBT identified 15 such instances since 2022, resulting in a total loss of approximately $420 million.

According to the researcher, in several cases, the company failed to respond to requests from law enforcement and industry representatives or acted with significant delays, despite the availability of data on the blockchain. ZachXBT highlighted the following hacking incidents:

• Drift Protocol — approximately $230 million was transferred from the Solana network to Ethereum via Circle’s Cross-Chain Transfer Protocol (CCTP). During six hours of the bridge’s operation, which processed over 100 transactions, the funds were not frozen. According to Elliptic, a hacker from North Korea may have been behind the attack.

• SwapNet — in January, the protocol lost $13 million. Requests from law enforcement and private experts for Circle to freeze the funds yielded no results.

• GMX — in July 2025, the cryptocurrency exchange lost $42 million due to a hacking incident. Circle was expected to freeze about $9 million in USDC but failed to do so. Later, the perpetrator returned the stolen funds minus a $5 million reward.

• DPRK IT Workers — over $125,000 was withdrawn to addresses associated with an IT worker from October 2022 to January 2025. Circle did not blacklist these addresses, despite their connection to North Korea. In contrast, Tether blocked the relevant addresses.

• U.S. Department of Justice Asset Forfeiture Office — more than $1.7 million in USDC linked to a fake cryptocurrency investment scheme (“pig butchering”) in Southeast Asia, which caused total losses of around $225 million, was transferred to a deposit address at Circle and was not frozen.

• Cetus Protocol — the hacker’s address was blacklisted only a month later, after the USDC had already been converted to ethers.

• Garantex — no actions were taken against the cryptocurrency exchange, which has been under sanctions from the U.S. Treasury’s Office of Foreign Assets Control (OFAC) since 2022. Meanwhile, Tether froze assets at the same addresses totaling $22 million.

• Bybit — following an attack linked to the Lazarus group, Circle took 24 hours longer than Tether to freeze 338,000 USDC, despite requests from law enforcement and the exchange itself.

• Radiant Capital — the stolen 1.25 million USDC remained unfrozen on the hacker’s addresses for several days. According to Mandiant, a hacker from North Korea may have been responsible for the attack. The total loss for the project is estimated at $58 million.

• Circle took 4.5 months longer than Tether, Paxos, and Techteryx to blacklist the addresses of North Korean hackers from the Lazarus group after law enforcement requests.

• Ledger Supply Chain — over 60,000 USDC were on the hacker’s address for more than three hours without being blocked by Circle, while Tether promptly froze USDT at the same address.

• Remitano — 441,000 USDC were on the hacker’s address without being blocked by Circle. At the same time, Tether froze funds at that address.

• DeFi-Builder — 513,000 USDC remained on the hacker’s address for a month, despite the project’s requests for blocking. Unlike Circle, Tether blocked the stolen USDT at that address.

• Mango Markets — the hacker transferred 57.5 million USDC to a deposit address at Circle and converted them to Ethereum. The funds were not frozen. Later, the U.S. Securities and Exchange Commission (SEC) charged him.

• Nomad Bridge — around $45 million in USDC were on three hacker addresses for 30–45 minutes before the funds were exchanged. Circle did not blacklist these addresses.

In February, ZachXBT accused employees of the trading platform Axiom of insider trading. Previously, the blockchain detective criticized the new feature of the Phantom wallet, labeling it as yet another method of stealing funds from users.