Key Highlights
- ZachXBT accused Circle of inaction as over $230 million in stolen USDC was bridged from Solana to Ethereum via Circle’s CCTP during the $285 million Drift Protocol exploit.
- The criticism follows Circle’s controversial March 23 freeze of USDC balances in 16 unrelated business hot wallets.
On-chain investigator ZachXBT has accused Circle, the New York-headquartered issuer of USDC, of failing to act while over $230 million in stolen funds moved freely through its own cross-chain bridge during the $285 million Drift Protocol exploit on April 1—the largest DeFi hack of 2026 so far.
According to ZachXBT, the stolen USDC was bridged from Solana to Ethereum via Circle’s Cross-Chain Transfer Protocol (CCTP) across more than 100 transactions. The bridging activity continued for approximately six hours — during U.S. business hours — with zero intervention.
“Circle was asleep while many millions of USDC was swapped via CCTP from Solana to Ethereum for hours from the 9 figure Drift hack during US hours,” ZachXBT stated. ” 6 hours is how long Circle had to freeze stolen funds from the $280M+ Drift hack. Circle is a centralized stablecoin issuer headquartered in New York, and the attack began around 12 pm ET. Why does our industry allow them to stay silent?”
He went further, calling Circle, its CEO Jeremy Allaire, and USDC “bad actors for the industry,” adding: “Circle chooses to not engage with the private sector and instead sucks off govt. regulators via lobbying by using buzzwords like ‘compliance’ or ‘regulated’ without actually implementing solutions.”
On-chain researcher Wazz corroborated the timeline, sharing Etherscan data showing the attacker was still receiving bridged USDC on Ethereum as late as three hours after the hack was publicly flagged. Wazz noted that approximately $33 million of the stolen funds were converted to ETH on the Ethereum side, commenting, “Circle asleep at the wheel again.”
Security researcher Specter added that the attacker deliberately avoided converting to Tether (USDT) during the bridging process—suggesting confidence that Circle would not freeze the funds.
The March 23 freeze: A stark double standard
The timing made Circle’s inaction during the Drift hack even more conspicuous. Just nine days earlier, on March 23, Circle froze USDC balances across 16 unrelated business hot wallets as part of a sealed New York civil case. The freeze disrupted operations for exchanges, casinos, and payment processors.
ZachXBT had flagged that action at the time, calling it potentially the most incompetent freeze he had seen in over five years. He argued that on-chain analysis made it “obvious” the wallets were operational business addresses, not illicit accounts. “The NY civil case is sealed and they have provided absolutely ZERO basis to freeze all of these business addresses,” ZachXBT wrote on March 25, identifying Aaron Nathan from Willkie Farr as the plaintiffs’ lawyer.
Circle later unfroze one wallet linked to Goated.com on March 26, but most remained locked at the time of the Drift exploit.
The contrast is difficult to ignore. Circle acted aggressively on a sealed civil matter affecting legitimate businesses. Yet during a confirmed nine-figure exploit—with stolen funds transiting its own infrastructure for six hours during regular business hours—it took no action.
Inside the $285M Drift Protocol exploit
The Solana-based perpetual futures exchange suffered a massive vault drain starting around 11:06 a.m. ET on April 1. Blockchain security firm PeckShield and analytics platform Arkham Intelligence flagged roughly $285 million in outflows from Drift’s core vaults to attacker-controlled wallets.
The first major transfer involved approximately 41 million JLP tokens, valued at $155 million, moving from the Drift Vault to an attacker address. Additional assets, including USDC, cbBTC, USDS, and USDT, were drained in rapid succession. The attacker then swapped the stolen assets heavily into USDC before bridging them from Solana to Ethereum via Circle’s CCTP.
Drift Protocol confirmed the attack on X, stating it had suspended deposits and withdrawals and was coordinating with security firms, bridges, and exchanges, adding, “This is not an April Fools joke.”
On-chain researchers and security experts suggest the exploit may have resulted from a leaked private key, which allowed the attacker to compromise admin functionality and impact the vaults — meaning human error, not a smart contract bug, may have enabled the breach.
Drift TVL gutted, DRIFT token crashes 28%
The financial impact was immediate. Drift’s total value locked collapsed from approximately $550 million to $247 million, according to DeFiLlama data—a wipeout of over 55% of the platform’s liquidity. Drift’s native token, DRIFT, dropped nearly 37% on the day, trading around $0.043—down more than 98% from its November 2024 all-time high of $2.65.
On the Ethereum side, stolen assets were swapped into roughly 129,000 ETH. Publicly traded Solana treasury firms Forward Industries and DeFi Development Corp indicated their treasuries were not impacted, while wallet provider Phantom implemented user warnings against accessing Drift.
2026’s largest DeFi hack — and a growing pattern
The Drift Protocol hack is the second-largest security event in Solana’s history, trailing only the $326 million Wormhole bridge exploit in 2022. It is by far the largest DeFi exploit of 2026.
The incident adds to a brutal year for DeFi security. Earlier in 2026, the Resolv USR stablecoin suffered an $80 million exploit when an attacker minted unbacked tokens, and Venus Protocol lost $3.7 million to an oracle manipulation attack. Just a day ago, the LML staking protocol was drained for $950K on BSC using a similar price manipulation vector. PeckShield data shows crypto hacks drained $112.5 million in just the first two months of 2026—a figure the Drift exploit alone now dwarfs several times over.
ZachXBT also tied Circle’s broader behavior to its proposed optional privacy features on its upcoming Arc blockchain, suggesting those features could further reduce compliance accountability by limiting who can view transactions.
Circle has not publicly responded to the criticism. The incident has reignited debate over whether centralized stablecoin issuers can justify their freeze authority if they apply it selectively—aggressively against legitimate businesses on sealed court orders and passively while hundreds of millions in confirmed stolen funds transit their own infrastructure in broad daylight.