Circle, the company behind USDC, has built its brand on being the regulated, compliant alternative in the stablecoin market. But according to blockchain investigator ZachXBT, that reputation has a $420 million-plus hole in it.
In a detailed thread titled “The Circle Files,” ZachXBT documented over fifteen incidents since 2022 in which Circle allegedly took “minimal action” against illicit USDC flows. The losses span some of crypto’s most notorious exploits, from the Nomad Bridge hack to the recent Drift Protocol attack, and paint a picture of a company that possesses the technical ability to freeze stolen funds but consistently fails to do so quickly enough to matter.
A catalog of missed opportunities
The numbers tell a damning story. The largest single incident involves the Drift Protocol exploit from April 2026, where roughly $286 million was drained from the platform. Of that, approximately $51.6 million was in USDC, with about $232 million ultimately bridged across chains during the attack. Circle did not freeze the funds in time.
For context, Tether managed to halt USDT cross-chain transfers within 90 minutes of the same Drift attack. Circle’s response was notably slower.
The other incidents ZachXBT cataloged read like a greatest hits album of DeFi exploits. The Mango Markets attack accounted for roughly $57.5 million in USDC that wasn’t frozen. The Nomad Bridge exploit in August 2022 saw $45 million in USDC flow through without being stopped. The Cetus exploit added another $61 million to the tally. Even smaller incidents, like the $3 million SwapNet hack, made the list.
In English: Circle had the tools to freeze these funds on-chain. It has done so in other cases. But across fifteen documented incidents spanning nearly four years, hundreds of millions of dollars allegedly slipped through because the company didn’t act fast enough.
The compliance paradox
Here’s the thing. Circle isn’t some scrappy startup operating out of a co-working space. It’s a US-regulated stablecoin issuer that has spent years positioning itself as the responsible actor in the room. USDC processed $2.2 trillion in transactions through March 2026, surpassing Tether’s volume for the first time since 2019. The token’s total supply has climbed to approximately $81 billion, with Circle minting over $8 billion since February alone.
That growth has been fueled in large part by institutional adoption. Banks, payment companies, and DeFi protocols have gravitated toward USDC precisely because of its regulatory posture. Circle holds state money transmitter licenses, maintains reserves in cash and short-dated US Treasuries, and has actively lobbied for stablecoin legislation like the GENIUS Act.
The disconnect between that compliance branding and ZachXBT’s findings is stark. A stablecoin issuer that markets itself on safety and regulatory adherence, yet allegedly allows hundreds of millions in stolen funds to move freely across its network, presents what might charitably be called a credibility problem.
“$420M+ in alleged compliance failures since 2022, including fifteen cases of the US-regulated stablecoin issuer taking minimal action against illicit funds.” – ZachXBT
Circle has not publicly responded to the specific allegations in the thread as of publication. The company has previously noted that freezing funds requires legal process and coordination with law enforcement, which can introduce delays.
That explanation works in theory. In practice, when your competitor is freezing the same stolen tokens 90 minutes after an exploit while you’re still warming up, the “we need proper legal process” argument starts to look less like principled caution and more like operational sluggishness.
What this means for investors and the broader market
Look, the immediate risk here isn’t that USDC is going to depeg or that Circle is somehow insolvent. The reserves backing USDC remain intact regardless of whether stolen tokens get frozen. But ZachXBT’s investigation raises a different kind of risk that institutional investors and DeFi protocols need to take seriously: counterparty risk rooted in compliance theater.
If you’re a protocol choosing USDC as your primary stablecoin because you believe Circle’s compliance infrastructure provides a safety net during exploits, these findings suggest that safety net has significant holes. Fifteen incidents over four years isn’t an occasional slip-up. It’s a pattern.
The competitive implications are also worth watching. Tether has long been the industry’s favorite punching bag when it comes to regulatory concerns. But on the specific question of freezing illicit funds quickly, USDT has demonstrably outperformed USDC in several high-profile incidents. That’s an awkward position for Circle, whose entire value proposition rests on being the more trustworthy option.
There’s also the legislative angle. The GENIUS Act, currently working its way through Congress, would establish a federal framework for stablecoin issuers. Proponents argue it would bring clarity and accountability to the market. But ZachXBT’s findings raise a pointed question: what good is a regulatory framework if the largest regulated issuer in the space can’t operationalize its compliance obligations in real time?
For DeFi protocols, the calculus may be shifting. Multi-stablecoin strategies, where protocols don’t rely on any single issuer, could become more attractive. Some projects may also look at whether on-chain freeze mechanisms need to be supplemented with protocol-level circuit breakers that don’t depend on stablecoin issuers acting quickly.
Institutional allocators should be paying attention too. The narrative that USDC equals regulatory safety has driven billions in capital toward Circle’s ecosystem. If that narrative erodes, even partially, it could reshape stablecoin market share dynamics in ways that benefit Tether, newer entrants, or even algorithmic alternatives that have been rebuilding credibility after the Terra collapse.
The timing matters as well. Circle has been widely reported to be preparing for a public offering, with an IPO potentially valuing the company at several billion dollars. A documented track record of compliance failures, even alleged ones, is exactly the kind of reputational risk that public market investors tend to scrutinize heavily. Securities lawyers reading ZachXBT’s thread are probably already drafting memos.
The bottom line
ZachXBT’s investigation doesn’t accuse Circle of malice. It accuses Circle of something potentially worse for a company that sells trust: indifference. Over $420 million in losses across fifteen incidents, spanning four years, with a company that has both the regulatory mandate and the technical capability to freeze funds faster. The gap between what Circle promises and what it apparently delivers isn’t just an operational shortcoming. For every protocol, institution, and user that chose USDC because it was supposed to be the safe option, it’s a betrayal of the core value proposition.