ZachXBT: Circle has repeatedly failed in compliance actions, with amounts involved exceeding $420 million.

ChainCatcher update: on-chain investigator ZachXBT has released an investigation report targeting Circle, claiming that since 2022 the company has had issues with “ineffective compliance enforcement” in multiple incidents involving illegal funds, with a cumulative amount exceeding $420 million.

The report notes that, as the issuer of USDC, Circle has long been known for its regulated, well-developed compliance framework, and its token contract also includes functionality to freeze and blacklist addresses, with its terms of service explicitly reserving the right to restrict suspicious accounts. However, in multiple major security incidents, these mechanisms were not used in a timely and effective manner.

The report highlights in particular the Drift Protocol attack incident dated April 1, 2026, in which approximately $280 million in assets were stolen. The attacker used Circle’s own cross-chain bridge, CCTP, to move more than $232 million worth of USDC from Solana to Ethereum within six hours, but no assets were frozen during that time. Similar situations also appeared in attack incidents involving SwapNet, Cetus Protocol, and Mango Markets, among others. In some cases, even after law enforcement agencies and industry experts had already issued freezing requests, Circle still did not take action in a timely way, and in some instances only handled matters after the assets had already been transferred.

In addition, the report points out that in investigations into money laundering involving the hacker organization Lazarus Group, Circle was notably slower to respond than other stablecoin issuers (such as Tether, Paxos, etc.). In some cases, the freeze operation was delayed by as long as several months. Similar delays also occurred in the Ledger supply-chain attack and the GMX attack incidents, where USDC remained at suspicious addresses for several hours or even longer, yet was still not frozen.

In the report, ZachXBT said that this disclosure is not meant to negate the product or the value of stablecoins themselves, but emphasized that its compliance enforcement decisions have caused “real and significant losses” to the industry.

He added that over the past three years, due to repeated failures to act in a timely manner, cumulative losses across the DeFi ecosystem have reached the nine-figure dollar range, while the $420 million figure is only a conservative estimate based on publicly known cases, and the actual scale may be higher.