Onchain investigator ZachXBT says Circle, issuer of the USDC stablecoin, failed to freeze or blacklist roughly $420 million in illicit USDC flows across 15 public hack-and-fraud cases dating to 2022. Circle can freeze funds and blacklist addresses, but ZachXBT alleges it either took “minimal” action or did not act in many incidents, including cases tied to DPRK-affiliated hackers.
Examples cited include:
– An alleged failure to freeze about $9 million in USDC linked to the GMX DEX hack in July 2025.
– Wallets tied to the $200 million Cetus DEX exploit in May 2025 were reportedly blacklisted only after the attackers converted USDC into ETH.
– Circle allegedly failed to freeze $232 million in illicit flows from the Drift Protocol hack despite a six-hour window when attackers converted USDC to ETH in more than 100 transactions.
ZachXBT said Circle “builds good products” and that he holds USDC, stressing his post was not intended to undermine the company. He added that the firm’s inaction has had “real consequences for real people,” noting: “Nine figures were lost from the ecosystem because of repeated inaction across three years on law enforcement requests, private sector requests, and their own infrastructure. The $420 million-plus only accounts for major public cases. The real figure is likely significantly higher.”
Cointelegraph contacted Circle for comment but had not received a response by publication.
The allegations have sparked debate in crypto communities over the role and responsibilities of centralized service providers as blockchain protocols and users face frequent hacks and exploits. Circle has previously frozen USDC and blacklisted addresses — for example, freezing USDC held by Tornado Cash addresses sanctioned by the U.S. Office of Foreign Assets Control in 2022.
In September 2025, Circle president Heath Tarbert said the company was exploring “reversible” USDC transactions that could be rolled back or amended in cases of hacks, theft, or fraud.