ZachXBT Sounds Alarm: Circle’s CCTP Turns Into DeFi Highway for $285M Drift Bandit While Team Clocks Out for Coffee

Onchain detective ZachXBT is roasting Circle like a degen flipping a 10x leveraged short after the stablecoin giant let $285 million in stolen USDC joyride across its Cross-Chain Transfer Protocol post-Drift Protocol exploit on April 1. Turns out, when your mint-and-burn bridge becomes a getaway car service, people notice—especially when the heist goes down during U.S. business hours and nobody hits the brakes.

The Solana-powered perpetual futures playground Drift got absolutely rekt, hemorrhaging around $285 million from its main vault in what’s now crowned the largest DeFi exploit of 2026. PeckShield and Arkham Intelligence watched like horrified bystanders as the cash flowed into attacker wallets, then smoothly bridged from Solana to Ethereum via Circle’s CCTP—because nothing says “secure DeFi” like letting hackers take the VIP lane through your permissioned bridge.

ZachXBT didn’t just raise concerns—he torched the podium.
"Circle was asleep at the wheel while nine figures in USDC casually swapped via CCTP from Solana to Ethereum for hours during the Drift heist," he fired off, probably while sipping black coffee and side-eyeing Circle’s compliance team’s Slack status. "Either they’re incompetent or running a bridge with the security of a MySpace login."

Security sleuth Specter matched the energy, pointing out the attacker wasn’t exactly moving like a panicked rug puller. Instead, they chilled with USDC in various wallets for 1 to 3 hours—posting up like they owned the place—before swapping, all while conspicuously dodging USDT.
“They clearly knew Circle wouldn’t freeze the funds,” Specter said, equal parts impressed and furious. “I was so pissed today watching the attacker use USDC with zero fear. It wasn’t a bridge—it was an open invitation.”

The irony got thicker than a layer-0 whitepaper. Just days before the Drift bloodbath, on March 23, Circle yanked the plug on USDC in 16 unrelated business hot wallets—frozen mid-flow thanks to a sealed U.S. civil case. Boom: payment processors, casinos, and exchanges all got pause-gamed. ZachXBT had already labeled that freeze as the most boneheaded move he’d seen since the Terra meltdown. Why? Because those wallets were doing legit on-chain stuff—not funding hacker ski vacations.

Circle did eventually thaw one wallet tied to Goated.com on March 26, playing redemption arc on hard mode. But most stayed locked, like NFTs in a dead project’s treasury.

So here’s the plot twist: Circle flexes freeze-ray power on small-time actors in a civil case, but when a nine-figure exploit uses their own bridge as a getaway route? Crickets. No alerts, no circuit breakers, not even a polite “hey, maybe don’t?” The double standard is so wide you could bridge a whole fleet of stolen stablecoins through it.

On Ethereum, the stolen loot got flipped into roughly 129,000 ETH—because nothing cleans money like a quick swap and a Lambo-shaped exit. Drift’s TVL cratered from $550 million to $247 million, and the DRIFT token dumped nearly 28%, proving once again that “trustless” works great until your bridge has a central kill switch that only works when it’s convenient.

ZachXBT also lobbed a grenade at Circle’s upcoming Arc blockchain, which promises optional privacy features. Cute, he said—unless that means even less accountability when things