Circle's $420M Oopsie: ZachXBT Shows USDC's Freezing Mechanism Has More Holes Than a DAO Governance Call

On-chain detective ZachXBT has dropped what he's calling the "Circle USDC files" — essentially a receipts screenshot of approximately $420 million in dirty stablecoins that allegedly slipped through the freeze mechanism like water through a regulatory sieve. The breakdown covers 15 separate cases since 2022 where Circle apparently forgot how to press the big red "freeze" button, or at least delayed pressing it until the funds had done a world tour.

The investigation highlights a pattern of delayed or absent action from Circle, even when given hours or days to act. In the most recent incident, the $285 million Drift Protocol exploit saw a six-hour window slip away as the attacker converted USDC to ETH across over 100 transactions. Circle allegedly didn't budge. Six hours. That's roughly 54 blocks, or about the same time it takes to get rejected from three consecutive smart contract audits.

The GMX DEX hack in July 2025 saw $9 million in USDC sit untouched in hacker wallets. The attacker probably checked their phone after a few hours, saw no freeze, and thought "ah, they must be having a coffee break." The Cetus DEX hack in May 2025? Circle blacklisted those wallets only after the USDC had already been converted to Ether — slightly less useful than locking the barn after the horses have formed a DAO and voted to leave town.

North Korean state-affiliated hackers — yes, the Lazarus Group types — also got preferential treatment, apparently. While Tether moved within hours to freeze addresses linked to the $1.5 billion Bybit heist in February 2025, Circle reportedly waited an additional 24 hours before taking action. One almost wonders if Circle's compliance team was waiting for a formal invitation written in triplicate, notarized, and delivered by carrier pigeon.

One particularly baffling detail: Circle's inaction is financially counterintuitive. As user Luke Cannon pointed out, freezing these addresses would have kept funds in Circle's reserves while legal proceedings played out. Instead, hackers dumped the USDC, and market makers redeemed it. It's a bit like leaving your wallet on a park bench and being surprised when someone "redeems" it — except the wallet contains nine figures and the bench is your compliance department.

"Nine figures were lost from the ecosystem because of repeated inaction across three years," ZachXBT noted. And the $420 million figure? He believes it only covers major public cases — the real number is likely significantly higher. Somewhere, a mid-level compliance analyst is quietly updating their LinkedIn.

Circle's president, Heath Tarbert, announced in September 2025 that the company was exploring "re