Circle Watched $232M in Stolen USDC Bridge Out for 6 Hours — and Did Nothing
Circle Watched $232M in Stolen USDC Bridge Out for 6 Hours — and Did Nothing
Three days after the $285M Drift Protocol hack rocked Solana, the story has taken a sharper edge — and this time, the target isn’t the hacker.
On-chain investigator ZachXBT published a thread on April 3 titled “Welcome to the Circle USDC files” — a meticulously documented takedown of Circle’s track record on freezing stolen funds. The receipts are ugly.
What Happened After the Drift Hack
The Drift attacker moved fast. After draining ~$285M from the Solana-based perpetuals DEX on April 1, they bridged 232 million USDC from Solana to Ethereum using Circle’s own Cross-Chain Transfer Protocol (CCTP).
The entire process took six hours — during U.S. business hours — with every transaction visible on-chain in real time.
Circle did not freeze a single dollar.
This is notable because Circle has the technical ability — and by its own terms — the contractual authority to blacklist USDC addresses and freeze stolen funds. They’ve done it before. They just didn’t here.
The Bigger Pattern: $420M Across 15 Cases
ZachXBT didn’t stop at Drift. The thread catalogued 15 separate incidents since 2022 where Circle held the power to freeze stolen or fraudulently obtained USDC but allegedly failed to act in a timely or adequate manner — totaling approximately $420 million in losses.
The pattern, according to ZachXBT:
- Circle moves fast when served a court order
- Circle moves slow (or not at all) during active exploits, even when contacted by protocols in real time
- Circle sometimes freezes first and asks questions later — but only for certain wallet types
The Irony: Circle Froze the Wrong Wallets
In a separate controversy that landed the same week, Circle also came under fire for freezing 16 legitimate wallets as part of an unrelated civil case — including DFINITY’s ckETH Minter contract, an infrastructure component of the Internet Computer Protocol’s Ethereum bridge. Five wallets were later unfrozen after protests from the affected teams.
Critics were quick to note the contrast: legitimate DeFi infrastructure gets frozen on request from a litigant. A North Korean-linked attacker bridges $232M in broad daylight — nothing.
The North Korea Connection
TRM Labs and Elliptic have both attributed the Drift Protocol exploit to North Korea’s Lazarus Group with high confidence. This isn’t a random grey-area hacker; it’s a sanctioned nation-state actor moving stolen funds through a stablecoin issuer’s own infrastructure.
The CCTP bridge was designed for legitimate cross-chain transfers. It’s now being scrutinized as a possible gap in Circle’s compliance posture — one that nation-state hackers appear to be actively exploiting.
Circle’s Response
As of publication, Circle has not issued a detailed public response to ZachXBT’s thread. A spokesperson previously stated that Circle “works closely with law enforcement and cooperates with legal processes” — a response that critics say sidesteps the specific question of proactive freezing during active exploits.
Why This Matters for Crypto Jobs
This story has direct implications for hiring across several verticals:
Compliance & AML roles are about to get scarcer and more senior. Stablecoin issuers — Circle, Tether, Paxos — are under increased political and regulatory pressure to demonstrate proactive compliance. Expect job postings for Director/VP-level AML, Sanctions Compliance, and Blockchain Intelligence roles to spike in the next 90 days. These are high-paying roles ($180K–$300K+) that require both legal fluency and on-chain chops.
Security engineering demand is surging at DeFi protocols. The Drift hack exposed how social engineering of multisig signers — not smart contract bugs — is now the primary attack vector. Protocols are quietly fast-tracking hires for Security Architects, Multisig Governance Engineers, and Incident Response leads.
On-chain forensics is one of the hottest niches in crypto right now. ZachXBT built a career doing publicly what firms like TRM Labs and Elliptic do professionally. The demand for blockchain forensics analysts is accelerating — especially post-exploit. If you can read Etherscan like a novel and trace fund flows across bridges, you’re employable.
Protocol risk roles are emerging. The Drift exploit wasn’t just a security failure — it was a governance failure. A zero-timelock Security Council migration removed the last line of defense. Expect mature DeFi protocols to start hiring dedicated Protocol Risk Officers, a role borrowed from TradFi but adapted for decentralized governance.
The Bottom Line
The Drift hack was a $285M disaster. The Circle controversy that followed it might end up being more consequential for the industry long-term. If the largest stablecoin issuer can’t — or won’t — act as a last-resort backstop against sanctioned nation-state actors, the entire “stablecoins are safer” narrative takes a hit.
The regulatory pressure that follows will reshape compliance hiring across the space. Position accordingly.
Looking for security, compliance, or forensics roles in crypto? The job board at Cryptogrind tracks Web3-native positions across DeFi protocols, stablecoin issuers, and blockchain security firms. Browse open roles now.
