ZachXBT Blasts Circle Over Drift Hack, Solana CCTP Leak

Blockchain investigator ZachXBT has reportedly renewed his criticism of Circle, the issuer of USDC, over what he describes as inaction following the Drift Protocol exploit on Solana, with secondary reports alleging that stolen funds moved off the chain through Circle’s Cross-Chain Transfer Protocol.

The Drift hack, which surfaced on April 1, is shaping up to be one of the largest DeFi exploits of 2026. Estimates of the damage range from more than $200 million to as high as $285 million, and the protocol immediately paused deposits and withdrawals while it investigated.

The incident triggered a sharp collapse in Drift Trade’s total value locked. DeFiLlama data shows TVL falling from $311.38 million to roughly $23.49 million between April 1 and April 2, a decline of approximately 92.5%.

Why ZachXBT Is Criticizing Circle Again

According to unconfirmed secondary reports, ZachXBT accused Circle of failing to freeze stolen funds quickly enough after the Drift exploit. The criticism follows a pattern; ZachXBT has previously called out Circle over response times in other hacking incidents.

No directly fetchable primary post from ZachXBT confirming the specific statements tied to this incident has been independently verified at the time of publication. The accusation was reported by aggregator outlets but has not been corroborated by a first-party source.

The core allegation is that Circle had the ability to blacklist or freeze USDC addresses linked to the stolen funds but did not act fast enough, allowing the attacker to move assets off Solana before any freeze could take effect.

How Stolen Funds Reportedly Moved From Solana Through CCTP

Circle’s Cross-Chain Transfer Protocol enables USDC to move natively between blockchains through a burn-and-mint mechanism. When a user initiates a transfer, USDC is burned on the source chain and an equivalent amount is minted on the destination chain, maintaining a 1:1 peg.

Drift had officially integrated Circle’s CCTP, allowing traders to move USDC from Arbitrum, Base, and Ethereum onto Drift on Solana as trading collateral. That same infrastructure, according to unconfirmed reports, may have provided the attacker a route to bridge stolen USDC off Solana after the exploit.

No directly fetched explorer data or transaction-level evidence has confirmed that the stolen funds specifically exited through CCTP. The claim remains attributed to secondary reporting, and readers should treat it as an unverified allegation until on-chain proof surfaces.

What CCTP Means in This Context

CCTP differs from traditional bridges because Circle, as the sole USDC issuer, controls the mint-and-burn process. This centralized control is precisely why critics like ZachXBT argue Circle bears responsibility: if Circle can freeze USDC on any chain, it theoretically could have intercepted the funds mid-transfer.

The counterargument is that freezing assets in real time across multiple chains requires rapid identification, legal coordination, and technical execution. Whether Circle’s response window was reasonable remains a point of dispute.

Why Circle’s Response Is Under Scrutiny in the Drift Case

Circle occupies a unique position in the stablecoin ecosystem. As the issuer of USDC, it has the technical capability to blacklist specific addresses, effectively freezing funds in place. This power has been used in past incidents, which is why the alleged delay draws scrutiny.

The criticism centers on response time, not capability. ZachXBT’s reported complaint is not that Circle lacks the tools to act but that it did not deploy them quickly enough after the Drift exploit became public.

Security firm PeckShield weighed in on the exploit itself. Jiang Xuxian of PeckShield stated that the admin keys behind Drift were “definitely leaked or compromised,” pointing to a root cause that may have given the attacker access before any external party could respond.

This raises a difficult question for the industry: if an exploit stems from compromised admin keys, how quickly can any third party, including a stablecoin issuer, reasonably be expected to intervene?

The Drift Protocol attack has already cut the platform’s TVL in half according to earlier coverage, and updated figures now show an even steeper drop. The speed of the TVL collapse suggests that users rushed to withdraw remaining funds once the exploit became known.

What the Incident Means for Solana, Drift, and Stablecoin Risk Monitoring

The broader Solana ecosystem felt the impact. SOL fell to $79.08, a decline of 4.45% over 24 hours, with trading volume reaching $5.17 billion during the sell-off. The token’s market cap sat at $45.34 billion as the fallout continued.

Solana’s overall chain TVL remained at $12.06 billion, suggesting the damage was concentrated around Drift rather than spreading into a broader contagion event. Still, the incident adds to a growing list of security concerns for high-profile Solana protocols.

The Galaxy Digital testnet hack earlier this year, though far smaller in scale, highlighted similar questions about how quickly centralized actors can respond to exploits across decentralized infrastructure.

TechCrunch described the Drift hack as on track to be 2026’s largest crypto theft so far. That distinction, if confirmed at the upper end of estimates, would place it among the most significant DeFi exploits in recent memory.

The dispute between ZachXBT and Circle also surfaces a structural tension in stablecoin design. USDC’s centralized issuance model gives Circle freeze capabilities that fully decentralized assets lack. Critics argue this power creates an obligation to act swiftly; Circle may counter that rapid freezes without due process carry their own risks.

For Drift users, the immediate concern is the status of paused withdrawals and whether any portion of the stolen funds can be recovered. The protocol has not yet issued a detailed post-mortem, and the investigation remains ongoing.

The case also raises questions about cross-chain monitoring infrastructure. If stolen funds can move between chains through a protocol controlled by a single issuer, the industry may need clearer standards for response timelines, automated detection triggers, and coordination between protocol teams and stablecoin issuers.

With the Fed hold in April remaining the market base case, macro conditions are unlikely to provide a sentiment tailwind for Solana-linked assets recovering from the exploit’s reputational damage.

FAQ

Who is ZachXBT?

ZachXBT is a pseudonymous blockchain investigator known for tracing stolen funds and publicly calling out entities he believes failed to act on exploit-related transactions. He has built a reputation for detailed on-chain forensics shared primarily through social media.

What is Circle CCTP?

Circle’s Cross-Chain Transfer Protocol is a system that allows USDC to move natively between supported blockchains. It works by burning USDC on the source chain and minting an equivalent amount on the destination chain, with Circle acting as the sole authority over the process.

What happened in the Drift hack?

On April 1, 2026, Drift Protocol on Solana suffered an exploit estimated between $200 million and $285 million. Security analysts pointed to compromised admin keys as the likely cause. Drift paused all deposits and withdrawals immediately, and its TVL collapsed by over 92% within a day.

Why are stolen funds on Solana part of the controversy?

The controversy stems from allegations that the attacker used Circle’s CCTP to bridge stolen USDC off Solana to other chains. Because Circle controls the CCTP burn-and-mint process and has the ability to freeze USDC addresses, critics argue Circle should have intervened before the funds could be moved. This claim remains unverified by on-chain evidence at the time of writing.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Cryptocurrency and digital asset markets carry significant risk. Always do your own research before making decisions.