ZachXBT questions Circle's slow response during the Drift attack.
Key Event : In the early morning of April 2, 2026, on-chain investigator ZachXBT posted a series of messages on the X platform, fiercely criticizing USDC issuer Circle for its "inaction" during the $280 million+ attack on the Solana perpetual DEX Drift protocol. The attack occurred during US trading hours, with hackers bridging over $230 million USDC from Solana to Ethereum via Circle's cross-chain protocol CCTP . Circle reportedly took six hours to freeze the funds, having previously mistakenly frozen 16 unrelated corporate hot wallets. This reflects inconsistency in Circle 's security response, raising widespread questions within the industry about the responsibility of centralized stablecoin issuers.
The Drift attack was one of the biggest DeFi events in the Solana ecosystem recently, causing TVL to plummet by 92.5% and exposing the pain points of cross-chain bridges and stablecoin freezing mechanisms. ZachXBT's accusations spread rapidly, with a single tweet receiving over 197,000 views and over 2,700 likes, amplifying industry discontent.
Details of Drift Protocol Attacks
Drift, one of the largest perpetual DEXs on Solana, confirmed to have suffered an "active attack" on April 1, 2026 (New York time afternoon), resulting in the outflow of over $285 million in assets, primarily USDC, but also including Jupiter Perps, Fartcoin, and wETH. The protocol immediately suspended deposits and withdrawals and is coordinating an investigation with security companies, cross-chain bridges, and exchanges. (TechFlow BloomingBit)
Key indicator changes (data as of April 2, 2026):
| index | Before the attack | After the attack | change |
|---|---|---|---|
| TVL | $311.38M | $23.49M | -92.5% DeFiLlama via BloomingBit |
| Loss estimation | - | $200-285M | Main USDC |
| DRIFT token price | - | $0.05+ | -11% (24h) CoinGecko via TechFlow |
PeckShield's initial assessment is that the attackers' keys were compromised or compromised, allowing them to quickly transfer funds. Solana ecosystem KOLs, such as Helius CEO Mert Mumtaz, warned users to monitor their positions. TechFlow
Potentially affected protocols (summarized by @DefiSolar, users need to check themselves):
| protocol | Exposure type | Remark |
|---|---|---|
| radeNeutral | Delta-neutral strategy | High risk |
| elementaldefi | USD Vault | Kamino Partial Safety |
| synatraxyz | potential | - |
| project0 | - | - |
| ranger_finance | treasury | - |
| reflectmoney | - | - |
This list serves as a reminder to Solana revenue strategy users to check their exposures immediately. (TechFlow)
ZachXBT's specific accusations against Circle
ZachXBT posted 10+ tweets starting at 00:14 UTC on April 2, 2026, directly criticizing Circle as a "bad actor":
- Slow Attack Response : After launching the attack at 12 PM ET (US noon), the hackers completed over 100 transactions via CCTP within 6 hours, bridging over 230 million USDC to Ethereum, with Circle showing "no intervention." "Why does the industry allow them to remain silent?" X
- Motives questionable : Circle prioritizes lobbying government regulations and uses the buzzword "compliance" without actually addressing the problems. It takes no action unless it impacts revenue. XX
- The contrast is unfair : a few days ago (March 26), Circle mistakenly froze 16+ enterprise hot wallets (related to exchanges and casinos), which have been gradually unfrozen since then, yet they turn a blind eye to the hackers' funds.
These tweets garnered over 250,000 views and over 3,000 likes, with @circle, @jerallaire (CEO), and @usdc being mentioned multiple times, indicating immense pressure. (BlockBeats Phemex)
Circle CCTP Mechanism and Controversial Points
CCTP (Circle Cross-Chain Transfer Protocol) achieves cross-chain transfers by destroying USDC on the source chain and minting an equivalent amount of USDC on the target chain. It is centrally controlled by Circle and has the ability to freeze funds. However, ZachXBT claims that CCTP "successfully processed" the stolen funds during this attack, with no security triggers. (Coinness ChainCatcher)
Why it's important : CCTP is crucial for DeFi cross-chain infrastructure, and the Drift incident exposed monitoring blind spots. Industry disagreements lie on: How much power should stablecoin issuers have to freeze funds? What are the standards for real-time response? There's no official confirmation that CCTP was actually used for theft, but ZachXBT's timeline is detailed, and it's been widely reported in news outlets. BitcoinWorld
Event timeline (UTC, 2026)
| time | event | detail |
|---|---|---|
| April 1st, afternoon (NY time) | Drift attack launched | $285M outflow, access to TechFlow suspended. |
| 04-02 00:14 | ZachXBT's first post | This indicates that Circle has been inactive, bridging for several hours . |
| 04-02 04:53 | Update Post | Confirmed $230M+ bridging, 6-hour window X |
| 04-02 05:00+ | continuous attacks | Questioning Circle priority X, etc. |
| Current time (07:31 UTC) | News dissemination | Multiple platforms reported that TVL remained low. |
Industry Impact and Risk Assessment
Positive : Orca DEX CEO confirms fund security, emphasizing 4 audits + continuous monitoring, and the Solana ecosystem's rapid response. BitcoinWorld
risk :
| Risk factors | Severity | detail |
|---|---|---|
| Cross-chain monitoring is lacking | high | CCTP and other bridges easily become money laundering channels. |
| Inconsistent freezing | high | Accidentally freezing company accounts vs. ignoring hackers |
| Ecological infection | middle | Delta-neutral protocol exposed, TVL outflow |
| Regulatory pressure | middle | Amplify the censorship of Circle |
Data limitations : There is no official response from Circle or conclusive on-chain evidence proving the exact details of CCTP usage; the exact cause of the attack awaits the final report from PeckShield/Drift. TVL data is as of the morning of April 2nd and may be subject to further changes.
Conclusions and Outlook
ZachXBT's criticism directly addresses Circle's pain points: as a centralized issuer in New York, its "sleep" state for 6 hours during the US session attack, allowing 230 million USDC to be bridged, reveals a double standard compared to the mistaken freezing incident. This not only results in the $285 million loss for Drift, but also tests the role of stablecoins in DeFi security—the right to freeze assets is a double-edged sword, with slow response times and eroded trust.
Action Perspective :
- Traders : Avoid Drift exposure positions and monitor Solana TVL backflows.
- Project team : Strengthen admin key management and promote cross-chain standardization.
- Observer : Pay attention to Circle's response. If they remain silent, USDC's market share may be pressured (stablecoins rotate after similar historical events).
The incident is still unfolding, and if Circle doesn't clarify, it could trigger even greater repercussions. Solana DeFi needs to use this opportunity to strengthen bridge security to prevent becoming "the next Drift."