On-chain investigator ZachXBT noted Circle had delayed the freezing of USDC addresses linked to the Bybit exchange hack. The funds can still move, despite Circle’s ability to freeze addresses and recoup losses.
On-chain investigator ZachXBT pointed out Circle is not cooperating fast enough with the recovery of funds from the Bybit hack. Some of the funds are held in USDC, which can be frozen by the issuer. The current addresses with funds from the hack are still free to transact, making it possible for the hackers to launder the funds.
One of the concerns of ZachXBT is to return as much of the stolen funds as possible. Bybit already managed to refill its ETH losses but still seeks its lost funds on principle. The investigator responded to Jeremy Allaire, co-founder of Circle, aiming to bring attention to the project’s responsibility for controlling losses.
The involvement of USDC in the Bybit hack arrives at a time when Circle aims to evolve its stablecoin into a fully legalized payment tool. USDC is the favored stablecoin in Europe and was recently recognized by the Dubai Financial Service Authority. The USDC stablecoin grew by 3.1B tokens in the past three months, mostly due to issuing on Solana.
ZachXBT traces active USDC addresses linked to hacker activity
The USDC addresses identified by ZachXBT hold just 115K tokens, a small sum compared to the scale of the $1.5B hack. Time is still of the essence in recovering funds, and even a sum of $115K may be relevant in other types of hacks.
The potential to freeze funds from USDC was at first seen as a risk, but the stablecoin has the ability to stop bad actors and restore tokens to their owners. So far, USDC has banned an estimated 268 addresses, with no standard on targeting bad actors and reacting based on blockchain data.
ZachXBT tracked the addresses based on the original transfers of ETH. USDC was chosen as a secondary asset and could be frozen and re-issued. Despite the threat of freezing, bad actors still use the two leading stablecoins, aiming to act fast before the funds are intercepted.
Now 0xda2e has 338K USDC after receiving another 222.9K USDC after my post so here’s the tracing explained step by step probably showing its funds from the Bybit hack:
1). 0xda12 received 204.91 ETH from 0xe41B 31 hours ago in the following transaction…
— ZachXBT (@zachxbt) February 28, 2025
In the past six years since the launch of USDC, crypto users remained skeptical of the freeze function inherent to the USDC token. In theory, Circle could choose to freeze any address for any reason. This time, however, the token issuer has not taken note of the small-scale funds leak. Circle is working at scale, often issuing $250M mints daily, and has paid little attention to smaller holdings. Circle has still assisted the Bybit investigation and has provided clues on tracking down the funds.
ZachXBT noted that Tether had already reacted, freezing 106K USDT. Previously, Tether aimed to be censorship-free, but increased usage for scams led to the decision to target known addresses linked to bad actors. Tether’s CEO Paolo Ardoino announced the first asset freezes as early as February 22, just after the hack. The address freezes following the advice of ZachXBT.
Crypto protocols assisted the hack recovery. One of the biggest sums to be blocked was for $43M in mETH by Mantle Protocol. The token had an eight-hour delay in transfers as a precaution, acting quickly to prevent the hacker from exploiting its own cmETH smart contracts.
Unfortunately, other funds like mETH and ETH could not be frozen and are free to be mixed, swapped, or hidden in other ways. The hackers also moved funds through DAI, a stablecoin issued by Maker/Sky Protocol. DAI remains decentralized and has no freezing mechanism besides blacklisting addresses. The DAI stablecoin is also one of the assets most often mixed through Tornado Cash.
Several other projects continued with fund freezes where it was technologically possible. ThorChain blocked all blacklisted addresses to prevent them from mixing and hiding funds. ChangeNOW DEX intercepted 34 ETH. The FixedFloat exchange froze 120K in stablecoins USDT and USDC, with no assistance from Circle. Coinex and Bitget also froze blacklist addresses.
Cryptopolitan Academy: Coming Soon - A New Way to Earn Passive Income with DeFi in 2025. Learn More
