After the $285 million Drift hack, the main focus is shifting to Circle (CRCL) and whether or not it may have accomplished extra to cease the cash.
The attacker siphoned off roughly $71 million in USDC as a part of the exploit Wednesday, in accordance with blockchain safety agency PeckShield. After changing a lot of the remainder of the stolen belongings to USDC, the hacker used Circle’s cross-chain switch protocol, CCTP, to bridge about $232 million in USDC from Solana to Ethereum, making restoration efforts tougher.
That motion has drawn criticism from elements of the crypto group, together with outstanding blockchain investigator ZachXBT, who argued Circle may have acted quicker to restrict the harm.
“Why ought to crypto companies proceed to construct on Circle when a undertaking with 9 fig[ure] TVL [total value locked] couldn’t get help throughout a serious incident?,” he stated in an X put up following the assault.
To freeze or to not freeze
The corporate had instruments at its disposal, ZachXBT identified. Beneath its personal phrases, Circle reserves the fitting to blacklist addresses and freeze USDC tied to any suspicious exercise.
Preemptively freezing wallets linked to the exploit may have slowed or stopped the attacker’s means to maneuver funds, one stablecoin infrastructure agency founder informed CoinDesk.
Nonetheless, appearing and not using a courtroom order or legislation enforcement request would possibly expose Circle to authorized threat, the individual added.
Salman Banei, common counsel of tokenized asset community Plume, stated freezing belongings with out formal authorization may expose issuers to legal responsibility if accomplished incorrectly. He argued regulators ought to tackle that authorized hole.
“Lawmakers ought to present a secure harbor from civil legal responsibility if digital asset issuers freeze belongings when, of their affordable judgment, there’s robust foundation to imagine that illicit transfers have occurred,” Banei stated.
That constraint was central to the corporate’s response.
“Circle is a regulated firm that complies with sanctions, legislation enforcement orders, and court-mandated necessities,” a spokesperson stated in an electronic mail to CoinDesk. “We freeze belongings when legally required, in step with the rule of legislation and with robust protections for consumer rights and privateness.”
‘Grey zone’
The episode highlights a deeper stress that’s drawing rising scrutiny as stablecoins develop.
Tokens like USDC have gotten a core a part of world cash flows, particularly for cross-border funds and buying and selling. On the similar time, they’re additionally utilized in illicit exercise, placing issuers beneath strain to behave rapidly when issues go incorrect.
In keeping with TRM Labs, roughly $141 billion in stablecoin transactions in 2025 had been linked to illicit exercise, together with sanctions evasion and cash laundering.
Blockchain safety corporations pointed to North Korean hackers as probably being behind the Drift exploit.
Stablecoins issued by centralized, regulated entities like Circle’s USDC are designed to be programmable and controllable, a characteristic that may assist cease illicit flows however may additionally increase considerations about overreach and due course of.
Within the Drift exploit’s case, the state of affairs is not that clear-cut, stated Ben Levit, founder and CEO of stablecoin rankings company Bluechip.
“I feel individuals are framing this too simplistically as ‘Circle ought to’ve frozen,'” he stated. “This wasn’t a clear hack, it was extra of a market/oracle exploit, which places it in a grey zone.”
“So any motion by Circle turns into a judgment name, not only a compliance resolution,” he added.
To him, the larger concern is consistency. “USDC cannot be positioned as impartial infrastructure whereas additionally permitting discretionary intervention with out clear guidelines,” Levit stated. “Markets can deal with strict insurance policies or no intervention, however ambiguity is far tougher to cost.”
That leaves issuers in a tough place. Transferring too slowly dangers criticism that they’re enabling dangerous actors, whereas appearing too rapidly with out authorized backing raises considerations about overreach.
And in fast-moving exploits, that trade-off turns into particularly stark, with the window to behave usually measured in minutes slightly than weeks or months of authorized processes.