Circle faces backlash after $285 million Drift hack




After the $285 million Drift hack, the focus is shifting to Circle (CRCL) and whether it could have done more to stop the money.

The attacker siphoned off roughly $71 million in USDC as part of the exploit Wednesday, according to blockchain security firm PeckShield. After converting much of the rest of the stolen assets to USDC, the hacker used Circle’s cross-chain transfer protocol, CCTP, to bridge about $232 million in USDC from Solana to Ethereum, making recovery efforts harder.

That move has drawn criticism from parts of the crypto community, including prominent blockchain investigator ZachXBT, who argued Circle could have acted faster to limit the damage.

“Why should crypto businesses continue to build on Circle when a project with 9 fig[ure] TVL [total value locked] could not get support during a major incident?” he said in an X post following the attack.

To freeze or to not freeze

The company had tools at its disposal, ZachXBT pointed out. Under its own terms, Circle reserves the right to blacklist addresses and freeze USDC tied to any suspicious activity.

Preemptively freezing wallets linked to the exploit could have slowed or stopped the attacker’s ability to move funds, one stablecoin infrastructure firm founder told CoinDesk.

However, acting without a court order or law enforcement request could expose Circle to legal risk, the person added.

Salman Banei, general counsel of tokenized asset network Plume, said freezing assets without formal authorization could expose issuers to liability if done incorrectly. He argued regulators should address that legal gap.

“Lawmakers should provide a safe harbor from civil liability if digital asset issuers freeze assets when, in their reasonable judgment, there is strong basis to believe that illicit transfers have occurred,” Banei said.

That constraint was central to the company’s response.

“Circle is a regulated company that complies with sanctions, law enforcement orders, and court-mandated requirements,” a spokesperson said in an email to CoinDesk. “We freeze assets when legally required, consistent with the rule of law and with strong protections for user rights and privacy.”

‘Gray zone’

The episode highlights a deeper tension that’s drawing growing scrutiny as stablecoins grow.

Tokens like USDC have become a core part of global money flows, especially for cross-border payments and trading. At the same time, they’re also used in illicit activity, putting issuers under pressure to act quickly when things go wrong.

According to TRM Labs, roughly $141 billion in stablecoin transactions in 2025 were linked to illicit activity, including sanctions evasion and money laundering.

Blockchain security firms pointed to North Korean hackers as likely being behind the Drift exploit.

Stablecoins issued by centralized, regulated entities like Circle’s USDC are designed to be programmable and controllable, a feature that can help stop illicit flows but could also raise concerns about overreach and due process.

In the Drift exploit’s case, the situation is not that clear-cut, said Ben Levit, founder and CEO of stablecoin ratings agency Bluechip.

“I think people are framing this too simplistically as ‘Circle should’ve frozen,’” he said. “This wasn’t a clean hack, it was more of a market/oracle exploit, which puts it in a gray zone.”

“So any action by Circle becomes a judgment call, not just a compliance decision,” he added.

To him, the bigger issue is consistency. “USDC can’t be positioned as neutral infrastructure while also allowing discretionary intervention without clear rules,” Levit said. “Markets can handle strict policies or no intervention, but ambiguity is much harder to price.”

That leaves issuers in a difficult position. Moving too slowly risks criticism that they’re enabling bad actors, while acting too quickly without legal backing raises concerns about overreach.

And in fast-moving exploits, that trade-off becomes especially stark, with the window to act often measured in minutes rather than the weeks or months of legal processes.
