After the $285 million Drift hack, the main focus is shifting to Circle (CRCL) and whether or not it might have completed extra to cease the cash.
The attacker siphoned off roughly $71 million in USDC as a part of the exploit Wednesday, based on blockchain safety agency PeckShield. After changing a lot of the remainder of the stolen property to USDC, the hacker used Circle’s cross-chain switch protocol, CCTP, to bridge about $232 million in USDC from Solana to Ethereum, making restoration efforts tougher.
That motion has drawn criticism from elements of the crypto neighborhood, together with outstanding blockchain investigator ZachXBT, who argued Circle might have acted sooner to restrict the harm.
“Why ought to crypto companies proceed to construct on Circle when a undertaking with 9 fig[ure] TVL [total value locked] couldn’t get help throughout a significant incident?,” he mentioned in an X put up following the assault.
To freeze or to not freeze
The corporate had instruments at its disposal, ZachXBT identified. Below its personal phrases, Circle reserves the best to blacklist addresses and freeze USDC tied to any suspicious exercise.
Preemptively freezing wallets linked to the exploit might have slowed or stopped the attacker’s means to maneuver funds, one stablecoin infrastructure agency founder instructed CoinDesk.
Nevertheless, performing with no court docket order or legislation enforcement request may expose Circle to authorized danger, the particular person added.
Salman Banei, basic counsel of tokenized asset community Plume, mentioned freezing property with out formal authorization might expose issuers to legal responsibility if completed incorrectly. He argued regulators ought to deal with that authorized hole.
“Lawmakers ought to present a protected harbor from civil legal responsibility if digital asset issuers freeze property when, of their cheap judgment, there’s sturdy foundation to imagine that illicit transfers have occurred,” Banei mentioned.
That constraint was central to the corporate’s response.
“Circle is a regulated firm that complies with sanctions, legislation enforcement orders, and court-mandated necessities,” a spokesperson mentioned in an e-mail to CoinDesk. “We freeze property when legally required, in step with the rule of legislation and with sturdy protections for person rights and privateness.”
‘Grey zone’
The episode highlights a deeper pressure that’s drawing rising scrutiny as stablecoins develop.
Tokens like USDC have gotten a core a part of world cash flows, particularly for cross-border funds and buying and selling. On the identical time, they’re additionally utilized in illicit exercise, placing issuers below stress to behave shortly when issues go fallacious.
Based on TRM Labs, roughly $141 billion in stablecoin transactions in 2025 have been linked to illicit exercise, together with sanctions evasion and cash laundering.
Blockchain safety corporations pointed to North Korean hackers as probably being behind the Drift exploit.
Stablecoins issued by centralized, regulated entities like Circle’s USDC are designed to be programmable and controllable, a characteristic that may assist cease illicit flows however might additionally elevate considerations about overreach and due course of.
Within the Drift exploit’s case, the scenario is not that clear-cut, mentioned Ben Levit, founder and CEO of stablecoin scores company Bluechip.
“I believe persons are framing this too simplistically as ‘Circle ought to’ve frozen,'” he mentioned. “This wasn’t a clear hack, it was extra of a market/oracle exploit, which places it in a grey zone.”
“So any motion by Circle turns into a judgment name, not only a compliance resolution,” he added.
To him, the larger problem is consistency. “USDC cannot be positioned as impartial infrastructure whereas additionally permitting discretionary intervention with out clear guidelines,” Levit mentioned. “Markets can deal with strict insurance policies or no intervention, however ambiguity is far tougher to cost.”
That leaves issuers in a tough place. Shifting too slowly dangers criticism that they’re enabling unhealthy actors, whereas performing too shortly with out authorized backing raises considerations about overreach.
And in fast-moving exploits, that trade-off turns into particularly stark, with the window to behave typically measured in minutes fairly than weeks or months of authorized processes.
