After the $285 million Drift hack, the main focus is shifting to Circle (CRCL) and whether or not it may have completed extra to cease the cash.
The attacker siphoned off roughly $71 million in USDC as a part of the exploit Wednesday, according to blockchain safety agency PeckShield. After changing a lot of the remainder of the stolen property to USDC, the hacker used Circle’s cross-chain switch protocol, CCTP, to bridge about $232 million in USDC from Solana to Ethereum, making restoration efforts tougher.
That motion has drawn criticism from components of the crypto neighborhood, together with distinguished blockchain investigator ZachXBT, who argued Circle may have acted sooner to restrict the injury.
“Why ought to crypto companies proceed to construct on Circle when a venture with 9 fig[ure] TVL [total value locked] couldn’t get help throughout a serious incident?,” he stated in an X put up following the assault.
To freeze or to not freeze
The corporate had instruments at its disposal, ZachXBT pointed out. Below its personal terms, Circle reserves the best to blacklist addresses and freeze USDC tied to any suspicious exercise.
Preemptively freezing wallets linked to the exploit may have slowed or stopped the attacker’s potential to maneuver funds, one stablecoin infrastructure agency founder informed CoinDesk.
Nevertheless, appearing with no courtroom order or legislation enforcement request would possibly expose Circle to authorized threat, the particular person added.
Salman Banei, basic counsel of tokenized asset community Plume, said freezing property with out formal authorization may expose issuers to legal responsibility if completed incorrectly. He argued regulators ought to tackle that authorized hole.
“Lawmakers ought to present a protected harbor from civil legal responsibility if digital asset issuers freeze property when, of their cheap judgment, there’s sturdy foundation to imagine that illicit transfers have occurred,” Banei stated.
That constraint was central to the corporate’s response.
“Circle is a regulated firm that complies with sanctions, legislation enforcement orders, and court-mandated necessities,” a spokesperson stated in an e mail to CoinDesk. “We freeze property when legally required, per the rule of legislation and with sturdy protections for consumer rights and privateness.”
‘Grey zone’
The episode highlights a deeper pressure that’s drawing rising scrutiny as stablecoins develop.
Tokens like USDC have gotten a core a part of world cash flows, particularly for cross-border funds and buying and selling. On the identical time, they’re additionally utilized in illicit exercise, placing issuers beneath stress to behave rapidly when issues go improper.
In response to TRM Labs, roughly $141 billion in stablecoin transactions in 2025 have been linked to illicit exercise, together with sanctions evasion and cash laundering.
Blockchain security corporations pointed to North Korean hackers as seemingly being behind the Drift exploit.
Stablecoins issued by centralized, regulated entities like Circle’s USDC are designed to be programmable and controllable, a characteristic that may assist cease illicit flows however may additionally elevate issues about overreach and due course of.
Within the Drift exploit’s case, the state of affairs is not that clear-cut, stated Ben Levit, founder and CEO of stablecoin scores company Bluechip.
“I feel persons are framing this too simplistically as ‘Circle ought to’ve frozen,'” he stated. “This wasn’t a clear hack, it was extra of a market/oracle exploit, which places it in a grey zone.”
“So any motion by Circle turns into a judgment name, not only a compliance determination,” he added.
To him, the larger subject is consistency. “USDC cannot be positioned as impartial infrastructure whereas additionally permitting discretionary intervention with out clear guidelines,” Levit stated. “Markets can deal with strict insurance policies or no intervention, however ambiguity is way tougher to cost.”
That leaves issuers in a troublesome place. Transferring too slowly dangers criticism that they’re enabling dangerous actors, whereas appearing too rapidly with out authorized backing raises issues about overreach.
And in fast-moving exploits, that trade-off turns into particularly stark, with the window to behave typically measured in minutes quite than weeks or months of authorized processes.
