After the $285 million Drift hack, the main focus is shifting to Circle (CRCL) and whether or not it may have completed extra to cease the cash.
The attacker siphoned off roughly $71 million in USDC as a part of the exploit Wednesday, in keeping with blockchain safety agency PeckShield. After changing many of the remainder of the stolen property to USDC, the hacker used Circle’s cross-chain switch protocol, CCTP, to bridge about $232 million in USDC from Solana to Ethereum, making restoration efforts harder.
That motion has drawn criticism from components of the crypto group, together with outstanding blockchain investigator ZachXBT, who argued Circle may have acted quicker to restrict the harm.
“Why should crypto businesses continue to build on Circle when a project with 9 fig[ure] TVL [total value locked] could not get support during a major incident?,” he stated in an X submit following the assault.
To freeze or to not freeze
The corporate had instruments at its disposal, ZachXBT identified. Beneath its personal phrases, Circle reserves the proper to blacklist addresses and freeze USDC tied to any suspicious exercise.
Preemptively freezing wallets linked to the exploit may have slowed or stopped the attacker’s capacity to maneuver funds, one stablecoin infrastructure agency founder informed CoinDesk.
Nevertheless, performing with out a courtroom order or regulation enforcement request may expose Circle to authorized danger, the particular person added.
Salman Banei, basic counsel of tokenized asset community Plume, stated freezing property with out formal authorization may expose issuers to legal responsibility if completed incorrectly. He argued regulators ought to deal with that authorized hole.
“Lawmakers should provide a safe harbor from civil liability if digital asset issuers freeze assets when, in their reasonable judgment, there is strong basis to believe that illicit transfers have occurred,” Banei stated.
That constraint was central to the corporate’s response.
“Circle is a regulated company that complies with sanctions, law enforcement orders, and court-mandated requirements,” a spokesperson stated in an e-mail to CoinDesk. “We freeze assets when legally required, consistent with the rule of law and with strong protections for user rights and privacy.”
‘Grey zone’
The episode highlights a deeper stress that’s drawing rising scrutiny as stablecoins develop.
Tokens like USDC have gotten a core a part of international cash flows, particularly for cross-border funds and buying and selling. On the similar time, they’re additionally utilized in illicit exercise, placing issuers underneath strain to behave rapidly when issues go flawed.
In response to TRM Labs, roughly $141 billion in stablecoin transactions in 2025 have been linked to illicit exercise, together with sanctions evasion and cash laundering.
Blockchain safety companies pointed to North Korean hackers as possible being behind the Drift exploit.
Stablecoins issued by centralized, regulated entities like Circle’s USDC are designed to be programmable and controllable, a characteristic that may assist cease illicit flows however may additionally increase considerations about overreach and due course of.
Within the Drift exploit’s case, the scenario is not that clear-cut, stated Ben Levit, founder and CEO of stablecoin rankings company Bluechip.
“I think people are framing this too simplistically as ‘Circle should’ve frozen,'” he stated. “This wasn’t a clean hack, it was more of a market/oracle exploit, which puts it in a gray zone.”
“So any action by Circle becomes a judgment call, not just a compliance decision,” he added.
To him, the larger situation is consistency. “USDC can’t be positioned as neutral infrastructure while also allowing discretionary intervention without clear rules,” Levit stated. “Markets can handle strict policies or no intervention, but ambiguity is much harder to price.”
That leaves issuers in a tough place. Transferring too slowly dangers criticism that they’re enabling dangerous actors, whereas performing too rapidly with out authorized backing raises considerations about overreach.
And in fast-moving exploits, that trade-off turns into particularly stark, with the window to behave usually measured in minutes relatively than weeks or months of authorized processes.
