After the $285 million Drift hack, the focus is shifting to Circle (CRCL) and whether it could have done more to stop the money.
The attacker siphoned off roughly $71 million in USDC as part of the exploit Wednesday, according to blockchain security firm PeckShield. After converting most of the rest of the stolen assets to USDC, the hacker used Circle’s cross-chain transfer protocol, CCTP, to bridge about $232 million in USDC from Solana to Ethereum, making recovery efforts more difficult.
That movement has drawn criticism from parts of the crypto community, including prominent blockchain investigator ZachXBT, who argued Circle could have acted faster to limit the damage.
“Why should crypto businesses continue to build on Circle when a project with 9 fig[ure] TVL [total value locked] could not get support during a major incident?,” he said in an X post following the attack.
To freeze or not to freeze
The company had tools at its disposal, ZachXBT pointed out. Under its own terms, Circle reserves the right to blacklist addresses and freeze USDC tied to any suspicious activity.
Preemptively freezing wallets linked to the exploit could have slowed or stopped the attacker’s ability to move funds, one stablecoin infrastructure firm founder told CoinDesk.
However, acting without a court order or law enforcement request might expose Circle to legal risk, the person added.
Salman Banei, general counsel of tokenized asset network Plume, said freezing assets without formal authorization could expose issuers to liability if done incorrectly. He argued regulators should address that legal gap.
“Lawmakers should provide a safe harbor from civil liability if digital asset issuers freeze assets when, in their reasonable judgment, there is strong basis to believe that illicit transfers have occurred,” Banei said.
That constraint was central to the company’s response.
“Circle is a regulated company that complies with sanctions, law enforcement orders, and court-mandated requirements,” a spokesperson said in an email to CoinDesk. “We freeze assets when legally required, consistent with the rule of law and with strong protections for user rights and privacy.”
‘Gray zone’
The episode highlights a deeper tension that’s drawing increasing scrutiny as stablecoins grow.
Tokens like USDC are becoming a core part of global money flows, especially for cross-border payments and trading. At the same time, they are also used in illicit activity, putting issuers under pressure to act quickly when things go wrong.
According to TRM Labs, roughly $141 billion in stablecoin transactions in 2025 were linked to illicit activity, including sanctions evasion and money laundering.
Blockchain security firms pointed to North Korean hackers as likely being behind the Drift exploit.
Stablecoins issued by centralized, regulated entities like Circle’s USDC are designed to be programmable and controllable, a feature that can help stop illicit flows but could also raise concerns about overreach and due process.
In the Drift exploit’s case, the situation isn’t that clear-cut, said Ben Levit, founder and CEO of stablecoin ratings agency Bluechip.
“I think people are framing this too simplistically as ‘Circle should’ve frozen,'” he said. “This wasn’t a clean hack, it was more of a market/oracle exploit, which puts it in a gray zone.”
“So any action by Circle becomes a judgment call, not just a compliance decision,” he added.
To him, the bigger issue is consistency. “USDC can’t be positioned as neutral infrastructure while also allowing discretionary intervention without clear rules,” Levit said. “Markets can handle strict policies or no intervention, but ambiguity is much harder to price.”
That leaves issuers in a difficult position. Moving too slowly risks criticism that they are enabling bad actors, while acting too quickly without legal backing raises concerns about overreach.
And in fast-moving exploits, that trade-off becomes especially stark, with the window to act often measured in minutes rather than weeks or months of legal processes.
