Circle, the company behind USDC, the second-largest stablecoin in the world, is now facing a class action lawsuit for something it did not do. On April 1, hackers drained approximately $285 million from Drift Protocol, a Solana-based decentralised derivatives exchange, in the biggest DeFi hack of 2026. Over the following hours, the attackers converted most of the stolen funds to USDC and bridged roughly $230 million from Solana to Ethereum using Circle’s own Cross-Chain Transfer Protocol. Circle did not freeze the funds. Now over 100 investors are asking a federal court why not.
What Happened at Drift
The April 1 Drift Protocol exploit was one of the most significant DeFi thefts of the year. Security analysis indicates that the attackers did not simply exploit buggy code. The incident appears to have involved privileged-access abuse, governance compromise, and social-engineering tactics.
The attackers used a technique called a “durable nonce” to trick members of Drift’s Security Council into signing transactions that looked routine. Those pre-signed approvals sat unused for days, then were activated all at once on April 1, giving the hackers full administrative control of the protocol. The entire drain took less than 12 minutes. What happened next took eight hours.
Attackers used Circle’s Cross-Chain Transfer Protocol to move USDC from Solana to Ethereum over a period of hours, then converted the stablecoin into Ether and routed funds through the Tornado Cash privacy tool to obscure the trail. Analysts who reviewed the transactions reported a pattern and timing consistent with transfers by state-backed North Korean actors, with more than 100 transfers via the bridge during US business hours.
What the Lawsuit Claims
The lawsuit was filed by Drift investor Joshua McCollum on behalf of over 100 members in a US district court in Massachusetts. It accuses Circle of allowing the attackers to transfer about $230 million worth of USDC from Solana to Ethereum via Circle’s CCTP over several hours without intervention. “Circle permitted this criminal use of its technology and services,” attorneys representing McCollum wrote. “These losses would not have occurred, or would have been substantially reduced, had Circle taken timely action.”
The plaintiffs are not arguing that Circle caused the hack. They are arguing that Circle watched stolen money flow through its own infrastructure for eight hours and did nothing to stop it.
McCollum’s lawyers pointed out that Circle froze 16 USDC wallets in connection with a sealed US civil case about a week before the Drift incident, arguing that Circle had the technical capacity to do the same. That detail is potentially devastating for Circle’s defence. If you freeze wallets one week and then decline to freeze wallets the next week when $230 million is being laundered through your bridge, the question of why you chose not to act becomes very difficult to answer.
Circle’s Position
Circle CEO Jeremy Allaire has been direct about the company’s stance. Speaking at a press conference in Seoul, Allaire said Circle freezes USDC wallets only when directed by law enforcement or courts, not in real time during hacks. He positioned USDC as a regulated financial product rather than a tool for real-time intervention. “Circle has a very, very clear performance obligation under the law,” Allaire said.
The legal logic is coherent. Circle argues that freezing assets without a court order would expose it to liability from the other direction. If it freezes the wrong wallet, blocks a legitimate user, or acts on bad intelligence, it faces lawsuits from the people whose funds it froze. In a world where transactions happen in minutes but court orders take days, that gap creates a genuine dilemma.
But the optics are brutal. Rival Tether, the issuer of the world’s largest stablecoin USDT, has a more proactive approach. The company has repeatedly frozen funds linked to hacks and illicit activity within hours. In several cases cited by blockchain investigator ZachXBT, including exploits affecting Ledger and Remitano, Tether blacklisted stolen funds while equivalent USDC remained untouched.
Why This Case Could Reshape the Stablecoin Industry
The lawsuit is not just about Drift or Circle. It is about a question that the entire stablecoin industry will eventually need to answer: if you build a centralised stablecoin that you market as regulated, compliant, and safe, and you retain the technical ability to freeze funds at any time, are you legally obligated to use that power when stolen money crosses your bridge?
Right now, there is no clear legal standard. The GENIUS Act, the US stablecoin law signed last year, establishes licensing and reserve requirements for stablecoin issuers but does not specifically address freeze obligations during live exploits. The CLARITY Act, still working through the Senate, does not resolve this question either.
The case could reshape expectations for the entire stablecoin sector. Circle’s own disclosures may undercut its public posture. Circle’s published USDC materials say it may block or freeze addresses in certain circumstances, giving plaintiffs room to argue that Circle was not powerless at all, but selectively passive.
ZachXBT analysed Circle’s freeze patterns across multiple incidents, concluding that the company’s failure to freeze over $230 million in Drift funds after approximately six hours was “unacceptable” and represented a fundamental failure of user protection. His analysis revealed a pattern across 15 separate incidents since 2022 where either delayed action or complete inaction had allowed stolen funds to escape freeze.
If the court finds that Circle had a duty to act and failed, every stablecoin issuer in the world will need to rethink its response protocols. If the court finds Circle had no duty, then the $185 billion USDC network operates with a level of legal protection for hackers that most users do not understand. Either outcome changes the rules.
