Key Highlights
- The lawsuit claims Circle failed to freeze $230M in USDC, allowing North Korea backed hackers to move funds and deepen losses after the Drift Protocol exploit.
- Legal case raises concerns over stablecoin issuers’ duty as courts and regulators debate control over user funds.
- Crypto industry split as analysts debate if firms should act faster or wait for legal orders before freezing assets.
A class action lawsuit filed in the U.S. District Court of Massachusetts has put Circle Internet Financial under intense legal scrutiny over its handling of the April 1, 2026, Drift Protocol exploit. The case, brought by Drift investor Joshua McCollum on behalf of over 100 affected users, alleges that Circle failed to intervene as North Korea backed hackers siphoned funds during the roughly $280 million attack—the largest DeFi exploit of 2026 to date.
The complaint centers on the movement of approximately $230 million in USDC. According to the filing, hackers utilized Circle’s Cross-Chain Transfer Protocol (CCTP) to bridge the stolen stablecoins from Solana to Ethereum over a span of several hours. Plaintiffs argue that this delay allowed the attackers to successfully launder the funds, increasing investor losses and raising serious questions about accountability in core crypto infrastructure.
Legal pressure builds on stablecoin issuers
The plaintiff’s legal team stated, “Circle permitted this criminal use of its technology and services.” They added, “These losses would not have occurred, or would have been substantially reduced, had Circle taken timely action.”
The lawsuit accuses Circle of negligence and aiding unlawful conversion, “Given Circle’s history of inaction, it is likely the Attackers had high confidence Circle would not freeze the USDC or the bridge transactions that were instrumental to their heist. This assumption proved to be correct. Circle allowed them free use of its cryptocurrency and bridge services over the approximately eight-hour getaway period.”
The lawsuit also pointed to a previous case in which the company froze 16 wallets under court direction. They argue this shows Circle had both the technical ability and precedent to act sooner.
The issue also brings to light a wider loophole in cryptocurrency regulation. Organizations such as Circle usually have to use court orders to freeze their customers’ money, hence the possibility of delaying actions. It is also questionable to what extent these firms are supposed to have such powers.
Industry divided over responsibility
Responses from the cryptocurrency community have been mixed. Bloomberg analyst James Seyffart was critical of the ambiguity, saying, “Either you’re a decentralized protocol and literally do not have the power to freeze or you’re not and you should be freezing hacked funds. This middle ground hand wavy “only with a court order” stuff is weak.”
In contrast, ARK Invest’s director Lorenzo Valente defended Circle’s stance, warning that acting without legal backing could lead to arbitrary decisions. He added, “Every future freeze is now a judgment call.” The split highlights ongoing tension between security concerns and legal consistency.
Meanwhile, Drift said on Thursday it had lined up a recovery package totaling up to $147.5 million, with $127.5 million expected from Tether and a further $20 million from partner firms. In a statement, the team said the plan is designed to compensate affected users after the April 1 exploit and support the platform’s return, with a shift toward operating as a USDT-based perpetual exchange on Solana.
This lawsuit could set a historic precedent for how courts approach the liability of stablecoin issuers and cross-chain bridge operators in the aftermath of DeFi exploits. The outcome will likely force regulatory agencies worldwide to reconsider their frameworks on asset freezing, potentially reshaping the operational responsibilities of centralized crypto entities.
Also Read: $20M Crypto Scam Ends in 23-Year Sentence for Texas Man
