The $280 million exploit of Solana-based Drift Protocol on April 1, 2026—attributed with medium-high confidence to North Korean state-affiliated hackers by the SEAL 911 team and corroborated by blockchain analytics firms Elliptic and TRM Labs—has become more than a security postmortem. It has ignited one of the most consequential policy debates in decentralized finance: when a centralized entity has the power to stop stolen funds from moving, what happens when it chooses not to?
The debate, which has played out publicly on X over the past two weeks, features prominent voices from across crypto’s security, legal, and policy communities—and has now escalated into a federal lawsuit.
Circle’s Inaction During the Exploit
During the Drift hack, attackers drained approximately $280 million in assets, including USDC, JLP, and SOL-based tokens, within roughly 12 minutes. The stolen USDC was subsequently bridged from Solana to Ethereum via Circle’s own Cross-Chain Transfer Protocol (CCTP).
On-chain investigator ZachXBT was among the first to publicly criticize Circle’s response, noting that over $230 million in illicit activity was laundered over a period of hours in what he described as a “clear cut case.” He argued that Circle, as a centralized stablecoin issuer with freeze capability at the smart contract level, had both the means and the obligation to act.
Security researcher Tay (tayvano_), who works closely with incident response teams, offered a detailed account of the broader ecosystem’s response. According to her public posts, bridges temporarily blocked SOL-to-ETH routes, frontends blocked flagged addresses, and the Drift and Squads teams coordinated with security experts to contain the threat. “EVERYONE ELSE ACTED to respond to the incident and take the steps THEY COULD to mitigate the harm,” she wrote on X. “The only ones who sat and did NOTHING was Circle.”
Circle’s Defense
Circle CEO Jeremy Allaire has publicly addressed the criticism. He stated that Circle only freezes USDC wallets at the direction of law enforcement or courts and that acting outside of established legal processes could create “a significant moral quandary.”
Allaire expressed concern about the risks of unilateral action, stating, “If there are others that believe that Circle should just step away from what the law says and do its own, make its own decisions, I think it’s a very risky proposition.”
Neeraj K. Agrawal, a crypto policy commentator, echoed a similar position, arguing that it is “better that Circle has consistent standards and not enforcing freezing at the whims of the mob.” He warned that once Circle lowers its threshold for freezing, it would “become liable for everything they don’t freeze.”
The Legal and Philosophical Divide
The debate has drawn in legal voices who highlight the complexity of the issue. Attorney James Farrell raised concerns about the legal precedent of imposing a duty to act, noting that the same logic used to criticize Circle could be applied to decentralized protocol developers who chose not to build freeze mechanisms into their code. “The slope gets slippery,” he wrote.
ZachXBT pushed back, drawing a distinction between centralized and decentralized infrastructure. He noted that Tornado Cash, which was OFAC-sanctioned and continued operating normally afterward, had no backend freeze capability — only optional frontend blocks. Circle, by contrast, controls freeze functions at both the frontend and smart contract levels. “They are not the same,” he wrote.
Jacob Robinson, a legal analyst, proposed that law enforcement should be trained to respond to active hacks with rapid freeze orders, which stablecoin issuers would then execute. He described this as “the only path” where issuers are both forced to act quickly and protected from liability for erroneous freezes.
ZachXBT disagreed, saying he favors private sector self-regulation over reliance on government. He pointed to slow response times, limited crypto expertise among US law enforcement, and the high volume of inbound IC3 reports as structural barriers. He also cited a case in which an Indian law enforcement email was compromised and used to submit fraudulent documents to an exchange in an attempt to unfreeze DPRK funds.
The Case for Acting During Active Hacks
Tay offered the most detailed framework for when stablecoin issuers should intervene, arguing that active, publicly discussed hack situations are fundamentally different from routine freeze requests. She outlined a set of conditions—including incidents over $5 million, exclusively new addresses receiving funds, real-time public identification and challenge of flagged addresses, and a clearly identified victim—under which the risk of freezing the wrong party approaches “nearly zero.”
She contrasted this with the current legal pathway—emergency ex parte court orders—which she argued is both too slow to catch criminals and too fast to protect innocent parties. She cited instances where civil freeze orders affected 16 or more hot wallets belonging to legitimate bridge operators and service providers who had no recourse, no notification, and no way to challenge the freeze.
“The evidence is inherently verified, checked, double-checked, challenged, and agreed to be accurate via a large, independent variety of actual experts,” she wrote, arguing that public incident response produces more accurate outcomes than what typically occurs before a US judge in an ex parte proceeding.
The Centralization Paradox
At the core of the debate lies what ZachXBT called a fundamental contradiction: “Circle does not get to reap the benefits of both centralization and decentralization arbitrarily for when it best suits them.”
Circle earns interest on USDC reserves, maintains freeze capabilities at the contract level, and operates as a publicly traded centralized entity. Yet when asked to act during an active exploit, the company has pointed to its lack of legal authority to intervene without a court order—a position its critics argue selectively invokes decentralization principles that do not apply to a centralized issuer.
The distinction between centralized and decentralized infrastructure, ZachXBT argued, is not academic. “Aave, Sky, Tornado, etc are decentralized. Circle, Tether, Paxos, etc are centralized. It’s dangerous when industry leaders try to conflate them.”
Lawsuit and What Comes Next
On April 17, law firm Gibbs Mura filed a class action lawsuit against Circle on behalf of Drift Protocol investors, alleging that the company had both the technical and contractual authority to freeze the stolen USDC but failed to act promptly. The lawsuit further alleges that Circle’s delayed response worsened losses for victims.
Meanwhile, Tether has taken a contrasting approach. On April 16, the USDT issuer offered Drift Protocol a $147.5 million recovery package, including a $100 million revenue-linked credit line, an ecosystem grant, and loans to market makers—positioning itself as an active participant in post-hack recovery while Circle faces legal action for its inaction.
The Drift exploit and the debate it has sparked are unlikely to be resolved by any single lawsuit or policy proposal. But the questions raised—about the duties of centralized infrastructure providers, the limits of self-regulation, and the adequacy of existing legal frameworks for crypto’s speed—now sit at the center of an industry-wide reckoning.
Also Read: Circle Launches USDC Bridge Amid Drift’s USDT Switch Post-$280M Hack
