Stablecoin issuer Circle is facing mounting scrutiny from blockchain researchers after millions of USD Coin (USDC) were stolen and flowed unimpeded through its proprietary bridge during the $285 million exploit of the Solana-based Drift Protocol.
The inaction during the April 1 attack, which is now the largest decentralized finance (DeFi) hack of 2026, stands in stark contrast to Circle’s aggressive asset freeze tied to a sealed US civil case just days prior.
This juxtaposition has reignited debate over the responsibilities and inconsistencies of centralized stablecoin issuers operating within permissionless markets.
According to on-chain investigator ZachXBT, the attackers bridged more than $230 million in USDC from Solana to Ethereum across over 100 transactions using Circle’s Cross-Chain Transfer Protocol (CCTP).
Drift Exploit Transaction Tracing (Source: Elliptic)Why this matters: The episode highlights a structural tension in crypto markets: stablecoins like USDC operate inside permissionless systems but retain centralized control. When that control is applied inconsistently, it raises new risks for users, protocols, and regulators trying to understand where intervention will, or will not, occur during a crisis.
The transfers occurred over several hours during the US business day, giving the New York-headquartered issuer ample time to intervene.
This view was corroborated by other security experts, who noted that the attacker held stolen USDC across multiple wallets for one to three hours before bridging to Ethereum.
The hacker notably avoided converting the funds to Tether’s USDT, suggesting a calculated bet that Circle would not deploy its smart-contract blacklist authority.
That bet paid off because USDT is the largest stablecoin by market capitalization, and its issuer is renowned for blacklisting malicious attackers using its asset to shift funds.
The civil contrast
The timing of the exploit has intensified the backlash. On March 23, Circle froze the USDC balances of 16 unrelated corporate hot wallets and disrupted legitimate exchanges, casinos, and payment processors in response to a civil dispute.
ZachXBT previously characterized that action as “potentially the single most incompetent” freeze he had witnessed in five years.
Critics are now asking a fundamental question: If Circle claims the authority to freeze assets to enforce compliance, why does it apply that power aggressively against legitimate businesses while ignoring a confirmed, nine-figure heist transiting its own infrastructure?
However, Santisa, the pseudonymous CIO of investment firm Lucidity Cap, argued the opposite. He stated:
To date, Circle has blacklisted roughly $117 million across 601 wallets, according to Dune Analytics data, showing that the capability exists.
Circle’s USDC Blacklist (Source: Dune Analytics)Anatomy of the Drift exploit
The attack on Drift, previously the cornerstone of Solana’s DeFi ecosystem with over $550 million in Total Value Locked (TVL), was a highly sophisticated, weeks-long operation.
According to Drift Protocol’s post-mortem, the attackers compromised the protocol’s Security Council.
On March 30, they exploited a mechanism known as a “Durable Nonce” to quietly gain necessary multisig approvals.
The durable nonce is a tool designed to keep unconfirmed transactions valid indefinitely for offline approvals. Yu Xian, the founder of blockchain security firm Slowmist, said:
On April 1, the attackers shifted admin authority, initialized a fake asset called CVT, artificially inflated its value via oracle manipulation, and borrowed against the false collateral.
In short order, they drained the JLP Delta Neutral, SOL Super Staking, and BTC Super Staking vaults. DefiLlama data shows Drift’s TVL collapsed to under $250 million following the attack.
The fallout has spread rapidly across the Solana DeFi ecosystem, considering Drift’s prominent role.
According to reports, at least 20 third-party applications that relied on Drift’s vaults to generate yield have confirmed financial impact, including Prime Numbers Fi, which estimates losses exceeding $10 million.
Who is behind the attack?
While the identity of the attackers remains unknown as of press time, Drift stated on X that it had identified critical information about the parties involved in the exploit.
Meanwhile, security experts have noted that the sophisticated laundering methodology points to a familiar adversary of North Korean attackers.
Blockchain intelligence firm Elliptic reported that the on-chain behavior and network-level indicators align with operations conducted by the Democratic People’s Republic of Korea (DPRK).
Another blockchain security firm, Diverg, further stated:
If confirmed, the Drift exploit would mark the eighteenth DPRK-linked crypto theft this year, pushing the regime’s 2026 illicit haul past $300 million.
It arrives amid an escalation in state-sponsored attacks targeting crypto infrastructure, including a recent software supply chain compromise attributed by Google to the North Korean threat actor UNC1069.
Source: https://cryptoslate.com/circle-usdc-drift-hack-freeze-controversy/
