Key Takeaways
- An attacker drained $285 million from Drift protocol, transferring $232 million in USDC between blockchains via Circle’s cross-chain transfer protocol
- ZachXBT, a prominent blockchain investigator, criticized Circle for insufficient speed in freezing compromised assets
- Circle maintains its policy requires court orders or law enforcement requests before freezing any assets
- According to ZachXBT’s research, Circle allowed $420 million in stolen USDC to flow through 15 separate incidents beginning in 2022
- Legal professionals caution that unauthorized asset freezing could create significant liability risks for Circle
The USDC stablecoin issuer Circle finds itself under intense scrutiny following this week’s massive $285 million breach of the Drift protocol.
The perpetrator extracted approximately $71 million in USDC tokens directly from Drift’s reserves. Following the initial theft, the attacker converted additional stolen cryptocurrency into USDC before leveraging Circle’s proprietary cross-chain transfer protocol (CCTP) to shift roughly $232 million worth of USDC from the Solana blockchain to Ethereum.
This cross-chain movement significantly complicated asset recovery efforts while simultaneously placing Circle at the center of industry controversy.
Prominent blockchain investigator ZachXBT emerged as a leading voice challenging Circle’s response. He contended that Circle possessed the necessary infrastructure to blacklist wallet addresses and immobilize funds yet failed to deploy these capabilities during the critical attack window.
“Why should crypto businesses continue to build on Circle when a project with nine-figure TVL could not get support during a major incident?” he posted on X.
Circle’s Official Response
Circle issued a firm rebuttal to these allegations. Speaking with CoinDesk, a company representative emphasized that Circle operates under regulatory constraints and exclusively freezes assets when compelled by legal instruments, including court directives or formal law enforcement requests.
“We freeze assets when legally required, consistent with the rule of law and with strong protections for user rights and privacy,” the spokesperson said.
Salman Banei, who serves as general counsel at Plume, a tokenized asset network, supported Circle’s stance. He emphasized that acting without proper legal authorization could create substantial liability exposure for stablecoin issuers. Banei advocated for legislative action to establish legal safe harbor provisions enabling issuers to respond more rapidly in unambiguous theft scenarios.
The incident has generated nuanced interpretations across the industry. Ben Levit, who leads stablecoin ratings agency Bluechip as CEO, characterized the Drift exploit as primarily involving market and oracle manipulation rather than a conventional security breach, positioning it within a complex legal framework.
“Any action by Circle becomes a judgment call, not just a compliance decision,” Levit said.
ZachXBT Alleges Broader Pattern of Non-Intervention
ZachXBT expanded his critique with broader allegations that Circle has declined to freeze or blacklist approximately $420 million in illicit USDC movement spanning 15 distinct incidents beginning in 2022.
His documented cases include allegations that Circle failed to freeze $9 million connected to the GMX exchange breach in July 2025, and that wallet addresses associated with the $200 million Cetus DEX attack received blacklist designation only after the funds had already been converted from USDC into other assets.
ZachXBT emphasized that his $420 million calculation encompasses only widely publicized major cases, suggesting the actual total could substantially exceed this figure.
Circle previously investigated “reversible” USDC transaction capabilities in September 2025, a mechanism designed to enable fund rollbacks in theft situations. The company has historically frozen USDC under specific circumstances, including assets connected to Tornado Cash addresses sanctioned by US authorities in 2022.
Blockchain security analysts have attributed the Drift exploit to threat actors affiliated with North Korean state operations.
