Key Takeaways
- Cybercriminals drained $285 million from Drift protocol, transferring $232 million in USDC between blockchains via Circle’s Cross-Chain Transfer Protocol
- Crypto sleuth ZachXBT criticized Circle for not acting quickly enough to freeze the stolen assets during the breach
- Circle maintains it operates within regulatory boundaries and only freezes funds when mandated by legal authorities or court directives
- According to ZachXBT, Circle has neglected to freeze approximately $420 million in stolen USDC spanning 15 incidents since 2022
- Legal professionals caution that freezing digital assets without proper authorization could subject Circle to legal consequences
The stablecoin issuer Circle is under intense scrutiny following its response to this week’s massive $285 million security breach targeting the Drift protocol.
The perpetrator initially extracted approximately $71 million in USDC directly from Drift’s platform. Following the conversion of most other stolen digital assets into USDC, the cybercriminal leveraged Circle’s Cross-Chain Transfer Protocol (CCTP) to shift roughly $232 million worth of USDC tokens from the Solana blockchain to Ethereum.
This cross-chain movement significantly complicated fund recovery efforts and placed Circle squarely in the crosshairs of community criticism.
On-chain sleuth ZachXBT emerged as a prominent voice challenging Circle’s approach. He contended that despite having the technical capability to blacklist addresses and immobilize funds, Circle failed to respond swiftly during the ongoing attack.
“Why should crypto businesses continue to build on Circle when a project with nine-figure TVL could not get support during a major incident?” he posted on X.
Circle’s Official Response
Circle rejected the accusations in a statement to CoinDesk. A company representative emphasized that as a regulated entity, Circle exclusively freezes digital assets when compelled by legal requirements, including judicial orders or formal requests from law enforcement agencies.
“We freeze assets when legally required, consistent with the rule of law and with strong protections for user rights and privacy,” the spokesperson said.
Salman Banei, who serves as general counsel at tokenized asset platform Plume, supported Circle’s stance. He explained that freezing assets without official legal authorization could create liability risks for stablecoin issuers. Banei advocated for legislative action to establish legal protections that would enable issuers to respond more rapidly in unambiguous theft scenarios.
Not everyone views the situation as straightforward. Ben Levit, who leads stablecoin evaluation firm Bluechip, characterized the Drift incident as involving market and oracle manipulation rather than a conventional hack, positioning it in murky legal territory.
“Any action by Circle becomes a judgment call, not just a compliance decision,” Levit said.
ZachXBT Alleges Systematic Failure to Act
ZachXBT expanded his criticism beyond the Drift incident, asserting that Circle has declined to freeze or blacklist approximately $420 million in illicit USDC transfers across 15 distinct incidents dating back to 2022.
He specifically highlighted that Circle allegedly failed to freeze $9 million stolen during the GMX exchange breach in July 2025, and that addresses associated with the $200 million Cetus DEX exploit were only blacklisted after the criminals had already converted the funds away from USDC.
ZachXBT noted that his $420 million estimate encompasses only widely publicized cases, suggesting the actual total could be substantially higher.
Circle had previously investigated implementing “reversible” USDC transactions in September 2025, a mechanism that could enable transaction rollbacks in theft situations. The company has historically frozen USDC in specific circumstances, including assets connected to Tornado Cash wallets sanctioned by US authorities in 2022.
Cybersecurity researchers have attributed the Drift exploit to hacking groups affiliated with North Korea’s government.
