
Circle Had 6 Hours to Freeze $285M in Stolen USDC — It Did Nothing

Dora Noda
Software Engineer

Six hours. That is how long $232 million in stolen USDC streamed across Circle's own Cross-Chain Transfer Protocol (CCTP) from Solana to Ethereum — during U.S. business hours, in broad daylight, on April Fool's Day 2026 — while the company that mints and controls every USDC token in existence watched and did nothing. The Drift Protocol exploit, now confirmed as the largest DeFi hack of 2026, has ignited a furious debate about what stablecoin issuers owe the ecosystem and whether "selective enforcement" is worse than no enforcement at all.

The Drift Protocol Heist: $285 Million in 12 Minutes

On April 1, 2026, attackers drained $285 million from Drift Protocol, a leading Solana-based perpetual futures exchange. The exploit was not a simple smart contract bug. Blockchain analytics firm Elliptic attributed the attack to North Korea's Lazarus Group — the same state-sponsored hackers behind the $1.4 billion Bybit breach — marking their eighteenth known crypto operation in 2026 alone.

The attackers spent three weeks laying the groundwork. Starting March 11, they pulled ETH from Tornado Cash and deployed a fake collateral token called CVT (carbonvote token), seeding minimal liquidity on Raydium and wash-trading to maintain a price near $1.00. Between March 23 and March 30, the attacker created multiple "durable nonce" accounts — a legitimate Solana feature that allows transactions to be pre-signed and executed later without expiring.

Through social engineering, two of Drift's five Security Council multisig signers were tricked into pre-signing what appeared to be routine transactions. Those signatures, combined with the durable nonce exploit, gave the attacker protocol-level administrative control. In just 12 minutes, they emptied Drift's core vaults — making it the second-largest Solana exploit in history, behind only the $326 million Wormhole bridge hack.

What happened next is where the story gets damning for Circle.

Six Hours, 100+ Transactions, Zero Intervention

The attacker consolidated the stolen assets — predominantly USDC and SOL — and began bridging them from Solana to Ethereum using Circle's own CCTP. Over approximately six hours and more than 100 individual transactions, $232 million in USDC moved through Circle's infrastructure.

This was not a midnight operation in some obscure timezone. The bridging activity occurred during U.S. business hours, when Circle's compliance and operations teams were presumably at their desks. Blockchain investigator ZachXBT broke the silence first: "Circle was asleep while many millions of USDC were swapped via CCTP from Solana to Ethereum for hours from the 9-figure Drift hack during US hours."

Circle's response? The company said it freezes assets only when "legally required" — in response to sanctions designations, law enforcement orders, or court mandates. Without a formal legal directive, Circle maintained, it could not unilaterally freeze the funds.

The Selective Enforcement Problem

Circle's legal argument might have held up — if not for what happened nine days earlier.

On March 23, 2026, Circle froze USDC balances across 16 wallets tied to a sealed U.S. civil case. Five of those wallets were later unfrozen after the community flagged that they belonged to legitimate businesses. ZachXBT called the March 23 freeze "potentially the single most incompetent" action he had witnessed in five years of on-chain investigations.

The juxtaposition is stark: Circle moved swiftly to freeze accounts in a civil lawsuit — potentially disrupting innocent businesses — but stood idle as hundreds of millions in hack proceeds flowed through its own bridge in real time. The community's conclusion was damning: Circle freezes when lawyers ask, not when users are robbed.

On April 3, ZachXBT escalated further, publishing what he called the "Circle USDC Files" — a detailed thread alleging over $420 million in compliance failures across at least fifteen cases dating back to 2022. In each case, he argued, Circle had the technical capability to intervene but chose not to.

The $3.3 Billion Gap: How Tether's Approach Differs

Circle's inaction looks even more conspicuous when compared to its rival, Tether. Between 2023 and 2025, Tether froze $3.3 billion in USDT across 7,268 blacklisted addresses — nearly 30 times the $109 million Circle froze across just 372 addresses during the same period, according to a report by AMLBot.

Tether's more aggressive posture extends beyond simple freezing. The company has the ability to burn frozen tokens and reissue replacement ones, effectively returning stolen funds to victims or law enforcement. Over 2,800 of Tether's blocked addresses were coordinated directly with U.S. agencies.

The philosophical difference is clear. Tether, historically domiciled in the BVI and now based in El Salvador, operates with a more interventionist posture — freezing first, navigating legal nuances later. Circle, a U.S.-regulated entity preparing for its long-awaited IPO, takes a strictly legalistic approach: no court order, no freeze.

But the Drift hack exposed the fatal flaw in Circle's framework. When the largest hack of 2026 unfolds on your own bridge during business hours and your response is effectively "not our problem," the market starts to question whether the compliance-first brand is actually a compliance-avoidance excuse.

The Impossible Trilemma: Compliance, Speed, and Decentralization

The Drift-Circle controversy reveals a deeper structural problem for the entire stablecoin industry — what might be called the "stablecoin freeze trilemma."

Freeze too aggressively, and you alienate DeFi users and risk freezing innocent accounts (as Circle demonstrated on March 23). You also invite legal liability for acting without proper authorization.

Freeze too slowly (or not at all), and hundreds of millions flow to state-sponsored hackers. You lose credibility as critical financial infrastructure.

Remove freeze capability entirely, and you cannot comply with regulations — and may enable even worse outcomes.

Ripple CTO Emeritus David Schwartz weighed in on this exact tension after the Drift hack. Responding to Columbia Business School professor Omid Malekan's prediction that a "no-freeze" stablecoin would emerge as a competitive differentiator, Schwartz argued it is fundamentally impossible: "The whole point of a stablecoin is that it represents a legal obligation of the issuer to redeem for fiat. A court order dissolves that legal obligation." If some stablecoins in circulation no longer represent redeemable obligations, the entire token becomes a fractional reserve — undermining the very stability that defines it.

The Regulatory Reckoning

The timing of the Drift hack could not be worse — or more revealing — for the stablecoin regulatory agenda.

The GENIUS Act, now signed into law, explicitly requires stablecoin issuers to maintain the technical capability to freeze tokens when legally required. But "legally required" is precisely the gray zone Circle is exploiting. The law mandates freeze capability; it does not mandate real-time response to active hacks absent a court order.

Meanwhile, the Financial Action Task Force (FATF) is pushing for a more proactive model. Its March 2026 targeted report encourages issuers and Virtual Asset Service Providers to monitor the entire stablecoin lifecycle — including peer-to-peer transactions — and to automate "multi-hop" analysis that can block sanctioned and high-risk addresses from transacting in real time.

The contrast with traditional finance is instructive. Under Regulation E, U.S. banks must provide provisional credit to fraud victims within 10 business days. The banking system has clear, enforceable response time expectations. The stablecoin market — now worth over $308 billion — has none.

If Circle's legal position is that it cannot freeze stolen funds without a court order, then the industry needs a mechanism to obtain emergency orders in hours, not weeks. If Circle's actual position is that it chooses not to freeze without a court order — while retaining the discretion to freeze in civil cases — then the selective enforcement problem is a governance crisis, not a legal one.

What Comes Next

The Drift hack and Circle's non-response will likely accelerate several trends already in motion:

  • Automated freeze protocols: On-chain monitoring firms like Elliptic, TRM Labs, and Chainalysis already track stolen funds in real time. The missing link is a pre-authorized, smart-contract-based freeze mechanism that can be triggered by verified hack detection — similar to how credit card networks automatically flag suspicious transactions.

  • Stablecoin SLAs: Just as banks have legally mandated response times for fraud, stablecoin issuers may face regulatory requirements for response time commitments — especially when funds move through their own proprietary infrastructure like CCTP.

  • Competitive pressure on issuers: Tether's 30x freeze advantage over Circle is now a marketing point, not just a compliance metric. New entrants like Ripple's RLUSD are explicitly designing freeze mechanisms to be GENIUS Act-compliant from day one.

  • DeFi security upgrades: The Drift exploit itself — social engineering multisig signers into pre-signing durable nonce transactions — will force protocols to rethink administrative key management. Time-locked execution, hardware security modules, and independent verification of multisig transactions will likely become standard.

The $308 billion stablecoin market sits at the center of crypto's institutional ambitions. Every major bank, asset manager, and fintech company exploring blockchain infrastructure depends on the assumption that stablecoins are reliable — not just in their peg, but in the governance framework surrounding them.

Circle had six hours to demonstrate that USDC is critical financial infrastructure worthy of the institutional trust it courts. Instead, it demonstrated that when the largest hack of 2026 unfolded on its own rails, the answer was silence.

The market will not forget that.
