More than $230 million in USD Coin (USDC) moved across chains after the April 1 Drift exploit, triggering a lawsuit against issuer Circle. The case tests how far stablecoin operators must act during active exploits, a question with direct implications for DeFi risk management.
Joshua McCollum, a Drift investor, filed the claim in a U.S. district court in Massachusetts on behalf of over 100 affected users. The suit alleges Circle failed to intervene as stolen funds moved via its Cross-Chain Transfer Protocol over several hours. Claims include negligence and aiding and abetting conversion, with damages to be determined at trial.
Could Circle Have Stopped The Cross-Chain Flows?
The dispute stems from the Drift Protocol exploit on Solana, where attackers drained more than $285 million, over half the platform’s total value locked (TVL). Data from DeFiLlama shows TVL has since fallen to about $251 million from a $1.5 billion peak in September 2025, highlighting the scale of capital flight.
Attorneys for the claimants argue Circle had both the technical ability and precedent to act, citing a prior freeze of 16 USDC-linked wallets tied to a U.S. civil case.
“Circle permitted this criminal use of its technology and services,” the legal team wrote, adding that losses could have been reduced with earlier intervention.
But the decision to freeze assets without a legal order carries legal and reputational risk. Lorenzo Valente, director of digital asset research at ARK Invest, said each intervention becomes a judgment call balancing rule-of-law principles against immediate harm prevention, with no universally accepted standard.
Still, on-chain data shows attackers converted assets into stablecoins before bridging to Ethereum and routing portions through Tornado Cash, with Elliptic linking activity to suspected North Korean actors. Drift has since secured nearly $150 million in recovery funding, including $127.5 million from Tether, and plans a relaunch centered on USDT, shifting reliance away from Circle’s infrastructure.
