Circle Internet Financial is facing a federal class action lawsuit after $230 million in stolen USDC moved unblocked through its own blockchain infrastructure for up to eight hours following the April 1 Drift Protocol exploit, the largest DeFi hack of 2026.
The lawsuit and what it alleges
Law firm Gibbs Mura, A Law Group filed the complaint in a Massachusetts district court on behalf of investor Joshua McCollum and more than 100 other Drift depositors who lost funds in the exploit. The suit names Circle as a defendant and accuses it of aiding and abetting conversion and negligence.
According to the filing, attackers drained roughly $280–$285 million from Drift in under 12 minutes, converted the bulk of the stolen assets into USDC, then used Circle’s Cross-Chain Transfer Protocol (CCTP) to bridge approximately $230 million from Solana to Ethereum across more than 100 transactions. That transfer happened during regular US business hours, giving Circle a window of six to eight hours to intervene.
Plaintiffs argue Circle had both the technical means and the contractual authority to freeze the funds and did neither. Critically, just nine days before the Drift exploit, Circle had frozen 16 commercial wallets in a separate civil dispute, a fact the lawsuit uses directly to establish operational precedent.
Your completely free resource hub designed to boost your knowledge of cryptocurrencies
Inside the $285 million Drift exploit
The April 1 attack was the culmination of a six-month social engineering campaign attributed with medium-high confidence to UNC4736, a North Korean state-sponsored group also tracked as Citrine Sleet and AppleJeus by security firms Elliptic and TRM Labs.
Starting in fall 2025, operatives posing as a quantitative trading firm approached Drift contributors at major crypto conferences across multiple countries, deposited over $1 million of their own funds into a Drift Ecosystem Vault to build credibility, and held detailed product discussions with team members over several months. They then compromised devices through two likely vectors: a malicious code repository and a fake wallet app distributed via Apple’s TestFlight platform.
Between March 23 and 30, the attackers used a legitimate Solana feature called durable nonces, which allow transactions to be pre-signed and held for later execution, to trick Drift’s Security Council members into unknowingly pre-approving admin transfers. On March 27, Drift further weakened its own defences by migrating to a new multisig configuration and removing its timelock entirely, eliminating the delay window that could have allowed detection.
On April 1, the attackers triggered those pre-signed transactions, listed a fabricated token called CarbonVote (CVT), which they had artificially priced near $1 through wash trading, as legitimate collateral, and borrowed hundreds of millions in real assets against it.
Circle’s position and the freeze debate
Circle stayed silent for weeks before its Chief Strategy Officer Dante Disparte published a blog post framing the company’s freeze capability as a compliance obligation rather than a discretionary power. CEO Jeremy Allaire reinforced the position at a press conference in Seoul, stating the company freezes USDC wallets only when directed by law enforcement or courts, not in real time during hacks.
Blockchain investigator ZachXBT was first to highlight the inaction publicly, posting on X that Circle had roughly six hours to intervene as stolen funds moved through CCTP and took no action. In a subsequent report he called “The Circle USDC Files,” he alleged more than $420 million in compliance failures across more than a dozen incidents since 2022, including the GMX exchange breach and the Cetus DEX theft, where USDC remained unfrozen until the funds had already been swapped out.
Tether moves in as Drift dumps USDC
On April 16, Tether announced it was leading a recovery plan for Drift Protocol, committing up to $127.5 million as part of a broader $147.5 million package alongside other partners. As a condition of the deal, Drift will switch its core settlement asset from USDC to USDT upon relaunch, a significant market shift given that USDC holds a $8.1 billion market cap on Solana compared to USDT’s $3.05 billion, per DeFiLlama.
The recovery plan will not directly reimburse users. Instead, exchange revenue and outside capital will flow into a recovery pool distributed over time, with a planned token representing user claims. DeFiLlama co-founder 0xngmi noted on X the structure looks “closer to a plan where users recover their hacked amounts by trading on Drift.”
Meanwhile, the class action against Circle is at an early stage, but discovery could surface internal communications from the critical April 1 window, giving plaintiffs a direct look at what Circle knew and when it decided not to act.
