Circle under fire as $230M in stolen USDC flows unblocked days after freezing legitimate accounts
Stablecoin issuer Circle is facing mounting scrutiny from blockchain researchers after tens of millions of USD Coin (USDC) were stolen and flowed unimpeded through its proprietary bridge during the $285 million exploit of the Solana-based Drift Protocol.
The inaction during the April 1 attack, which is now the largest decentralized finance (DeFi) hack of 2026, stands in stark contrast to Circle’s aggressive asset freeze tied to a sealed US civil case just days prior.
This juxtaposition has reignited debate over the responsibilities and inconsistencies of centralized stablecoin issuers operating within permissionless markets.
According to on-chain investigator ZachXBT, the attackers bridged more than $230 million in USDC from Solana to Ethereum across over 100 transactions using Circle’s Cross-Chain Transfer Protocol (CCTP).

Why this matters: The episode highlights a structural tension in crypto markets: stablecoins like USDC operate within permissionless systems but retain centralized control. When that control is applied inconsistently, it raises new risks for users, protocols, and regulators trying to understand where intervention will, or won’t, occur during a crisis.
The transfers occurred over several hours during the US business day, giving the New York-headquartered issuer ample time to intervene.
This view was corroborated by other security experts, who noted that the attacker held stolen USDC across multiple wallets for one to three hours before bridging to Ethereum.
The hacker notably avoided converting the funds to Tether’s USDT, suggesting a calculated bet that Circle would not deploy its smart-contract blacklist authority.
That bet paid off; USDT is the largest stablecoin by market capitalization, and its issuer is renowned for blacklisting malicious attackers who use its asset to move funds.
The civil contrast
The timing of the exploit has intensified the backlash. On March 23, Circle froze the USDC balances of 16 unrelated corporate hot wallets and disrupted legitimate exchanges, casinos, and payment processors in response to a civil dispute.
ZachXBT previously characterized that action as “probably the single most incompetent” freeze he had witnessed in five years.
Critics are now asking a fundamental question: If Circle claims the authority to freeze assets to enforce compliance, why does it apply that power aggressively against legitimate businesses while ignoring a confirmed, nine-figure heist transiting its own infrastructure?
However, Santisa, the pseudonymous CIO of investment firm Lucidity Cap, argued the opposite. He said:
“Circle not blacklisting is actually quite cypherpunk of them, no matter the reason. The industry pushing for active blacklisting puts us ever further away from decentralisation — not necessarily a bad thing! Just a trade-off.”
To date, Circle has blacklisted roughly $117 million across 601 wallets, according to Dune Analytics data, showing that the capability exists.

Anatomy of the Drift exploit
The attack on Drift, previously the cornerstone of Solana’s DeFi ecosystem with over $550 million in Total Value Locked (TVL), was a highly sophisticated, weeks-long operation.
According to Drift Protocol’s post-mortem, the attackers compromised the protocol’s Security Council.
On March 30, they exploited a mechanism known as a “Durable Nonce” to quietly obtain vital multisig approvals.
The durable nonce is a tool designed to keep unconfirmed transactions valid indefinitely for offline approvals. Yu Xian, the founder of blockchain security firm SlowMist, said:
“Another encounter with the durable nonce offline pre-signature mechanism exploit. This phishing technique has been prevalent for at least 2 years. Once such a signature is phished away, the attacker can initiate ‘legally signed’ on-chain operations at a future opportune moment—for instance, in the Drift scenario, it resulted in the takeover of its on-chain admin privileges.”
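As an added illustration (not code from the article, Drift, or SlowMist), here is a pre-signing check a multisig signer could run on the serialized message they are asked to approve. It relies on Solana's convention that a durable-nonce transaction carries the System Program's AdvanceNonceAccount instruction as its first instruction; the function names and sample keys are constructed for this example.

```python
import struct

SYSTEM_PROGRAM = bytes(32)            # System Program ID is the all-zero public key
ADVANCE_NONCE = struct.pack("<I", 4)  # SystemInstruction::AdvanceNonceAccount (u32 LE)

def read_compact_u16(buf, pos):
    """Decode a Solana compact-u16 length prefix; return (value, next_pos)."""
    value = shift = 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7

def durable_nonce_account(message):
    """Return the nonce account key if instruction 0 advances a nonce, else None."""
    # Versioned messages start with a prefix byte; then comes the 3-byte header.
    pos = (1 if message[0] & 0x80 else 0) + 3
    n_keys, pos = read_compact_u16(message, pos)
    keys = [message[pos + 32 * i: pos + 32 * (i + 1)] for i in range(n_keys)]
    pos += 32 * n_keys + 32               # skip keys and the 32-byte blockhash field
    n_ix, pos = read_compact_u16(message, pos)
    if n_ix == 0:
        return None
    program_idx, pos = message[pos], pos + 1
    n_accts, pos = read_compact_u16(message, pos)
    accts, pos = message[pos:pos + n_accts], pos + n_accts
    data_len, pos = read_compact_u16(message, pos)
    data = message[pos:pos + data_len]
    is_advance = (program_idx < n_keys and keys[program_idx] == SYSTEM_PROGRAM
                  and data[:4] == ADVANCE_NONCE and n_accts >= 1)
    return keys[accts[0]] if is_advance else None

def build_message(keys, instructions):
    """Serialize a small legacy message (all lengths < 128, so one-byte prefixes)."""
    out = bytes([1, 0, 1, len(keys)]) + b"".join(keys) + b"\x09" * 32
    out += bytes([len(instructions)])
    for program_idx, accts, data in instructions:
        out += bytes([program_idx, len(accts)]) + bytes(accts) + bytes([len(data)]) + data
    return out

# Constructed sample keys: payer, nonce account, placeholder sysvar, System Program.
PAYER, NONCE_ACCT, SYSVAR = b"\x01" * 32, b"\x02" * 32, b"\x03" * 32
KEYS = [PAYER, NONCE_ACCT, SYSVAR, SYSTEM_PROGRAM]
NONCE_MSG = build_message(KEYS, [(3, [1, 2, 0], ADVANCE_NONCE)])
TRANSFER_MSG = build_message(KEYS, [(3, [0, 1], struct.pack("<IQ", 2, 1000))])

if __name__ == "__main__":
    print(durable_nonce_account(NONCE_MSG) == NONCE_ACCT, durable_nonce_account(TRANSFER_MSG))
```

A signer who gets a non-`None` result knows the approval will not expire with a recent blockhash and can refuse to sign unless a long-lived, offline-held transaction was explicitly expected.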
On April 1, the attackers shifted admin authority, initialized a fake asset called CVT, artificially inflated its value via oracle manipulation, and borrowed against the false collateral.
In short order, they drained the JLP Delta Neutral, SOL Super Staking, and BTC Super Staking vaults. DefiLlama data shows Drift’s TVL collapsed to below $250 million following the attack.
The fallout has spread rapidly across the Solana DeFi ecosystem, given Drift’s prominent role.
According to reports, at least 20 third-party applications that relied on Drift’s vaults to generate yield have confirmed financial impact, including Prime Numbers Fi, which estimates losses exceeding $10 million.
Who is behind the attack?
While the identity of the attackers remains unknown as of press time, Drift said on X that it had identified critical information about the parties involved in the exploit.
Meanwhile, security experts have noted that the sophisticated laundering methodology points to a familiar adversary: North Korean attackers.
Blockchain intelligence firm Elliptic reported that the on-chain behavior and network-level indicators align with operations conducted by the Democratic People’s Republic of Korea (DPRK).
Another blockchain security firm, Diverg, further said:
“We can confirm along with TRM Labs and Elliptic that North Korea’s Lazarus Group (TraderTraitor) [was behind the Drift attack]. [The] same unit [was] behind Bybit’s $1.5 billion hack [and] Ronin’s $625 million attack.”
If confirmed, the Drift exploit would mark the eighteenth DPRK-linked crypto theft this year, pushing the regime’s 2026 illicit haul past $300 million.
It arrives amid an escalation in state-sponsored attacks targeting crypto infrastructure, including a recent software supply chain compromise attributed by Google to the North Korean threat actor UNC1069.
The post Circle under fire as $230M in stolen USDC flows unblocked days after freezing legitimate accounts appeared first on CryptoSlate.
