Circle Internet Group is facing a proposed class action lawsuit after investors accused the stablecoin issuer of failing to freeze $230 million in USDC that was transferred by attackers following the April 1 exploit of Drift Protocol, the largest decentralized perpetual futures exchange on Solana. The lawsuit, filed on April 14 in a U.S. district court in Massachusetts by lead plaintiff Joshua McCollum, alleges negligence and aiding unlawful conversion. The $285 million Drift hack is the largest DeFi exploit of 2026 and the second-largest in Solana's history.
How a Fake Token Drained $285 Million in 12 Minutes
The Drift exploit was not a standard smart contract bug. According to post-mortem reports from Drift Protocol, TRM Labs, and Elliptic, the attack was a six-month social engineering operation likely carried out by North Korean state-backed hackers linked to the group tracked as UNC4736 (Citrine Sleet), the same actors behind the 2024 Radiant Capital hack.
The attackers posed as a quantitative trading firm to build trust with Drift contributors over months. They created a fake token called CarbonVote Token (CVT) on March 11, seeded it with just $500 in liquidity, and wash-traded it to build a price history near $1. Using Solana's "durable nonces" feature, they tricked Drift Security Council multisig signers into pre-signing transactions that looked routine but carried hidden admin authorizations. On April 1, the attackers executed these pre-signed transactions, took control of Drift's governance, whitelisted CVT as collateral, and drained $285 million in real assets including USDC, SOL, JLP, and wrapped BTC in approximately 12 minutes.
Drift Protocol Lost $285M and It Had Nothing to Do With the Code
| Date | Event |
|---|---|
| Mar 11 | Attacker creates CarbonVote Token (CVT) on Solana, seeds $500 in Raydium liquidity |
| Mar 23–30 | Attacker creates durable nonce accounts, tricks multisig signers into pre-signing admin transactions |
| Mar 27 | Drift migrates Security Council to 2/5 threshold with zero timelock |
| Apr 1 | Exploit executes: $285M drained from Drift vaults in approximately 12 minutes |
| Apr 1–2 | Attacker bridges ~$230M USDC from Solana to Ethereum via Circle CCTP over 8 hours, 100+ transactions |
| Apr 5 | Drift links attack to DPRK-affiliated group UNC4736 (Citrine Sleet) |
| Apr 14 | Gibbs Mura files class action lawsuit against Circle in Massachusetts district court |
| Apr 16 | Tether commits $127.5M to Drift recovery; Drift announces switch from USDC to USDT |
Eight Hours, 100+ Transactions, No Freeze
The lawsuit centers on what happened after the exploit. Attackers swapped the stolen assets into USDC through Solana-based DEX aggregators and then bridged roughly $230 million from Solana to Ethereum using Circle's own Cross-Chain Transfer Protocol (CCTP). The bridging process took approximately eight hours and involved over 100 transactions, all executed during U.S. business hours. On-chain investigator ZachXBT publicly flagged the transfers, noting that stolen USDC was moving through Circle's infrastructure in real time without any intervention.
Once on Ethereum, the attackers converted the stolen USDC into Ether and routed portions through Tornado Cash to obscure the trail. Elliptic confirmed that the on-chain behavior and laundering methods were consistent with previously attributed DPRK operations.
The Legal Argument: Circle Could Have Acted, Chose Not To
The complaint, filed by law firm Gibbs Mura, alleges Circle had both the technical capability and contractual authority to blacklist the attacker's addresses and freeze the stolen USDC. Plaintiffs point to a specific precedent: roughly one week before the Drift exploit, Circle froze 16 USDC wallets in connection with a sealed U.S. civil case. That action, the lawsuit argues, proves Circle's ability to intervene when it chooses to do so.
"Circle permitted this criminal use of its technology and services," attorneys wrote in the filing. "The losses would not have occurred, or would have been substantially reduced, had Circle taken timely action." The complaint also references what it describes as over $420 million in alleged compliance failures across previous breaches where Circle allowed unfettered use of its stablecoin and bridge services.
Circle has not publicly commented on the lawsuit. CRCL stock fell 1.42% in after-market hours following the news, after having rallied over 22% earlier in the week.
The Counterargument: Freezing Without a Court Order Is a Dangerous Precedent
Not everyone agrees Circle should have intervened. ARK Invest's director of research for digital assets, Lorenzo Valente, argued that freezing funds without a legal order would set a dangerous precedent. "Every future freeze is now a judgment call. Every non-freeze is a political statement," he wrote. He acknowledged, however, that the stolen funds would likely end up funding North Korea's weapons program.
Circle CEO Jeremy Allaire has previously stated that the company only freezes USDC at the direction of formal law enforcement or court orders. The Drift case now puts that policy under direct legal scrutiny. The outcome could set a precedent for whether crypto infrastructure companies that have the technical ability to act are legally liable when they choose not to.
Tether Steps In: $127.5M Recovery and a Settlement Layer Shift
While the lawsuit targets Circle, its rival Tether moved quickly to support Drift's recovery. On April 16, Tether committed $127.5 million as part of a nearly $150 million recovery package that also includes support from the Solana Foundation. The capital will fund user compensation, market maker liquidity, and ecosystem grants.
As a condition of the recovery deal, Drift will switch its core settlement layer from USDC to USDT upon relaunch. A recovery token will be issued to affected users, representing claims on a pool funded by trading fees and the newly raised capital. Tether CEO Paolo Ardoino said the focus is on restoring user confidence and aligning recovery with long-term protocol activity. The DRIFT token rose 20% to above $0.061 following the announcement, its highest level since the day of the exploit.
A Test Case for Stablecoin Liability
The Circle lawsuit raises a question the crypto industry has avoided answering directly: when a stablecoin issuer has the technical power to freeze funds during an active breach, is inaction a defensible policy or a failure of duty? The court's ruling could reshape how USDC, USDT, and other centralized stablecoins operate during security incidents, with implications that extend well beyond a single exploit on Solana.
