Circle CEO Jeremy Allaire publicly defended his company's decision not to freeze USDC following the April 1 hack of Drift Protocol, the largest decentralized perpetual futures exchange on Solana, which lost approximately $285 million in user assets. Speaking after the incident, Allaire described the situation as a "moral quandary" but maintained that Circle carries a "very clear performance obligation" to act only when authorized by law, not at its own discretion. The statement came after blockchain investigator ZachXBT and others pointed out that Circle had roughly six hours to act while the attacker moved stolen funds through Circle's own infrastructure.

What Happened

The Drift exploit unfolded in approximately 12 minutes on April 1, making it the second-largest hack in Solana's history behind the $326 million Wormhole bridge exploit in 2022. Security firms TRM Labs and Elliptic have attributed the attack with high confidence to North Korean state-sponsored hackers, specifically the Lazarus Group, in what analysts describe as the 18th reported North Korean crypto theft of 2026 so far. The attack combined social engineering of multisig key holders, oracle price manipulation, and a governance exploit rather than a conventional smart contract vulnerability.

About $60.4 million in USDC was taken directly from Drift during the attack. The attacker then converted additional stolen assets into USDC and used Circle's Cross-Chain Transfer Protocol (CCTP) to bridge approximately $230 to $232 million from Solana to Ethereum across more than 100 separate transactions over roughly six hours. Circle did not freeze any of those funds during that window. CCTP is Circle's own interoperability product, built and actively marketed by the company as secure cross-chain infrastructure, which sharpens the significance of the non-intervention: the stolen funds traveled through a bridge Circle itself created and promotes.

Blockchain security researcher Taylor Monahan has separately found that North Korean IT operatives embedded themselves inside more than 40 DeFi platforms, in some cases contributing to the design of protocols that were later targeted. That pattern of sustained infiltration adds context to how attacks of this sophistication are organized and executed.

Circle's Legal Argument

Circle's position rests on a narrow freeze policy. The company will blacklist USDC addresses and freeze funds under two conditions only: a valid legal order from a recognized U.S. or French authority, or a Circle determination that inaction would threaten its network security or integrity. The GENIUS Act, signed into law on July 18, 2025, requires stablecoin issuers to have the technical capability to freeze funds when legally ordered to do so. Crucially, the law does not authorize issuers to act unilaterally without such an order.

Circle Chief Strategy Officer Dante Disparte made the case directly in an April 10 company blog post titled "When Open Systems Are Tested: Accountability, Rule of Law, and the Work Ahead." "This is not a backdoor. It is not algorithmic surveillance. It is what the rule of law looks like in the context of internet-native financial activity," Disparte wrote. That argument may hold on its legal merits, but it does little to address the speed problem: court orders typically take days or weeks to secure, while the entire $232 million moved in six hours.

The timing controversy is sharpened by a prior incident. Just nine days before the Drift exploit, on March 23, Circle froze USDC across 16 business wallets simultaneously after a private law firm obtained a sealed U.S. civil court order in the Southern District of New York. That freeze sparked debate, with observers noting how rapidly Circle's freeze authority can be engaged through formal legal channels, a contrast that critics found difficult to ignore in the wake of the Drift exploit.

Industry Response and the Legal Gap

ZachXBT was direct in his criticism, writing that Circle was "sleeping while more than 100 transactions were happening, even though it was three hours after the hack," and questioning why crypto projects continue to build on Circle when a protocol with substantial locked value received no support during a major incident.

Industry attorneys have identified a structural gap that the Drift case makes difficult to ignore. Salman Banei, General Counsel at Plume Network, argued that "freezing assets without formal authorization could expose issuers to liability" and called on Congress to establish a safe harbor from civil liability for digital asset issuers that freeze funds based on a reasonable judgment that illicit transfers are occurring.

Ben Levit, CEO of stablecoin ratings agency Bluechip, identified the core tension in Circle's positioning. "USDC can't simultaneously be positioned as neutral infrastructure and reserve the right to discretionary intervention," Levit said. He also noted that the market and oracle nature of the Drift attack placed it in a gray zone: "any action by Circle becomes a judgment call, not just a compliance decision." On the market side, Levit added, "markets can handle strict policies or no intervention, but ambiguity is much harder to price."

What This Means for Users Outside the US

The GENIUS Act's freeze mandate is primarily relevant to legal proceedings in the U.S. or France. For USDC users in South Asia and Sub-Saharan Africa, that framework offers limited practical protection. According to CryptoNewsNavigator's coverage of the Chainalysis 2026 global crypto adoption index, India ranked first globally, with roughly 5.7 million wallet addresses interacting with USDC in 2024 alone, many of them using it as a dollar-denominated savings and settlement layer. Sub-Saharan Africa saw stablecoin transaction volumes grow over 180% year-over-year, with Nigeria, Kenya, and South Africa together accounting for approximately 12% of global USDC peer-to-peer usage.

Circle's current policy means that obtaining a qualifying legal order is essentially out of reach for projects and users based outside the U.S. and France, regardless of how clear the theft or how fast they act. Circle has been expanding aggressively in Africa through a partnership with Sasai Fintech, a business within Cassava Technologies founded by Strive Masiyiwa, who has framed the collaboration around goals of financial inclusion and transformative economic opportunity for the continent. That narrative sits uneasily alongside the limits of Circle's stated freeze policy when facing a confirmed state-sponsored theft routed through its own bridge protocol.

What Comes Next

USDC is widely considered the second-largest stablecoin by circulating supply, at approximately $75 to $78 billion as of April 2026, up roughly 72% year-over-year. Its 2025 transaction volume reached $18.3 trillion, representing about 55% of the stablecoin market. Those numbers reflect deep integration into global financial flows, which makes the governance question more urgent, not less. Circle has called on Congress to finalize implementing regulations under the already-enacted GENIUS Act and to pass the forthcoming CLARITY Act, both steps the company says are needed to resolve ambiguities around issuer liability. Whether that legislative path moves fast enough to matter in the next exploit is another question entirely.