Investors sue Circle over $230M USDC transfers after Drift hack

Investors in the Drift Protocol filed a class action in federal court in Massachusetts alleging Circle Internet Financial failed to stop about $230 million in USDC from being moved through its Cross-Chain Transfer Protocol during a $280 million exploit on April 1. The suit was brought by Joshua McCollum on behalf of more than 100 investors.

The complaint asserts Circle had both the legal authority and the technical ability to block the transfers but did not act. The filing states, “Circle permitted this criminal use of its technology and services. These losses would not have occurred, or would have been substantially reduced, had the USDC issuer taken timely action.” Counsel for the plaintiffs is led by attorney Mira Gibb, and the suit seeks damages to be determined at trial.

Drift has described the April 1 breach as a “highly sophisticated operation.” According to the protocol, attackers spent months posing as a legitimate quantitative trading firm to gain trust, then introduced a malicious application that disabled withdrawal safety checks. The exploit also used durable nonce accounts that let attackers pre-sign transactions to be executed later. Security teams say it is among the largest attacks on the Solana network in recent years.

On-chain analysts reviewed the timeline and identified windows where Circle could have intervened. One analyst noted that roughly six hours passed during which more than $230 million in USDC moved across chains. A cryptography researcher observed that some stolen tokens remained in wallets for as long as three hours before further transfers, suggesting the attackers expected no immediate freeze.

Circle defended its policy on freezing wallets in a public statement. CEO Jeremy Allaire emphasized the company acts when required by law or at the direction of courts and law enforcement, adding that Circle follows the rule of law and cannot unilaterally decide which funds are legitimate. He also said he is working with U.S. officials on proposed legislation called the Clarity Act to provide legal protections for issuers that intervene in extreme cases.

The filing references prior wallet freezes by Circle and compares different issuer responses to hacks. In a separate instance, another stablecoin issuer froze several million tokens tied to a hacker address. Analyst James Seyffart argued that platforms with the ability to freeze tokens should do so in theft cases: “Either you’re a decentralized protocol and literally do not have the power to freeze, or you’re not, you should be freezing hacked funds.”

The case will proceed in Massachusetts federal court, where a judge and, if necessary, a jury will determine liability and the amount of damages.