Circle, the company behind the world’s second-largest stablecoin, allegedly sat idle while a hacker funneled more than $230 million in stolen USDC through its own cross-chain infrastructure. That’s the accusation from blockchain investigator ZachXBT, who says Circle had approximately six hours to intervene and chose not to.

The stolen funds originated from the Drift Protocol exploit on April 1, a $280-$285 million heist that now ranks among the largest in DeFi history. According to ZachXBT’s analysis, the attacker bridged the USDC from Solana to Ethereum using Circle’s Cross-Chain Transfer Protocol, or CCTP, spread across more than 100 individual transactions. That’s not exactly a subtle exit.

What happened at Drift Protocol

The attack itself was brutally efficient. Rather than exploiting a smart contract bug, the kind of vulnerability that dominates most DeFi postmortems, the hacker compromised Drift Protocol’s administrative permissions at the operational layer. Think of it less like picking a lock and more like stealing the building manager’s master key.

The entire exploit took roughly 12 minutes to execute. The attacker used pre-signed transactions facilitated by durable nonces, a technique that allowed them to queue up withdrawals in advance and fire them off in rapid succession. By the time anyone noticed, the vault was already empty.

The DRIFT token’s response was catastrophic. It plunged 98% from its all-time high of $2.65, trading in a range of $0.041 to $0.06 in the aftermath. For context, that’s like watching a stock go from blue chip to penny stock in the time it takes to eat lunch.

The total haul landed between $280 million and $285 million, making this one of the five largest DeFi exploits ever recorded. But the attack itself isn’t what has the crypto community most agitated. It’s what happened next, or rather, what didn’t.

Circle’s six-hour window

Here’s the thing about USDC that makes it fundamentally different from decentralized stablecoins: Circle has a kill switch. The company can freeze USDC in any wallet, at any time, for any reason. It’s a feature that exists precisely for situations like this one.

Since USDC’s inception, Circle has frozen approximately $110 million across various wallets, typically in response to law enforcement requests or sanctions compliance. The company has demonstrated, repeatedly, that it possesses both the technical capability and the willingness to act when circumstances demand it.

According to ZachXBT, the Drift Protocol exploit was publicly announced and widely discussed while the stolen funds were still being moved. The bridging activity occurred during normal business hours. Circle’s compliance team, in theory, had every opportunity to flag and freeze the transactions as they flowed through CCTP.

Instead, more than $230 million in stolen USDC crossed from Solana to Ethereum without interference. Over 100 separate transactions. Across roughly six hours. Circle, the entity with sole authority to stop this, apparently watched it happen.

What makes this particularly awkward for Circle is timing. ZachXBT and other observers have pointed out that just days before the Drift exploit, Circle had moved quickly to blacklist other wallets under circumstances that many in the industry considered questionable. The company demonstrated it could act fast when motivated. The Drift incident suggests that motivation is selectively applied.

Why this matters beyond one exploit

USDC isn’t some niche token. It processed $9.6 trillion in on-chain volume in February 2025 alone. It serves as foundational infrastructure across dozens of DeFi protocols, lending platforms, and trading venues. When the entity controlling that infrastructure fails to act during an active theft of this magnitude, the implications extend far beyond one bad day for Drift Protocol users.

The core tension is one that has haunted centralized stablecoins since their creation. USDC’s freezing capability is simultaneously its greatest regulatory selling point and its most controversial feature. Proponents argue it makes USDC safer because stolen funds can be recovered. Critics counter that it introduces a single point of failure, and worse, a single point of discretion.

The Drift incident lands squarely in the critics’ camp. If Circle freezes wallets at the request of governments but not during one of the largest thefts in DeFi history, the freeze function starts to look less like a safety mechanism and more like a compliance theater prop. In English: the power to help exists, but the willingness to deploy it appears inconsistent at best.

For institutional investors who have been warming to DeFi, this is a cold splash of reality. The assumption that centralized stablecoin issuers would act as a backstop during crises, that their control was a feature rather than a bug, now looks considerably less reliable. Risk models that treated USDC as quasi-insured may need revision.

Look, Circle hasn’t publicly detailed its reasoning for not intervening. There may be legal or procedural explanations that haven’t surfaced yet. Perhaps internal protocols require specific law enforcement requests before action can be taken, even during obvious thefts. But the optics are brutal, and in crypto, optics and confidence are functionally the same thing.

The broader regulatory conversation is likely to shift as well. Lawmakers working on stablecoin legislation in the US and abroad will inevitably point to this incident when debating oversight frameworks. If a company with $110 million in historical freezes and real-time visibility into its own protocol can’t or won’t stop $230 million from being stolen through its infrastructure, regulators will ask what exactly the compliance apparatus is designed to accomplish.

There’s also a competitive angle worth watching. Alternative stablecoin models, whether fully decentralized options like DAI or newer collateralized designs, may gain traction as users and protocols reassess their exposure to centralized issuer risk. The argument for decentralization has always been philosophical. Now it has a $230 million case study.

For Drift Protocol specifically, the road ahead is grim. A 98% token decline doesn’t just represent paper losses. It decimates the protocol’s treasury, its ability to compensate victims, and its capacity to attract developers or users going forward. Recovery from exploits of this scale is rare. Recovery from exploits where the stablecoin issuer could have helped but didn’t is essentially uncharted territory.

Bottom line

The Drift Protocol exploit was devastating on its own merits. But Circle’s apparent inaction during a six-hour window, while $230 million in stolen USDC flowed through its own bridge protocol, transforms this from a standard DeFi hack story into something more fundamental. It forces the entire industry to reckon with an uncomfortable question: if centralized stablecoin issuers won’t use their extraordinary powers during extraordinary thefts, what exactly are those powers for?