TLDR
- A proposed class action has been filed against Circle Internet Group in Massachusetts federal court.
- The lawsuit claims Circle allowed approximately $230M in USDC to be transferred following the Drift Protocol security breach on April 1.
- Drift Protocol lost around $280M total in the exploit, marking it among the most significant DeFi breaches of 2026.
- Attackers leveraged Circle’s Cross-Chain Transfer Protocol to bridge assets from Solana to Ethereum during an extended timeframe.
- Elliptic, a blockchain analytics company, has linked the attack to hackers operating under North Korean state sponsorship.
Circle Internet Group finds itself defending against serious allegations. The stablecoin issuer faces accusations in a proposed class action lawsuit filed this Wednesday in Massachusetts, with plaintiffs claiming the company allowed approximately $230 million in USDC to move through its systems after a major cryptocurrency theft.
Drift Protocol suffered the security breach on April 1, with attackers draining roughly $280 million from the decentralized finance platform. The complaint details how an extended time period passed during which Circle allegedly observed cross-blockchain fund movements without intervention.
Joshua McCollum, an investor in Drift, serves as lead plaintiff representing over 100 members in the legal action. The filing accuses Circle of negligence alongside charges of aiding and abetting unlawful conversion of the stolen assets.
Attackers utilized Circle’s proprietary Cross-Chain Transfer Protocol to transfer the stolen USDC between Solana and Ethereum networks. According to the complaint, Circle possessed both technical tools and contractual rights to freeze the relevant wallets during this transfer period.
“Circle permitted this criminal use of its technology and services,” McCollum’s legal team stated in court documents. “These losses would not have occurred, or would have been substantially reduced, had Circle taken timely action.”
The law firm Mira Gibb handles representation for McCollum and fellow investors. Final damages amounts await determination during trial proceedings.
The complaint references a telling comparison: approximately one week prior to the Drift breach, Circle froze 16 USDC wallets related to a sealed US civil matter. Plaintiffs contend this earlier action demonstrates Circle maintained both capability and willingness to intervene when circumstances warranted.
Circle’s Defense and ARK’s Take
Circle has maintained public silence regarding the litigation. Cointelegraph’s request for comment went unanswered.
ARK Invest’s director of research for digital assets, Lorenzo Valente, offered perspective supporting Circle’s stance. He contended that freezing assets absent legal authorization establishes problematic precedent, effectively granting private corporations unchecked authority over freeze decisions.
“Every future freeze is now a judgment call. Every non-freeze is a political statement,” Valente explained. He conceded, however, that the stolen assets would probably finance North Korea’s weapons development programs.
“Whether Circle got it right comes down to how much you weigh rule-of-law principles vs concrete harm,” he said.
What Happened to the Funds
Following the cross-chain bridge transfer, attackers converted the stolen USDC into Ether before routing proceeds through Tornado Cash, the privacy-focused protocol, to eliminate transaction traceability.
Blockchain intelligence firm Elliptic attributes the exploit to North Korean state-sponsored hacking groups. Elliptic’s analysis revealed attackers executed over 100 transactions through Circle’s bridging infrastructure during standard US business operating hours.
The Drift Protocol security breach eliminated a substantial portion of the platform’s total value locked, creating cascading effects throughout multiple DeFi ecosystems.
CRCL stock shifted 1.84% in response to the lawsuit announcement.
