Summary:

Circle is facing a class action lawsuit over its handling of the $280 million Drift Protocol exploit.
Plaintiffs claim Circle failed to freeze stolen USDC despite having the ability to act.
Around $230 million was bridged from Solana to Ethereum during the attack.
The case raises deeper questions about responsibility and control in crypto infrastructure.

The fallout from the $280 million Drift Protocol hack is now moving into the courtroom. Circle Internet Group, the issuer of USDC, is facing a class action lawsuit that could set an important precedent for crypto infrastructure providers to be held accountable during exploits. The lawsuit was filed by Drift investor Joshua McCollum in a U.S. district court in Massachusetts, representing more than 100 affected users. At its core, the complaint argues that Circle failed to act during a critical window when stolen funds were actively being moved across chains.

According to the filing, attackers transferred roughly $230 million in USDC from Solana to Ethereum using Circle's Cross-Chain Transfer Protocol over several hours. The plaintiffs claim that this activity happened in plain sight, without any intervention from Circle, despite the company having both visibility and technical control over the process. The lawsuit accuses Circle of aiding and abetting conversion, along with negligence. It claims the company had the tools to freeze or restrict the movement of funds but chose not to act. The complaint states:

"For hours, Circle knowingly permitted the Attackers use of its technology and services, despite its ability to freeze the assets and stop the exodus into Ether. As one prominent crypto commentator put it, "Circle was asleep while many millions of USDC was swapped ... for hours, from the 9-figure Drift hack during U.S. hours."

It goes further, framing the situation as a failure to meet legal responsibility:

"By law, Circle was not free to look the other way while knowing it was enabling this misappropriation. But even though Circle saw what was happening and could have taken action to protect investors, it chose to do nothing. "

The case is being led by the law firm Mira Gibb, with damages yet to be determined. For affected users, the lawsuit represents one of the few remaining paths to potential recovery after the exploit.

The Timeline That Sparked the Dispute

To understand why the case has drawn attention, it helps to look at how the exploit unfolded. The Drift attack did not happen in a single transaction. Instead, the funds were moved gradually, over hours, through more than 100 transactions. Attackers used Circle's native bridging system to move USDC from the Solana network to Ethereum. Once on Ethereum, the funds were converted into Ether and then routed through Tornado Cash, a privacy tool designed to obscure transaction history. This sequence made recovery significantly harder. Once funds pass through mixing services, tracing becomes more complex and enforcement options narrow.

The plaintiffs argue that Circle had a clear window to intervene before the funds were fully laundered. They also point to a recent example where Circle froze 16 USDC wallets in an unrelated civil case just days before the Drift exploit. That comparison is central to the argument. If Circle demonstrated the ability to freeze assets in one situation, the question becomes why it did not act in another. From Circle's perspective, situations like these are rarely straightforward. Freezing assets often requires legal authority or clear regulatory justification. Acting too quickly without that backing can create its own legal risks. But for users watching funds move in real time, that distinction may not carry much weight. Adding another layer, blockchain analytics firm Elliptic suggested that the exploit may be linked to North Korean state-backed actors. If accurate, that would place the incident within a broader pattern of sophisticated, state-linked crypto attacks. The attackers' ability to execute over 100 transactions during U.S. working hours, without interruption, is now one of the central points of contention in the case.

A Bigger Question Around Control and Responsibility

On paper, many crypto systems are designed to be decentralized. But in practice, certain players still hold significant control. Stablecoin issuers like Circle can freeze assets. Bridge operators can monitor flows. Exchanges can block accounts. These controls exist, but how and when they are used remains inconsistent. That creates a grey area. When companies have the power to intervene, expectations rise. Users begin to assume that intervention will happen during crises. But companies often operate within legal and regulatory constraints that limit their ability to act immediately.

The Drift case brings that tension into focus. Plaintiffs argue that Circle's inaction contributed to their losses. Circle, if it responds publicly or in court, is likely to point to the complexities of acting without clear legal authority in real time. At the same time, the industry is watching closely. A ruling against Circle could reshape expectations for stablecoin issuers and other infrastructure providers. It could push companies toward faster intervention during exploits, or force clearer policies around when and how assets can be frozen. There is also a trust angle and also about centralized components that behave under pressure.

Closing Thoughts

For now, the case is just beginning. It will take time before any conclusions are reached. But even at this early stage, it highlights a shift. Crypto is moving into a phase where technical design, legal responsibility, and user expectations are starting to collide in more visible ways and when that happens, the outcome tends to reach far beyond a single platform or incident.