285M Gone! Circle Won't Freeze, Hackers Laugh and Escape
Hackers transferred $232 million USDC from Solana to Ethereum, while Circle watched helplessly.
It's not that they can't freeze — it's that they won't.
Freeze, and they might be sued into bankruptcy.
Don't freeze, and they'll be called accomplices.
So, guess which path Circle chose?
A $285 million question
Early Wednesday morning, the Drift protocol was hacked.
$285 million disappeared in seconds.
But what really sent chills down my spine wasn't how powerful the hackers were.
It was — Circle clearly has the ability to freeze this money, but chose not to.
You read that right.
$232 million USDC, bridged from Solana to Ethereum via Circle's own cross-chain protocol CCTP, boldly transferred.
All transparent, all traceable, all... unblocked.
The hackers probably were stunned: Is that all?
Here's what happened: It's not a technical issue, it's a legal issue.
Let's briefly go over what happened:
- The attacker exploited a vulnerability in Drift (a market/oracle layer issue, not a pure code bug)
- Stole about $71 million USDC, then swapped most of the stolen funds into USDC
- Used Circle's CCTP to move $232 million USDC from Solana to Ethereum
- The entire process was as smooth as transferring between your own bank accounts
At this point, on-chain detective ZachXBT couldn't stay silent. This crypto Sherlock directly blasted:
"Why are we still building on Circle? A project with nine-figure TVL got hacked, and you just watch?"
In plain language: I build a house at your place, thieves come, you have surveillance, security, locks — everything — but you do nothing. Why should I live in your house?
Circle isn't unable to freeze — they're just afraid to.
Many people don't realize that USDC is a centralized stablecoin.
Circle holds a nuclear button — the blacklist feature. As long as they want, they can freeze any USDC in any address into worthless paper.
So why didn't they freeze this time?
Because of legal reasons.
Circle's response:
We are a compliant company. Without a court order or law enforcement request, we cannot freeze. This is the rule of law, and it protects user privacy.
Sounds reasonable, right? Such rule of law.
But Plume's chief legal counsel added: He's right. If Circle freezes without authorization, and if they freeze the wrong address, hackers could sue Circle, and Circle would pay the price.
This is the current surreal reality:
You want Circle to save you? First, get a court subpoena.
How long does that take? Days to weeks.
How fast do hackers transfer funds? Minutes.
Law responds in days; hackers operate in seconds.
You attack with a weapon measured in seconds, but expect to defend with a shield measured in days — that’s not defense, that’s prayer.
It's not that they don't want to freeze — it's that they can't. It's not that they can't freeze — it's that the law doesn't give them the guts.
USDC wants to be a global currency, but even bad actors aren't being blocked.
Decentralized protocols get hacked, centralized issuers play dead.
Circle doesn't owe you justice; they only owe a paper from the court.
You say Circle is an accomplice? The law says you're just keyboard warriors.
Deep contradiction: What exactly is USDC?
What’s truly troubling isn't Circle's inaction.
It's that none of us have fully thought through one question: What exactly is USDC?
- If you say it's neutral infrastructure, then it shouldn't intervene proactively, even if it sees a hacker.
- If you say it's a regulated financial instrument, then there should be clear rules: when to freeze, when not to freeze, who makes the call.
But now?
It's ambiguous.
Bluechip founder Ben Levit said a blunt truth:
This isn't just a pure hacker attack; it's more like a market/oracle exploitation event, a gray area. So any action by Circle becomes a judgment call, not a compliance decision.
Translation: Even Circle itself doesn't know whether to freeze or not.
Because no one has told them the standard.
Why does this matter to you and me?
Because our money might also be floating in this gray area.
Today you're mining in DeFi, tomorrow the protocol gets hacked, and USDC gets transferred away.
Do you expect Circle to step in?
Sorry, they first need a court subpoena.
And if you go to law enforcement?
By the time you get a court order, hackers will have already moved $232 million via CCTP to ten different chains, swapped into ten different tokens, and washed it cleaner than your wallet.
This is the reality:
- Hackers operate in seconds
- Laws respond in weeks
- Circle dares not act
Who’s right or wrong? Actually, both are wrong, and both are right.
ZachXBT criticizes Circle — he has a point — why not use the tools you have?
Circle's inaction makes sense — they don't want legal trouble.
Regulators stay silent — even more reasonable — no lives lost yet.
But who ultimately suffers?
The users who locked their funds in Drift. The ordinary people who believe in stablecoins + DeFi = the future.
You think technology protects you?
No, it's the law that protects you.
But the law is too slow.
You think Circle protects you?
No, Circle protects Circle.
A question no one wants to answer:
This article isn't about criticizing Circle.
Nor about whitewashing Circle.
It's about asking a question everyone avoids:
In a crypto world without global unified rules, instant enforcement, or clear responsibility boundaries, why should we trust centralized stablecoins to protect us?
The answer might be: We shouldn't trust them.
All we can do are three things:
1. Face reality: USDC isn't a charity; it's a regulated, compliant enterprise.
2. Diversify risk: Don't put all your stablecoin assets in one basket.
3. Watch for rule changes: Only when legislation grants Circle safe harbor will they truly act.
Until then —
Don't blame Circle for not saving you.
They don't even dare to save themselves.
