Stay connected with BizTech Community—follow us on Instagram and Facebook for the latest news and reviews delivered straight to you.
For a long time, the decentralised finance (DeFi) ecosystem has followed a rigorous set of rules: code is law, and transactions can’t be changed. But when smart contracts break and nine-figure hacks happen, the victims always go to the centralised organisations that keep the infrastructure running. Circle, the company that issues the USD Coin (USDC) stablecoin, is now at the center of a major legal struggle over its duty of care during one of the biggest hacks of 2026.
A group of angry investors has filed a class-action lawsuit against Circle after the Solana-based trading platform Drift Protocol was hacked for $280 million on April 1. The plaintiffs say that the stablecoin issuer was grossly negligent because they had the technical power to freeze the stolen money yet did nothing while hundreds of millions of dollars were being laundered.
This lawsuit could change the legal duties of stablecoin issuers and bridging protocols, pushing the industry to deal with the unclear line between decentralised neutrality and centralised involvement. Circle’s legal exposure comes at a pivotal moment, as the company recently made headlines with its IPO, which many saw as a turning point for digital money.
The Drift Protocol Exploit on April 1
To get a sense of how serious the lawsuit is, you need to look at how big the theft was. Drift Protocol, a top decentralised exchange on the Solana network, was hit by a very advanced cyberattack that had been planned for six months on April 1, 2026. The hack cost users $280 million in assets, which is a huge loss.
The hack itself was aimed at Drift’s smart contracts, but Circle’s infrastructure was also important for the money laundering that followed.
Joshua McCollum, who represents a group of more than 100 impacted investors, filed a civil lawsuit on Thursday, April 16, in a Massachusetts district court. The complaint says that the attackers did not retain the money on Solana. Instead, they used Circle’s own Cross-Chain Transfer Protocol (CCTP) to move about $230 million of the stolen USDC from the Solana blockchain to the Ethereum network.
The main point of the case is the timeline of this bridging process. The plaintiffs say that the huge, very unusual movement of money happened over the course of several hours, right in the middle of normal US business hours. However, Circle did not take any emergency action or stop the assets in transit. Large-scale crypto theft via cross-chain bridges is not new — the Bybit $1.5 billion hack similarly exploited cross-chain vulnerabilities and shook the market.
Negligence and Help
The legal team representing the victims, the Mira Gibb law firm, has structured the class action around two primary allegations: gross negligence and aiding in the conversion of illicitly obtained assets.
The lawyers are not saying that Circle planned the breach; they are saying that Circle did not have enough oversight, which made it easier for the hackers to get away. The plaintiffs say that Circle gave the thieves an avenue to escape by not stopping the CCTP transfers. The complaint asks for unknown amounts of money to be paid to the stablecoin issuer for the loss of the bridged funds that may have been avoided.
For years, this case has been at the center of a philosophical and legal discussion in the crypto world. Circle and Tether are two companies that make fiat-backed stablecoins that may be used on public blockchains. These tokens are backed by real-world dollars in bank accounts, so the issuers keep administrative control at the smart-contract level. This gives them the right to “blacklist” certain wallet addresses and permanently freeze the tokens that are linked to those addresses. The broader question of who controls USDC has already been a hotly contested topic in the industry.
The problem is how to use this power. Stablecoin issuers have historically been reluctant to serve as the only enforcers of DeFi. Most of the time, they wait for police enforcement or the courts to issue official, legally enforceable orders before freezing a wallet. If the issuer freezes legitimate payments too soon or because of Twitter rumours, they could be held liable for a lot of money.
The legal team for the Drift victims, on the other hand, is pointing out a clear flaw in this defence. The lawsuit also points out that Circle was able to successfully participate in a different judicial case just a week before the Drift Protocol hack, freezing 16 other USDC wallets. The plaintiffs are citing this case as an example to say that Circle plainly had the technological and operational power to freeze the $230 million, but they chose not to act, which led to the loss of the Drift investors.
Tornado Cash, Ethereum, and North Korea
What happened right after the USDC got on the Ethereum network shows how important it is to freeze the cash right away.
Elliptic’s forensic blockchain investigation shows that the exploit has all the signs of a state-sponsored cyberattack from North Korea, probably by the well-known Lazarus Group. The attackers used Circle’s bridging technology to transport the money by making more than 100 separate transactions. The Lazarus Group’s involvement is consistent with their known pattern — they were also linked to the Bybit hack, and suspicion of their activity previously led OKX to temporarily shut down its DEX services.
Once the USDC was effectively bridged to Ethereum, the chance to intervene was gone. The hackers systematically traded the centralised USDC stablecoins for native Ether (ETH), which is a completely decentralised asset that no one can freeze or take.
After the conversion, the stolen ETH was quickly moved through Tornado Cash. Even though the US Treasury Department has put a lot of pressure on Tornado Cash, it is still the best decentralised privacy protocol. It uses cryptography to mix up transaction histories and cut off the on-chain link between the source and destination of cash. The digital trail was effectively obliterated by the time the assets left the Tornado Cash mixer, which meant that the Drift Protocol community lost $280 million. Security experts have long warned about this kind of irreversible loss — research shows that 80% of hacked crypto projects never fully recover.
Making a Dangerous Legal Precedent
Every major bitcoin infrastructure provider will be keeping a close eye on the outcome of the McCollum v. Circle lawsuit.
If the plaintiffs win in Massachusetts, it might set a terrible legal precedent. It would mean that centralised stablecoin issuers and cross-chain bridge operators have a fiduciary “duty of care” to keep an eye on, find, and stop suspicious transactions in real time, even if there isn’t a formal law enforcement order to do so.
If this verdict goes through, firms like Circle will have to set up huge, bank-like compliance and surveillance departments just to keep an eye on decentralised protocols. It would turn stablecoin issuers into the final judges of truth in DeFi, which goes against the basic ideas of permissionless finance. This tension between regulation and decentralisation is at the heart of ongoing debates, such as the CLARITY Act fight over onchain dollar yield and broader discussions about the future of DeFi.
On the other hand, if the court sides with Circle, it will confirm the harsh truth of self-custody and decentralised trading: when investors use open-source smart contracts, they are completely responsible for their own actions, and the infrastructure providers only provide the pipes, no matter what flows through them.
As the legal process gets underway, the crypto sector has to deal with a painful truth. The ecosystem needs decentralised networks to be fast and independent, but when a $280 million disaster happens, everyone wishes the centralised kill switches had been pulled. The case also adds urgency to questions around whether transparency measures like proof-of-reserves are truly enough to protect users in a crisis.
Read Also: Coinbase Launches First Crypto-Backed Home Loan in the U.S
