- Lawsuit filed: Class action initiated on April 14, 2026, by Drift investor Joshua McCollum on behalf of over 100 affected users in U.S. District Court for Massachusetts.
- Exploit details: On April 1, 2026, attackers drained an estimated $280–285 million from the Solana-based DEX Drift Protocol through trading, lending, and vault deposits.
- USDC movement: Approximately $230 million in stolen USDC was transferred from Solana to Ethereum via Circle’s Cross-Chain Transfer Protocol (CCTP) across more than 100 transactions over six hours.
- Key allegations: Plaintiffs claim Circle failed to freeze the funds despite having the technical ability, contractual authority, and recent precedent of freezing 16 unrelated wallets nine days earlier in a separate civil matter.
- Broader implications: The suit accuses Circle of negligence and aiding conversion, spotlighting stablecoin issuer responsibilities as U.S. lawmakers consider the CLARITY Act.
Stablecoin issuer Circle Internet Financial is confronting a class-action lawsuit from investors in the Solana-based decentralized exchange Drift Protocol, who allege the company negligently allowed stolen funds to move freely following one of the year’s largest exploits.
The complaint, filed on April 14, 2026, in Massachusetts federal court by lead plaintiff Joshua McCollum and represented by Gibbs Mura, A Law Group, claims Circle failed to intervene as attackers transferred roughly $230 million in USDC from Solana to Ethereum using the company’s own Cross-Chain Transfer Protocol (CCTP). The transfers occurred across more than 100 transactions spanning approximately six hours after the April 1 exploit that drained an estimated $280–285 million from Drift’s trading, lending, and vault pools.
Plaintiffs argue Circle possessed both the technical capability and operational precedent to freeze the assets. Just nine days before the hack, on March 23, the issuer had frozen 16 unrelated business wallets in connection with a separate civil matter, demonstrating its ability to act swiftly when it chose to do so. The lawsuit accuses Circle of negligence and aiding and abetting conversion, seeking damages to be determined at trial.
In an earlier public statement responding to criticism over the incident, Circle clarified its freeze policy: it acts only when directed by law enforcement and has urged Congress to pass the GENIUS and CLARITY Acts to establish a clearer legal framework for stablecoin operations. The firm has not yet issued a direct response to the filing.
The case underscores ongoing tensions in decentralized finance around stablecoin issuers’ roles in security incidents. While Circle maintains it operates under strict legal constraints, critics point to the six-hour window during which the stolen USDC moved unchallenged as evidence of insufficient monitoring or response protocols. The exploit itself was described by Drift as a targeted social-engineering attack.
Industry observers note that the outcome could influence how other stablecoin providers handle similar events and may accelerate regulatory discussions around mandatory freeze mechanisms and issuer liability. The lawsuit remains in its early stages, with no court rulings issued as of April 17.
Disclaimer: This article is for informational purposes only and does not constitute advice of any kind. Readers should conduct their own research before making any decisions.
© Cryptopress. For informational purposes only, not offered as advice of any kind.
