Last week’s massive exploit of Solana-based perpetuals exchange Drift is still sending shockwaves throughout the crypto industry.

The April 1 attack appears to have been a months-long social engineering and infiltration campaign, likely involving fake counterparties, compromised contributor devices, and frozen protocol functions.

But beyond the sophistication of the attack, many within the crypto industry were also taken aback by the complete absence of intervention from USDC issuer Circle to limit downstream damage.

Today, we’re unpacking the attack and exploring Circle’s responsibilities (and potential liabilities) to act as the issuer of USDC 👇

Beginning sometime in fall 2025, the Drift attackers (likely associated with North Korea) posed as a legitimate quantitative trading firm. The group approached Drift contributors at crypto conferences around the world, built trusted relationships over time, and gradually embedded themselves within the ecosystem – going as far as depositing over $1M of their own capital to reinforce credibility.

Drift contributors began working closely with the attackers, and that misplaced trust ultimately granted the exploiters access to Drift’s systems. Using social engineering, the attackers induced Drift’s Security Council to pre-sign transactions that carried hidden authorizations for critical admin actions, and on April 1, those pre-signed transactions were finally deployed.

The attackers listed a fake token as valid collateral on Drift, raised withdrawal limits to extreme levels, and deposited hundreds of millions of the fake token before draining real assets from Drift, including USDC.

Over the course of multiple hours following the exploit – and amid public cries for intervention – the attackers went on to successfully bridge hundreds of millions of dollars’ worth of stolen Drift funds through Circle’s Cross-Chain Transfer Protocol (CCTP).

While the use of CCTP highlighted the protocol’s benefits for moving large sums of money fast at minimal cost, it also exposed a critical tension: these same features enabled attackers to rapidly move stolen funds with no apparent resistance.

The result was a wave of frustration across the crypto industry, and in the aftermath, criticism of Circle intensified as industry participants raised new questions about the robustness of Circle's compliance infrastructure.

Fueling that backlash, onchain investigator ZachXBT published The Circle USDC Files, alleging more than $420M in compliance failures since 2022 and highlighting fifteen instances where enforcement actions were minimal or absent.

From an outside perspective, it certainly seems like Circle had ample time to respond to the Drift exploit. Instead, public warnings went unheeded, and the attackers were able to route stolen funds through USDC rails for hours, entirely unencumbered.

This expansive window of opportunity to act suggests that intervention wasn’t impossible, and has spawned an emerging liability debate in the attack’s wake.

Circle is registered with FinCEN as a Money Services Business in the United States, meaning it has adopted an anti-money laundering program. Still, any controls the stablecoin issuer has put in place were entirely ineffective in preventing these malicious transfers.

Because Circle failed to act in a timely manner to prevent unauthorized transactions, there is a potential argument to be made that it was grossly negligent in its duties and materially breached its obligations as a registered Money Services Business.

That argument has already been advanced by California-based class action firm Gibbs Mura, whose attorneys are “reviewing potential claims against Circle Internet Financial for its alleged failure to act despite having the technical capability, contractual authority, and operational precedent to intervene.”

Under the GENIUS Act – a stablecoin regulation bill enacted by President Trump in July 2025 that will go into effect in January 2027 – ambiguity narrows considerably, and stablecoin issuers like Circle will have clear obligations to act in the face of unauthorized or illicit transactions.

The GENIUS Act will treat stablecoin issuers as financial institutions under the Bank Secrecy Act, requiring them to maintain AML/KYC programs, retain records, and report suspicious activity. It will also require issuers to have the technological capability and internal processes to block, freeze, and reject illicit transactions.

In less than a year, U.S. stablecoin issuers will be required to adopt a bank-like compliance regime, placing the burden squarely on them to actively monitor, detect, and intervene when illicit flows emerge. For Circle and its peers, the message is becoming unmistakable: if you control the rails, you bear responsibility for what moves across them.