When state-affiliated hackers route stolen funds through your own infrastructure, silence is not an option. Circle, the issuer of USDC, chose not to stay silent after the April 1 Drift exploit. Its formal policy statement — published this week — is the most detailed public clarification the company has issued on its freeze authority to date. The document addresses a question the DeFi community has debated for years, and it does so with a specificity and legal framing that has direct implications for the stablecoin regulatory debate now moving through the US Senate.
$270M Stolen by North Korean Hackers via Circle’s Own Bridge
On April 1, 2026, Drift Protocol — a decentralized perpetual exchange on Solana — lost approximately $270 million to UNC4736, a North Korean state-affiliated group also known as AppleJeus and attributed to the Lazarus Group’s operational infrastructure. A significant portion of the stolen funds was converted into USDC and bridged using Circle’s Cross-Chain Transfer Protocol (CCTP), putting Circle’s own rails directly in the path of the asset movement.
The routing of stolen funds through CCTP immediately raised public pressure on Circle to explain why it had not frozen the assets faster. That question became the organizing thread of Circle’s response.
Circle: We Freeze When the Law Compels Us, Not When We Choose To
Circle’s central argument draws a sharp line between legal obligation and unilateral discretion. The company does not freeze USDC because it decides to — it freezes USDC when the law requires it to.
“When Circle freezes USDC, it is not because we have decided, unilaterally or arbitrarily, that someone’s assets should be taken from them. It is because the law requires us to act.”
The triggers Circle identified are specific: sanctions orders, law enforcement requests, court mandates, and statutory requirements. Social media pressure, public outcry, and internal moral judgment are explicitly excluded. The company framed this constraint not as a limitation but as a design principle that protects users.
“This is not a backdoor. It is not algorithmic surveillance. It is what the rule of law looks like in the context of internet-native financial activity.”
The protective argument follows directly: the same legal framework that allows Circle to act when compelled by law is the same framework that shields every USDC holder from arbitrary or politically motivated asset seizure. Unconstrained freeze authority would be more dangerous to users than the current legally constrained model — even when that constraint slows the response to a hack.
The Speed Gap: Technology Moves Faster Than Legal Frameworks
Circle’s more forward-looking argument targets the structural problem the Drift exploit exposed. The technical tools to intervene more rapidly already exist. The legal frameworks that would authorize faster coordinated action — while preserving privacy and property rights — do not.
“That gap is not an accident. It is the predictable result of regulation that has not kept pace with the technology it governs.”
By the time lawful freeze requests move through existing legal channels, stolen funds have already been bridged, swapped, and layered across multiple protocols. The Drift exploit illustrates this precisely: UNC4736 routed funds through CCTP within hours of the attack, well before any legal process could be initiated and completed.
Circle explicitly called for passage of both the GENIUS Act and the CLARITY Act, framing them as the legislative opportunity to build rapid-intervention frameworks before the next major exploit forces a crisis response that compromises DeFi’s foundational openness. The closing line of the statement was direct:
“Good technology should not be a vehicle for bad outcomes.”
Why This Statement Matters for the Stablecoin Debate
The Circle statement arrives at a moment when the GENIUS Act — the stablecoin-specific legislation currently stalled in the Senate Banking Committee over the stablecoin yield dispute — is being debated alongside the broader CLARITY Act market structure bill. Circle’s public push for both pieces of legislation is a deliberate lobbying move as well as a policy statement.
For USDC holders and institutional users, the statement resolves a question that has hung over the token since Circle built freeze capability into its smart contract: the authority is real, it will be used, and it will only be triggered by lawful legal process — not by Circle’s judgment of what is right. That is the bargain at the center of a legally compliant, regulated stablecoin. The Drift exploit made that bargain visible in a way that no policy document had managed to do before.
