Share
On April 1, 2026, a coordinated attack on Solana-based derivatives platform Drift Protocol led to roughly $285 million in losses, with a large portion denominated in USDC moving freely across chains.
The transfers occurred through Circle’s Cross-Chain Transfer Protocol during US business hours, yet no freeze action was taken. This gap between Circle’s ability to freeze funds and its lack of action during the exploit is now driving criticism across the crypto industry.
Drift Protocol, one of the leading perpetual DEXs on Solana, has been hacked for approximately $213M. This makes it the biggest hack of 2026 so far, and one of the largest ever on the Solana blockchain, right behind the Wormhole Bridge exploit of 2022.
The full details of the…
— Charles Guillemet (@P3b7_) April 2, 2026
Drift confirmed the exploit was not caused by a smart contract flaw but by a coordinated operational breach. According to the team’s disclosures published on April 2, 2026, the attacker secured multisig approvals in advance using durable nonce accounts, allowing pre-signed transactions to execute later and giving the attacker timed control over protocol permissions.
The attacker was able to:
– Pre-position access using durable nonce accounts
– Obtain sufficient multisig approvals (2/5 multisig approval)
– Execute a malicious admin transfer within minutes, gaining control of protocol-level permissions
– Use that control to introduce a…— Drift (@DriftProtocol) April 2, 2026
This enabled rapid control over protocol permissions and removal of withdrawal limits. Funds were drained across multiple assets, including USDC, SOL, and wrapped Bitcoin. Data from DeFiLlama shows Drift’s total value locked fell from about $550 million to nearly $247 million after the attack, while its DRIFT token dropped around 28 percent.
On-chain investigator ZachXBT stated that more than $230 million in USDC linked to the exploit was bridged from Solana to Ethereum through Circle’s infrastructure without interruption. In a public post on April 1, 2026, he said that “value was moved and nothing was done,” pointing to a window of several hours where intervention appeared possible.
Circle was asleep while many millions of USDC was swapped via CCTP from Solana to Ethereum for hours from the 9 figure Drift hack during US hours.
Value was moved and nothing was done yet again.
Comes days after you froze 16+ business hot wallets incompetently which is still… pic.twitter.com/T0Xwg1HIfO
— ZachXBT (@zachxbt) April 2, 2026
Security researcher Specter noted that the attacker held USDC across multiple wallets for one to three hours before bridging, while avoiding conversion to Tether. The pattern indicates the attacker operated with the expectation that no freeze action would occur.
I was so pissed today watching the attacker using USDC with no fear
They even held the USDC across multiple wallets for 1–3 hours before swapping.
They clearly knew Circle wouldn’t and, they avoided swapping to USDT during the bridging process.
— Specter (@SpecterAnalyst) April 2, 2026
The criticism intensified because of Circle’s earlier enforcement actions. On March 23, 2026, the company froze 16 USDC wallets linked to a sealed US civil case, affecting exchanges, casinos, and payment services. ZachXBT later argued that available on-chain data suggested those wallets were involved in legitimate activity.
This contrast has become the central point of criticism against Circle’s enforcement decisions. In one case, funds were frozen quickly with limited public explanation. In another, a confirmed nine-figure exploit unfolded without visible intervention despite funds moving through Circle’s own infrastructure.
The incident has renewed concerns about how centralized stablecoin issuers apply their authority. Circle has the ability to freeze USDC, yet the criteria and timing of those actions remain unclear to users and developers.
There are also constraints. Freezing funds requires internal verification and may depend on legal thresholds, especially when attribution is uncertain. Acting prematurely could expose issuers to regulatory or legal consequences.
Even so, timing proved critical in this case. By the time funds were converted into roughly 129,000 ETH on Ethereum, recovery options had narrowed.
Circle has not issued a detailed public response as of April 2, 2026. For teams building on USDC, the episode highlights a structural trade-off: control exists, but its application is not always predictable during real-time incidents.
Share
