- Key insight: A class action in Massachusetts argues Circle's ability to freeze tokens at any wallet address creates a higher anti-money-laundering duty than banks face under the Bank Secrecy Act.
- What's at stake: If regulators side with Tether's approach, banks issuing or partnering on stablecoins could face an obligation to freeze customer funds in real time, a duty no traditional bank has.
- Expert quote: Columbia Business School adjunct professor Omid Malekan defended Circle's restraint, writing that if issuers freeze beyond what the law requires, "not only is code not law, but also law is not law."
Overview bullets generated by AI with editorial review
North Korean hackers drained about $280 million from a crypto exchange on April 1 and spent the next eight hours moving the stolen money through Circle Internet Group's stablecoin network. Amid the public clamor about the ongoing exploit, Circle did not intervene.
Circle, which issues the USDC stablecoin, can freeze its tokens at any wallet address — a power its
It did not use that power during
When asked whether the company knew about the Drift attack when it was happening, a spokesperson for Circle told American Banker that the company does not comment on ongoing litigation.
The spokesperson also pointed to
Rival stablecoin issuer Tether Holdings has been doing the opposite for years.
The issuer announced three weeks after the North Korean heist that it had supported the U.S. government in freezing $344 million in USDT across two wallets. The next day, the U.S. Treasury Department linked the frozen funds to Iran, framing the freeze as part of efforts to disrupt Tehran's sanctions evasion.
As federal agencies finalize rules implementing the 2025 GENIUS Act, and a Massachusetts federal court weighs a class action lawsuit testing Circle's anti-money-laundering duties, the divergent approaches raises a major question:
Must a stablecoin issuer freeze customer funds in real time during an active heist?
Multiple federal entities are poised to potentially answer, including the OCC and the Treasury Department's Financial Crimes Enforcement Network, or Fincen, through pending rulemakings; federal courts, through the McCollum v. Circle class action; or Congress, through legislation Circle is lobbying for.
But, what if the government doesn't answer? Would the issuers themselves do so through self-regulation?
Banks thinking about jumping into the stablecoin pool will want to know the answers to these questions before they pick a counterparty.
The eight-hour window
A stablecoin is a dollar-pegged token issued on a public blockchain and redeemable for actual dollars held in reserve. USDC is Circle's; USDT is Tether's.
Each issuer mints and burns tokens, and each can freeze them at any specified wallet address.
This contrasts with the control that banks have. A bank can control cash within the institution itself. Stablecoin issuers can freeze tokens wherever they are.
That control can stop crime, but it can also enable it. In particular, it enabled the $280 million North Korean crypto heist earlier this month.
The attackers spent months socially engineering staff at crypto exchange Drift before the heist, the
In under 12 minutes, they transferred about $280 million in assets to two wallets they controlled, according to the complaint. Then, they got into the getaway car.
The attackers swapped the stolen assets for USDC then used a Circle protocol: a so-called bridge, which burns tokens on one blockchain and mints equivalents on another. Using the bridge, the attackers moved about $230 million to ethereum over roughly eight hours, according to the complaint.
Drift
"Through continuing updates and discussion on X, and direct contact from Drift, Circle learned of the exploit and the attackers' use of USDC to offload the funds onto the Ethereum blockchain," the lawsuit alleges.
Once on ethereum, the attackers swapped USDC for ether, which no one can freeze. The money was gone.
Circle could have frozen the assets or blacklisted the attackers' wallet from using the bridge during the eight-hour getaway, according to the complaint.
Nine days before the Drift heist, Circle had allegedly done exactly that in another matter. On March 23, the company froze USDC held in 16 wallets tied to a sealed civil lawsuit in federal court, according to the complaint.
Two issuers, two playbooks
Circle's position is that discretionary freezes, such as what it could have implemented during the Drift heist, are off the table.
"Our ability to freeze funds is a compliance obligation," Circle's Disparte wrote in the April 10 blog post, "exercised only when we are legally compelled by an appropriate authority, through lawful process."
Freezing unilaterally would set a dangerous precedent and create a new vector for political abuse, he wrote.
Circle CEO Jeremy Allaire defended the same position publicly at an April 13 press conference in Seoul. A private company freezing user funds at its own discretion would create a "moral quandary," Allaire said, according to
Tether's posture runs the other direction.
The $344 million freeze brought the cumulative total of funds Tether has frozen to more than $4.4 billion, including more than $2.1 billion connected to U.S. authorities, according to
Tether CEO Paolo Ardoino used the announcement to draw a contrast with Circle.
Recent events "have shown what happens when platforms fail to move quickly," Ardoino said in the company press release.
Drift, licking its wounds, concurs. When it relaunches, the exchange will drop USDC in favor of USDT for settlement, according to an April 16
Despite the big talk, Tether is still quite popular among people seeking to evade sanctions. In 2025, nearly 95% of inflows to sanctioned entities and jurisdictions came in the form of stablecoins, according to
Tether and a separate Russian stablecoin made up "the majority" of these inflows, according to the report.
The Bank Secrecy Act question
A Drift user named Joshua McCollum filed the proposed class action against Circle on April 14 in the U.S. District Court for the District of Massachusetts. The complaint makes an argument bank compliance officers will recognize:
"Circle itself had a duty to monitor suspicious activity," the complaint alleges, arguing that the cross-chain protocol's sole purpose is money transmission under the Bank Secrecy Act, or BSA.
The suit alleges Circle aided and abetted conversion (the wrongful exercise of dominion over someone else's property) and that the company was negligent.
Banks generally have no control over transactions to which they are not a party, making this case unique to the era of stablecoins.
A correspondent bank that sees a suspicious wire during an ongoing fraud files a Suspicious Activity Report and may reject the transaction under reasonable-cause standards. It does not (and, almost always, cannot) unilaterally claw back funds that have already moved.
Circle's smart-contract architecture is different. The attorneys representing people such as McCollum, who lost money in the Drift heist, are proposing a new legal theory: A stablecoin issuer's ability to freeze tokens at any address creates a different and higher duty, closer to a bank freezing a deposit account under legal process.
The BSA requires U.S. financial institutions to maintain anti-money-laundering monitoring programs and file SARs. Circle is registered with Fincen as a money services business (a category subject to BSA reporting rules) and already files SARs.
Money services businesses have 30 days to file a SAR, but in situations involving "ongoing money laundering schemes" they must "immediately notify by telephone an appropriate law enforcement authority in addition to filing," according to
The McCollum case is asking a federal judge to decide whether that immediate-notification duty extends to freezing specific wallets during a hack.
Not everyone agrees Circle is wrong. Omid Malekan, a Columbia Business School adjunct professor, argued in an
If issuers freeze funds beyond what the law requires, Malekan wrote, "not only is code not law, but also law is not law."
Allowing corporate discretion to substitute for legal process, he wrote, would recreate exactly the financial-censorship dynamic that crypto was designed to escape.
What the OCC does next
The OCC published its proposed stablecoin rule on Feb. 25 to implement the GENIUS Act's new category of "permitted payment stablecoin issuer," according to
The proposal covers reserves, custody, capital, disclosures and third-party risk. It does not directly address whether issuers must freeze funds during an active hack.
A separate joint proposal from Fincen and Treasury's Office of Foreign Assets Control would treat permitted payment stablecoin issuers as financial institutions under the BSA, according to
That proposal would also require (for the first time in U.S. law) mandatory sanctions compliance programs at stablecoin issuers. But, this proposal leaves the real-time freeze question open, too.
Circle sits squarely inside this emerging GENIUS Act framework. On Dec. 12, the OCC conditionally approved five national trust bank charters for digital asset firms,
National trust banks generally don't take insured deposits or lend, but they do fall under the OCC's ongoing safety-and-soundness expectations. If the OCC's final rule imposes explicit freeze obligations, Circle will be among the first institutions supervised under them.
Drift's $280 million loss was a fraction of the $2.02 billion that North Korea-linked actors stole in crypto in 2025 — a 51% increase over 2024, according to
The pattern is unlikely to change. Banks moving into stablecoin custody or issuance under the OCC's GENIUS Act framework will want to know whose playbook (Circle's or Tether's) the regulator endorses before North Korea strikes again.
