StablR Hacked: Attacker Mints $13.5M in EURR and USDR After Multisig Key Compromise
Between May 24 and 26, 2026, an attacker compromised a single private key in StablR's 1-of-3 multisig minting wallet, used it to add themselves as admin and remove legitimate owners, then minted 8.35 million USDR and 4.5 million EURR worth roughly $13.5 million at peg. Thin on-chain liquidity meant the attacker only extracted $2.8 million (1,115 ETH) before the Malta-based issuer froze operations. EURR briefly fell to $0.548, USDR dipped to $0.994, and both tokens remain under-collateralized in direct violation of MiCA's 1:1 reserve mandate. It is the first major hack of a licensed European stablecoin issuer.

How the Hack Unfolded

The attack did not exploit a vulnerability in StablR's smart contract code. It exploited the configuration of the issuer's on-chain minting authority. According to blockchain security firm GoPlus Security, StablR's Ethereum minting wallet used a 1-of-3 multisignature arrangement, meaning any single one of three authorized signers could approve a minting transaction without input from the others [1][2].

An attacker compromised one of those three private keys, added themselves as an administrator, removed the two remaining legitimate owners, and minted 8.35 million USDR and 4.5 million EURR, a combined notional value of approximately $13.5 million at peg [1][3]. The issuer's systems reportedly did not alert the team for several hours after the initial key compromise [4].

Dumping roughly $10.4 million in freshly minted supply into thin DEX order books yielded only 1,115 ETH, worth approximately $2.8 million [2][3]. That gap between notional value and realized proceeds is critical: the shortfall was not returned to reserves, leaving both tokens under-collateralized.

Blockchain security firm Blockaid, whose exploit detection system flagged the incident first, was direct: "This is not a smart contract bug, it's a key management and governance failure." [2]

Onchain investigator ZachXBT independently confirmed the exploit and noted that the attacker funded the operation through the CCTP cross-chain bridge on the Noble platform in the Cosmos ecosystem [4].

MiCA Reserve Violation and Regulatory Reporting

The unauthorized minting placed StablR in direct breach of MiCA's Title IV requirement that e-money tokens maintain a 1:1 reserve ratio at all times. StablR acknowledged publicly that the circulating supply of both USDR and EURR is "currently not fully backed at the 1:1 ratio" required under MiCA [1][3].

Both tokens depegged materially. EURR, pegged to the euro at approximately $1.16, fell briefly to $0.548, a discount exceeding 50 percent. USDR dropped to $0.994, a smaller deviation that nonetheless confirmed the reserve shortfall [1][3].

| Metric | USDR | EURR |
|---|---|---|
| Expected peg value | $1.00 | ~$1.16 |
| Price at incident trough | $0.994 | $0.548 |
| Peg deviation | 0.6% | 52.8% |
| Pre-incident market cap | ~$20M | ~$10M |
| Unauthorized tokens minted | 8.35M | 4.5M |
| MiCA compliance status | Non-compliant | Non-compliant |

StablR plans to notify Malta's Financial Services Authority (MFSA) under MiCA's incident reporting rules and the EU's Digital Operational Resilience Act (DORA), which mandates timely disclosure of significant ICT-related incidents by regulated entities [1][3]. External cybersecurity firms and law enforcement have been engaged, and StablR has halted minting and redemption while asking exchanges to suspend trading [1]. Chief Executive Officer Gijs op de Weegh stated the company is acting "with full transparency" as the investigation continues [3].

The Regulatory Timeline Under MiCA and DORA

| Date | Event |
|---|---|
| May 24, 2026 | Attacker compromises 1-of-3 multisig key; mints 8.35M USDR and 4.5M EURR; Blockaid flags exploit publicly |
| May 24-25, 2026 | EURR drops to $0.548; USDR drops to $0.994; DEX liquidity constrains attacker to ~$2.8M realized proceeds |
| May 25-26, 2026 | StablR freezes USDR and EURR operations; requests exchange trading halts |
| May 26, 2026 | StablR acknowledges MiCA reserve non-compliance; initiates MFSA notification under DORA and MiCA |
| Ongoing | External cybersecurity investigation; law enforcement engagement; MFSA supervisory review pending |

Why 1-of-3 Is Insufficient for a Licensed Issuer

A 1-of-3 multisig with no timelock means a single compromised key confers complete and immediate minting authority. For an issuer with over $30 million in combined token market capitalization and MiCA obligations, that threshold is inadequate.

Larger stablecoin architectures take different approaches. Circle, issuer of USDC, holds reserves with institutional custodians including BlackRock and BNY Mellon and employs hardware security module-backed controls rather than single-key-sufficient multisig for mint authority [5]. Tether applies multi-party approval workflows across distributed infrastructure. BlackRock's BUIDL fund, custodied in part by Anchorage Digital Bank, uses multi-party computation (MPC) with offline key storage and multi-approval schemes so no single node can authorize a transaction unilaterally [5].
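
The threshold and timelock point above, replayed as a toy model (an added example, not StablR's code and not part of the original article). The `MintAuthority` class, the signer names and the 24-hour delay are assumptions chosen for illustration; only the action sequence and token amounts come from the article.

```python
from dataclasses import dataclass, field

@dataclass
class MintAuthority:
    """Toy k-of-n mint wallet with an optional timelock in seconds (hypothetical model)."""
    owners: set
    threshold: int
    timelock: int = 0
    minted: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def submit(self, now, queued_at, signers, action, arg):
        """Run one admin action only if enough current owners signed and the delay passed."""
        if len(set(signers) & self.owners) < self.threshold:
            outcome = "rejected: below threshold"
        elif now - queued_at < self.timelock:
            outcome = "pending: timelock not elapsed"
        else:
            outcome = "executed"
            if action == "add_owner":
                self.owners.add(arg)
            elif action == "remove_owner":
                self.owners.discard(arg)
            elif action == "mint":
                token, amount = arg
                self.minted[token] = self.minted.get(token, 0) + amount
        self.log.append((now, action, outcome))
        return outcome

# Constructed replay of the sequence the article describes; signer names are placeholders.
INCIDENT = [
    ("add_owner", "attacker"),
    ("remove_owner", "signer_b"),
    ("remove_owner", "signer_c"),
    ("mint", ("USDR", 8_350_000)),
    ("mint", ("EURR", 4_500_000)),
]

def replay(threshold, timelock):
    """Submit every step at once, signed only by the single compromised key."""
    wallet = MintAuthority({"signer_a", "signer_b", "signer_c"}, threshold, timelock)
    for step, (action, arg) in enumerate(INCIDENT):
        wallet.submit(step, step, ["signer_a"], action, arg)
    return wallet

if __name__ == "__main__":
    for k, delay in [(1, 0), (1, 86_400), (2, 86_400)]:
        w = replay(k, delay)
        print(k, delay, sorted(w.owners), w.minted, {o for _, _, o in w.log})
```

With a threshold of 1 and no delay every action executes; a delay alone leaves the same actions pending, which is the window monitoring and the other signers need, and a threshold of 2 rejects them outright.
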

| Issuer | Mint key architecture | Single key risk | Reserve custodian model |
|---|---|---|---|
| StablR (USDR/EURR) | 1-of-3 multisig, no timelock | High: one key grants full access | Segregated accounts at institutional custodians |
| Circle (USDC) | HSM-backed, multi-layer controls | Low | BlackRock, BNY Mellon |
| Tether (USDT) | Multi-party distributed approval | Low-medium | Internal multi-entity reserves |
| BlackRock BUIDL | MPC with offline storage, multi-approval | Very low | Anchorage Digital Bank (federally chartered) |

From a MiCA standpoint, the regulation does not currently prescribe a specific signing architecture for on-chain mint authority. But the StablR incident gives supervisors at both the MFSA and ESMA a reference case when evaluating whether a licensed issuer's operational controls are adequate under MiCA's broader governance requirements.

Implications for European Stablecoin Peer…