IRCNF

StablR loses $2.8 million after attacker exploits a single multisig key to mint $13.5 million in unbacked stablecoins


European stablecoin issuer StablR disclosed a cybersecurity incident over the weekend that resulted in the unauthorized minting of approximately $13.5 million in unbacked tokens and a sharp depeg of both its euro and US dollar stablecoins. The company froze minting and redemption operations and is coordinating with law enforcement and external cybersecurity firms as the investigation continues.

The attack was publicly flagged on Sunday by onchain investigator ZachXBT, who spotted anomalous activity in contracts tied to StablR's USDR and EURR tokens on Ethereum. Blockchain security firms Blockaid and GoPlus Security subsequently analyzed the attack vector.

How the attack worked

The vulnerability was traced back to a critically weak configuration in StablR's Ethereum minting wallet: a 1-of-3 multisignature setup, in which any one of the three authorized key holders could unilaterally approve a minting transaction. Multisignature wallets are designed to require a threshold of approvals before executing sensitive operations; the standard recommendation for stablecoin minting contracts is at least 2-of-3 or higher.

With a 1-of-3 threshold, compromising a single private key was sufficient. Blockchain security firm GoPlus Security said the attacker compromised one key, then used it to add themselves as an administrator, remove the three legitimate signers, and mint tokens freely. The attacker minted approximately 8.35 million USDR and 4.5 million EURR — roughly $13.5 million at the tokens' intended peg values.
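The sequence GoPlus describes can be caught by replaying a wallet's governance events against a threshold policy. The sketch below is an added example, not StablR's or any analyst's code; the event format, signer labels and `MIN_THRESHOLD` policy are assumptions, and the event log is constructed to mirror the reported order of operations.

```python
"""Replay multisig governance events and flag the sequence described above.
All signer labels, event names and the policy floor are constructed."""

MIN_THRESHOLD = 2  # assumed policy floor: the 2-of-3 minimum cited in the article


def audit(signers, threshold, events):
    """Return (event_index, finding) alerts; index -1 is the static config check."""
    baseline = frozenset(signers)   # signer set at deployment
    current = set(signers)
    alerts = []
    if threshold < MIN_THRESHOLD:
        alerts.append((-1, f"{threshold}-of-{len(current)} threshold below policy"))
    for i, ev in enumerate(events):
        if ev["type"] == "add_signer":
            current.add(ev["signer"])
            if len(set(ev["approvals"])) < MIN_THRESHOLD:
                alerts.append((i, "signer added on a single approval"))
        elif ev["type"] == "remove_signer":
            current.discard(ev["signer"])
            if not current & baseline:
                alerts.append((i, "every original signer removed"))
        elif ev["type"] == "mint" and not current & baseline:
            alerts.append((i, f"mint of {ev['amount']} {ev['token']} after signer turnover"))
    return alerts


# Constructed event log mirroring the reported order of operations.
INCIDENT = [
    {"type": "add_signer", "signer": "unknown_1", "approvals": ["signer_a"]},
    {"type": "remove_signer", "signer": "signer_a", "approvals": ["unknown_1"]},
    {"type": "remove_signer", "signer": "signer_b", "approvals": ["unknown_1"]},
    {"type": "remove_signer", "signer": "signer_c", "approvals": ["unknown_1"]},
    {"type": "mint", "token": "USDR", "amount": 8_350_000, "approvals": ["unknown_1"]},
    {"type": "mint", "token": "EURR", "amount": 4_500_000, "approvals": ["unknown_1"]},
]

if __name__ == "__main__":
    for idx, finding in audit({"signer_a", "signer_b", "signer_c"}, 1, INCIDENT):
        print(idx, finding)
```

The static check at index -1 fires before any event is replayed, so the weak threshold is reportable as a configuration finding on its own.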

To cash out, the attacker offloaded the freshly minted supply through decentralized exchanges. Thin liquidity on DeFi markets — USDR had a $20 million market cap and EURR around $14 million — meant the massive sell order drove prices down sharply. The attacker netted approximately 1,115 ETH, or about $2.8 million, a fraction of the face value they minted.

Market impact

Both stablecoins lost their pegs significantly. EURR, nominally pegged to the euro at approximately $1.15, fell 23% to around $0.88 at the worst point during the weekend. USDR, pegged to the US dollar, dropped to $0.70. As of CoinDesk's reporting on Tuesday, USDR had partially recovered to $0.994, while EURR remained severely depegged at $0.548 — still less than half the euro's dollar value of $1.16.

StablR acknowledged that circulating supply of both tokens "is currently not fully backed at the 1:1 ratio" required by EU regulations. The company asked exchanges to halt trading, deposits, and withdrawals for both tokens while the investigation proceeds.

Regulatory implications under MiCA

StablR's stablecoins operate under the EU's Markets in Crypto-Assets (MiCA) regulation — the comprehensive crypto regulatory framework that took effect across the EU in late 2024. MiCA requires stablecoin issuers to maintain full 1:1 reserve backing, comply with strict operational security standards, and notify regulators promptly following incidents.

StablR said it will notify Malta's Financial Services Authority (MFSA) under both MiCA's stablecoin issuer requirements and the EU's Digital Operational Resilience Act (DORA), which mandates incident reporting for financial entities. The company is Malta-based, making the MFSA its primary EU regulator.

The incident is notable as one of the first significant security failures for a MiCA-regulated stablecoin issuer. How regulators respond — whether with a remediation requirement, a fine, or a license suspension — will be closely watched by the broader EU crypto industry as a signal of how MiCA enforcement handles operational failures versus deliberate misconduct.

Private key exploits keep mounting

The attack adds to a growing list of DeFi incidents this month involving compromised private keys. CoinTelegraph notes that StablR's exploit is one of over a dozen significant crypto attacks in May 2026 alone, joining THORChain, Verus Bridge, Echo Protocol, and Polymarket on the list of recent victims.

The pattern is consistent: protocols that concentrate critical operations — minting, upgrades, fund withdrawals — behind weak multisig configurations or poorly secured private keys continue to be high-value targets. The existence of MiCA compliance requirements did not prevent this attack; the vulnerability was architectural, not procedural. Whether MiCA's forthcoming technical standards for stablecoin issuers will require stronger multisig thresholds is a question regulators and the industry will need to answer.

Tether invested in StablR in December 2024, making it a financial backer of one of the few MiCA-licensed euro stablecoin issuers operating in Europe. Neither Tether nor the broader stablecoin market saw significant contagion from the incident.
