Quick Insights

  • Malta-based StablR froze minting and redemption for its USDR and EURR stablecoins after an attacker minted roughly $13.5 million in unbacked tokens over the weekend.
  • The attacker exploited a 1-of-3 multisig wallet, compromising a single key, adding themselves as administrator and removing the legitimate signers.
  • Thin DEX liquidity meant the attacker netted only around $2.8 million in ETH despite dumping $10.4 million in face value, but both tokens lost their pegs.
  • StablR, which is backed by Tether and Kraken, has acknowledged its tokens are no longer 1:1 backed as required under the EU's MiCA regulation.

European stablecoin issuer StablR has suspended its USDR and EURR tokens after a weekend cyberattack left both assets under-collateralised. An attacker exploited a weakness in the company's wallet setup to mint roughly $13.5 million in unbacked tokens, then dumped them on decentralised exchanges. The breach is notable not for its sophistication but for the opposite: it was enabled by a basic configuration choice that security researchers say should never have been in place at a regulated issuer.

A 1-of-3 Multisig Is Just a Single Point of Failure

The exploit traces to how StablR secured its minting contract. The minting wallet used a 1-of-3 multisignature configuration, meaning any one of three authorised owners could approve a transaction alone. That design offers no more security than a single private key, because compromising any one of the three keys grants full control.

That is exactly what happened. According to security firm Blockaid, the attacker compromised a single key, added themselves as an owner, removed the two legitimate signers, and took complete administrative control of the minting function. They then minted approximately 8.35 million USDR and 4.5 million EURR, around $13.5 million in unbacked tokens at peg, and swapped roughly $10.4 million of it for ETH across decentralised exchanges.

"This is not a smart contract bug. It's a key management and governance failure."

Blockaid, blockchain security firm

The distinction matters. StablR's token contracts functioned exactly as designed. There was no clever code exploit. The attacker simply seized the keys to the printing press because the lock on that press only required one of three keys. For comparison, Harmony's Horizon bridge used a 2-of-5 multisig before being drained for $100 million in 2022, and security analysts had already called that setup insufficient at the time. StablR's 1-of-3 configuration was objectively weaker, and it was running at a licensed, regulated issuer in 2026.
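An added example, not from the original article or from StablR's contracts: a minimal Python model of an m-of-n wallet, replaying the sequence described above to show how many stolen keys it takes before the takeover succeeds. It assumes owner changes and minting are gated by the same threshold; the class, function and key names are hypothetical and the mint amount is constructed.

```python
class Multisig:
    """Toy m-of-n wallet: owner changes and minting share one threshold (assumed design)."""

    def __init__(self, owners, threshold):
        self.owners, self.threshold, self.minted = set(owners), threshold, 0

    def _approved(self, signers):
        # Only signatures from current owners count toward the threshold.
        return len(set(signers) & self.owners) >= self.threshold

    def add_owner(self, new, signers):
        if self._approved(signers):
            self.owners.add(new)
            return True
        return False

    def remove_owner(self, old, signers):
        # Refuse removals that would leave fewer owners than the threshold.
        if self._approved(signers) and len(self.owners) - 1 >= self.threshold:
            self.owners.discard(old)
            return True
        return False

    def mint(self, amount, signers):
        if self._approved(signers):
            self.minted += amount
            return True
        return False


def takeover_succeeds(threshold, n_owners, compromised):
    """Replay the described sequence with `compromised` stolen keys."""
    legit = [f"owner{i}" for i in range(n_owners)]
    wallet = Multisig(legit, threshold)
    stolen = legit[:compromised]
    if not wallet.add_owner("intruder", stolen):
        return False  # stolen keys alone cannot reach the threshold
    controlled = stolen + ["intruder"]
    for owner in legit[compromised:]:  # the signers whose keys were not stolen
        wallet.remove_owner(owner, controlled)
    # Success means no legitimate signer is left and minting still goes through.
    return wallet.owners <= set(controlled) and wallet.mint(1_000, controlled)


def keys_needed(threshold, n_owners):
    """Smallest number of stolen keys for which the takeover goes through."""
    return next(c for c in range(n_owners + 1)
                if takeover_succeeds(threshold, n_owners, c))
```

In this model the number of keys an intruder needs always equals the threshold, which is why a 1-of-3 wallet is no stronger than a single key regardless of how many owners are listed.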

The Tokens Depegged and the Response Was Slow

The impact on the tokens was immediate. EURR fell as low as $0.55 against a euro worth around $1.16, and USDR dropped to as low as $0.40 before recovering. Both have partially stabilised, with USDR back near $0.99 and EURR clawing back ground, but the under-collateralisation remains until StablR resolves the gap.

How the StablR Breach Unfolded
  • Single key compromised: the attacker gained control of one of three multisig owners
  • Admin takeover: they added themselves as owner and removed the legitimate signers
  • $13.5M minted: 8.35M USDR and 4.5M EURR created with no backing
  • $2.8M netted: thin DEX liquidity limited the actual haul despite $10.4M dumped
  • Funds partly frozen: payments app Oobit froze six figures after ZachXBT flagged the attack

The response drew criticism. On-chain investigator ZachXBT flagged the exploit on Saturday night and helped freeze a portion of the stolen funds, but noted the StablR team appeared to be "asleep" while the attack continued for more than three hours after being publicly flagged. StablR acknowledged the incident in a statement roughly eight hours after the on-chain activity ceased. The payments app Oobit, which had offered EURR off-ramps, disabled the service and froze six figures of the stolen funds, denying the attacker an easy laundering route.

StablR said it detected "irregularities" through internal alerts and has frozen all token operations while it investigates with external cybersecurity firms and law enforcement. CEO Gijs op de Weegh said the company is acting "with full transparency." The firm plans to notify the Malta Financial Services Authority under the EU's Digital Operational Resilience Act and MiCA reporting rules.

A MiCA Licence Did Not Prevent This

The most uncomfortable detail is StablR's regulatory status. StablR is a MiCA-compliant electronic money institution, backed by Tether and Kraken, and it crossed €3 billion in transaction volume in the first half of 2025 across more than 50 exchanges. MiCA requires that stablecoins maintain full 1:1 backing, and StablR has now acknowledged its circulating supply does not meet that threshold.

This exposes a real gap in how stablecoin regulation works. MiCA governs reserves, disclosures, redemption rights and consumer protections. It does not audit an issuer's internal key-management or multisig configuration. A company can be fully compliant on paper, holding genuine 1:1 reserves, while securing its minting function with a setup no competent security team would approve. Regulatory compliance verified that StablR's reserves existed. It did nothing to verify that the keys controlling token issuance were properly secured.

The incident fits a clear 2026 pattern. The costliest exploits this year have not come from novel smart contract bugs. They have come from privileged-access, governance and key-management failures at the operational layer, the same category that drove the $280 million Drift Protocol exploit in April. As more regulated issuers bring stablecoins to market under MiCA and the US GENIUS Act, the StablR breach is a warning that a licence and real reserves are necessary but not sufficient. The keys that control issuance have to be secured to the same standard, and right now no regulator is checking that they are.

Disclaimer: Nakamoto Daily provides information for educational and entertainment purposes only. Nothing published here constitutes financial, investment, or trading advice. Readers should conduct their own research and consult a qualified financial adviser before making any investment decisions.