VERSE PRESS

StablR Multisig Failure Lets Attacker Mint $13.5M in Unbacked Stablecoins, Sending USDR Down 60%

An attacker who compromised a single private key on StablR's minting contract printed $13.5 million in face value across two stablecoin contracts on May 24, triggering severe depegs on the Malta-based issuer's euro and dollar stablecoins and raising hard questions about the operational security of MiCA-licensed issuers.

The attacker minted 8.35 million USDR and 4.5 million EURR tokens, a combined face value of roughly $13.5 million, then dumped tokens worth approximately $10.4 million at face value across decentralised exchanges. Because DEX liquidity was thin, slippage reduced the actual proceeds to approximately 1,115 ETH, worth around $2.8 million at the time.

USDR fell as low as $0.40 against its $1.00 peg, a 60% drop. EURR, which tracks the euro at roughly $1.15, fell to $0.85, a decline of about 26%. At the time of the attack, EURR carried a market cap of around $14 million and USDR around $11 million.

On-chain investigator ZachXBT flagged the incident publicly, writing on Telegram: "Two contracts related to European stablecoin issuer StablR appear to have been potentially exploited for approximately $10M (EURR and USDR)." ZachXBT identified the primary attacker wallet as 0xea480c23d7b29a515856aafe0dc86f7519965a04, with seven additional linked wallets. He later reported helping to freeze a low six-figure sum, though the exact amount was not disclosed. StablR had issued no public statement on X as of press time, despite the exploit running for at least three hours.

The vulnerability was not in the smart contract code itself. Blockchain security firm Blockaid characterised the incident as not a smart contract bug but a key management and governance failure.

StablR's minting contract used a 1-of-3 multisig structure, meaning just one of three authorised keys needed to sign any transaction. Once the attacker compromised a single owner key, they added themselves as administrator, removed all existing administrators, and proceeded to mint freely. Industry standards for treasuries of this size typically require a 3-of-5 signing threshold or higher. The attacker funded initial operations through the Cross-Chain Transfer Protocol (CCTP) on the Noble blockchain before bridging to Ethereum.
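The sequence described above (a sub-policy signing threshold, then a new administrator displacing every existing one, then minting) can be monitored for. The following is an added example, not code from StablR, Blockaid or this article: the event names, fields and account labels are hypothetical, and the event log is constructed, with only the mint amounts taken from the article.

```python
# Added example. Event names, fields and account labels are hypothetical;
# the log is constructed (mint amounts taken from the article).
MIN_THRESHOLD, MIN_OWNERS = 3, 5  # policy floor cited in the article: 3-of-5

def audit_quorum(threshold, owners):
    """Return findings for an m-of-n signer configuration."""
    findings = []
    if threshold < MIN_THRESHOLD or len(owners) < MIN_OWNERS:
        findings.append(f"weak quorum {threshold}-of-{len(owners)}")
    if threshold == 1:
        findings.append("any single key can authorise a transaction")
    return findings

def detect_takeover(events, initial_admins):
    """Replay admin and mint events in order and return (block, alert) pairs."""
    original, admins, alerts = set(initial_admins), set(initial_admins), []
    for ev in events:
        who = ev["account"]
        if ev["event"] == "AdminAdded":
            admins.add(who)
            if who not in original:
                alerts.append((ev["block"], f"new admin {who}"))
        elif ev["event"] == "AdminRemoved":
            admins.discard(who)
            if admins and not admins & original:
                alerts.append((ev["block"], "all original admins removed"))
        elif ev["event"] == "Mint" and who not in original:
            alerts.append((ev["block"], f"mint {ev['amount']} by new admin {who}"))
    return alerts

OWNERS = ["owner_a", "owner_b", "owner_c"]
SAMPLE_EVENTS = [  # constructed
    {"block": 100, "event": "AdminAdded", "account": "acct_x"},
    {"block": 101, "event": "AdminRemoved", "account": "owner_a"},
    {"block": 102, "event": "AdminRemoved", "account": "owner_b"},
    {"block": 103, "event": "AdminRemoved", "account": "owner_c"},
    {"block": 104, "event": "Mint", "account": "acct_x", "amount": 8_350_000},
    {"block": 105, "event": "Mint", "account": "acct_x", "amount": 4_500_000},
]

if __name__ == "__main__":
    print(audit_quorum(1, OWNERS))
    for block, alert in detect_takeover(SAMPLE_EVENTS, OWNERS):
        print(block, alert)
```

Alerting on the first `AdminAdded` for an account outside the known set gives the earliest signal, before any removal or mint occurs.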

StablR is no minor project. The Malta-headquartered issuer holds an Electronic Money Institution licence from the Malta Financial Services Authority, obtained in July 2024, and operates under the EU's MiCA framework for crypto assets. Tether took a significant equity stake in the company in December 2024, backing EURR and USDR as part of its European expansion after regulatory pressure forced Tether to suspend its own euro-pegged token. StablR also uses Tether's Hadron platform for compliance tooling including KYC and AML processes. EURR had processed over 3 billion euros in transaction volume in the first half of 2025 and was listed on Kraken, Bitfinex, Bybit, HTX, and more than 50 other exchanges.

The incident carries practical implications well beyond Europe. Dollar-pegged stablecoins like USDR have become embedded in remittance corridors connecting European diaspora communities to West Africa and South Asia. Nigeria alone processed roughly $26 billion in stablecoin transaction volume in 2024, according to the Transak Africa Fintech Report 2026, and accounts for 40% of stablecoin inflows across Sub-Saharan Africa, according to TRM Labs. Stablecoins now represent more than 60% of crypto-based remittance flows into the region, per TRM Labs data. Any user or business holding USDR during the depeg took direct losses and, based on current information, has limited recourse.

Beyond spot losses, IMF research published in 2026 found that a 1% increase in net stablecoin inflows raises parity deviations by 40 basis points and can depreciate local currencies in markets with restricted foreign exchange access, including Nigeria and Pakistan.

Projects that integrated StablR tokens as collateral or liquidity, including those in the Concordium ecosystem following a September 2025 integration, may face impairment risk. The extent of any exposure has not yet been confirmed and warrants further reporting before firmer conclusions can be drawn.

The exploit also undermines a key sales pitch that StablR and its peers have made to payment aggregators and fintech builders in emerging markets: that MiCA licensing signals a higher tier of operational safety. It does not, at least not automatically. A licensed, Tether-backed issuer with compliance tooling in place still ran its minting contract with a single-signature threshold on a three-key multisig.

For regulators in Pakistan, which launched a stablecoin sandbox in late 2025, and in Nigeria, where the SEC has been building a crypto asset framework, this incident is likely to sharpen demands for mandatory security standards tied to any foreign stablecoin seeking access to local payment corridors.

The StablR breach follows a pattern that has defined the first half of 2026. DeFi lost more than $600 million in the first three weeks of April alone, across incidents with varied attack vectors. Resolv's USR stablecoin suffered a near-identical attack in which 80 million unbacked tokens were minted and roughly $25 million extracted. The Drift Protocol exploit in April was also linked to compromised multisig signers. Compromised key management has emerged as a recurring attack vector, yet the sector has not treated it as the infrastructure-level problem it is. Until it does, regulatory licensing and brand backing will continue to offer users less protection than they assume.