
Can MiCA Prevent Multisig Hacks? StablR’s $10M Exploit Exposes the Gap

StablR holds an EMI license from Malta's MFSA, operates under MiCA, and is backed by Tether and Kraken — yet its minting infrastructure used a weaker multisig setup.

Written By:
Dhara Chavda

Last updated: 50 minutes ago
Published 50 minutes ago

StablR, Malta-headquartered, EMI-licensed, MiCA-regulated and backed by both Tether and Kraken, was supposed to be a poster child for Europe’s regulated stablecoin future. Instead, it has become the latest protocol drained through one of the most preventable attack vectors in crypto.

Onchain investigator ZachXBT flagged the exploit first, posting to his investigations channel that two contracts tied to StablR’s euro-pegged EURR and dollar-pegged USDR appeared compromised. He identified the attacker’s primary wallet (0xea480c23d7b29a515856aafe0dc86f7519965a04), noted it had been funded via the Cross-Chain Transfer Protocol (CCTP) on Noble, and listed seven additional addresses linked to the same incident.

The mechanics were blunt. Blockchain security firm Blockaid attributed the breach to a compromised private key tied to StablR’s minting multisig—not a smart contract vulnerability. The multisig operated under a 1-of-3 threshold. One key was enough. The attacker added their own address as an owner, removed the two legitimate signers, then minted 8.35 million USDR and 4.5 million EURR — roughly $10.4 million in unbacked tokens at peg.

Suspected Root cause: Private key compromise of a minting multisig owner.

The @StablREuro minting multisig had a 1-of-3 threshold – a single compromised key was enough for full control. The attacker:

1. Added themselves as owner
2. Replaced the other 2 legitimate owners
3.…

— Blockaid (@blockaid_) May 24, 2026

EURR fell approximately 39% to $0.7. USDR crashed to as low as $0.40. Thin DEX liquidity limited the attacker’s actual haul to roughly 1,115–1,488 ETH ($2.8M–$3.15M), but the reputational damage extends far beyond the dollar figure.

Blockaid’s follow-up was direct: “This is not a smart contract bug — it’s a key management and governance failure.”
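
The sequence described above (owner added, legitimate owners removed, then minting) is something a monitor can flag from governance events alone. The following Python is an added example, not code from StablR, Blockaid or this article; the event names, policy constants and placeholder addresses are assumptions, and the event log is constructed.

```python
from dataclasses import dataclass, field

MIN_THRESHOLD = 2   # assumed policy floor: no single key may act alone
WINDOW = 3600       # assumed: seconds after an owner change in which a mint is suspicious

@dataclass
class Multisig:
    owners: set
    threshold: int
    approved: frozenset = field(init=False)  # owner set approved out of band
    last_change: int = -1                    # timestamp of last owner change

    def __post_init__(self):
        self.approved = frozenset(self.owners)

def replay(msig, events):
    """Apply governance events in time order and return (ts, alert) tuples."""
    alerts = []
    if msig.threshold < MIN_THRESHOLD:
        alerts.append((0, f"weak-config {msig.threshold}-of-{len(msig.owners)}"))
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, kind = ev["ts"], ev["type"]
        if kind == "owner_added":
            msig.owners.add(ev["owner"])
            msig.last_change = ts
            # Owners never approved out of band can now reach the threshold.
            if len(msig.owners - msig.approved) >= msig.threshold:
                alerts.append((ts, "unapproved-quorum"))
        elif kind == "owner_removed":
            msig.owners.discard(ev["owner"])
            msig.last_change = ts
            if ev["owner"] in msig.approved:
                left = len(msig.owners & msig.approved)
                alerts.append((ts, f"approved-owner-removed remaining={left}"))
        elif kind == "mint" and msig.last_change >= 0 and ts - msig.last_change <= WINDOW:
            alerts.append((ts, f"mint-after-change {ev['amount']} {ev['token']}"))
    return alerts

# Constructed log mirroring the reported sequence: placeholder addresses and
# made-up timestamps; the mint amounts are the figures quoted in the article.
SAMPLE = [
    {"ts": 100, "type": "owner_added", "owner": "0xATTACKER_PLACEHOLDER"},
    {"ts": 160, "type": "owner_removed", "owner": "0xOWNER_A"},
    {"ts": 220, "type": "owner_removed", "owner": "0xOWNER_B"},
    {"ts": 400, "type": "mint", "token": "USDR", "amount": 8_350_000},
    {"ts": 460, "type": "mint", "token": "EURR", "amount": 4_500_000},
]

def demo():
    msig = Multisig({"0xOWNER_A", "0xOWNER_B", "0xOWNER_C"}, threshold=1)
    return replay(msig, SAMPLE)
```

With a 1-of-3 threshold the first alert fires before any event is replayed, and the "unapproved-quorum" alert fires on the very first owner change, well ahead of the mints.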

ZachXBT Steps In, StablR Stays Silent

About two hours after his initial alert, ZachXBT posted that he had helped freeze six figures in stolen funds. He then noted the StablR team appeared to be “asleep” while the attack continued for over three hours after being publicly flagged.

StablR acknowledged the exploit — roughly eight hours after onchain activity on the affected contracts had stopped. The company said it had “identified an exploit affecting the protocol” and was working to contain the impact. No recovery plan has been announced at the time of publication.

What MiCA Actually Covers — and What It Doesn’t

This is where the story gets uncomfortable for European regulators.

StablR checked every box the EU’s Markets in Crypto-Assets Regulation asks stablecoin issuers to check. It holds an Electronic Money Institution (EMI) license from the Malta Financial Services Authority (MFSA). It issues tokens backed by fiat and short-term government bonds in segregated accounts. It publishes a whitepaper. It raised €3.3 million in seed funding from Deribit, Maven 11, Theta Capital, Folkvang, and Blocktech, then secured strategic investments from Tether (December 2024) and Kraken (July 2025). By July 2025, it reported €3 billion in transaction volume across 50+ exchanges and 150+ trading pairs.

None of that prevented a 1-of-3 multisig from being the single point of failure controlling its entire minting infrastructure.

MiCA’s requirements for EMT issuers are heavy on reserves, disclosures, redemption rights, and AML/KYC obligations. It mandates governance structures and “operational resilience.” But the regulation does not prescribe specific technical standards for private key management, multisig thresholds, or onchain access controls. It does not require a minimum number of signers on a minting contract. It does not audit the security architecture that stands between a compromised key and unbacked token issuance.

The EU’s Digital Operational Resilience Act (DORA), which became applicable in January 2025, is supposed to complement MiCA by addressing ICT risk management and cybersecurity for financial entities, including CASPs. But DORA’s framework is designed around traditional IT resilience — incident reporting, business continuity, third-party risk management—not the specific attack surface of onchain governance. A 1-of-3 multisig on a minting contract is not the kind of vulnerability DORA was built to catch.

For context: Harmony’s Horizon bridge used a 2-of-5 multisig before being drained for $100 million in 2022. Security analysts had already characterized that setup as insufficient at the time. StablR’s 1-of-3 configuration was objectively weaker — and this was a licensed, regulated issuer operating in 2026.

A Pattern That’s Bigger Than StablR

The exploit fits a recurring 2026 pattern. The costliest incidents this year have not been driven by novel smart contract bugs. They have been driven by privileged-access, key-management, and governance failures at the operational layer.

The $280 million Drift Protocol exploit in April — which also routed proceeds through Circle’s CCTP — was attributed to compromised administrative access. The $80 million Resolv Labs USR exploit in March used near-identical mechanics: a single insufficiently protected key enabling unauthorized minting at scale. MAP Protocol, Echo Protocol, THORChain, and Verus Bridge have all suffered exploits tied to private or admin-key access in the past two months alone.

April was the most-hacked month in crypto history by incident count, according to DefiLlama. May is continuing the trend.

The industry has gotten significantly better at auditing smart contract code. What it has not gotten better at — and what MiCA does not meaningfully address — is the operational security layer that sits between the code and the humans who control it.

The Bigger Problem for Europe’s Stablecoin Ambitions

StablR was not a random DeFi experiment. It was Tether’s strategic proxy in Europe after Tether wound down its own euro stablecoin, EURT, ahead of MiCA’s December 2024 deadline. Kraken’s investment further validated StablR’s position as a key piece of Europe’s regulated stablecoin infrastructure. The company uses Tether’s Hadron tokenization platform and had been actively pitching itself to institutional and enterprise clients.

That positioning makes the 1-of-3 multisig choice harder to explain and harder for regulators to dismiss. If a company at the center of Tether’s European strategy, listed on 50+ exchanges, processing billions in volume, can secure its minting function with the weakest possible multisig configuration — and still maintain full regulatory standing — the framework has a gap.

The question for European regulators is no longer hypothetical. MiCA was built to prevent the next Terra/LUNA. It was not built to prevent the next StablR. Whether the MFSA, ESMA, or the EBA moves to address that gap — by mandating minimum key management standards, requiring third-party security audits of onchain governance architecture, or tightening operational resilience requirements under DORA — will determine whether MiCA remains a reserves-and-disclosure framework or evolves into something that actually covers the full risk surface of stablecoin issuance.
