StablR Hack 2026 — $3M Exploit Analysis

Weak 1-of-3 multisig allowed attacker to mint $10.4M+ in unbacked stablecoins, extracting $2.8M

Details

Full Description

On May 24, 2026, StablR, a European stablecoin issuer backed by Tether, suffered an exploit after attackers compromised a single private key in a 1-of-3 minting multisig. The attacker added their address as an authorized signer, removed legitimate signers, and minted 8.35 million USDR and 4.5 million EURR — unbacked tokens with a face value of $10.4-13.5 million. The attacker then swapped tokens on DEXes, extracting just 1,115 ETH (~$2.8 million) due to thin liquidity. Both EURR and USDR depegged by more than 20%. StablR froze minting and redemption, and the circulating supply was not fully backed at the 1:1 ratio required by MiCA.

Laundering Analysis

The attacker dumped minted stablecoins across decentralized exchanges, extracting 1,115 ETH (~$2.8M). Portions of illegally minted EURR and USDR were transferred to different exchanges including ChangeNOW, Kraken, Huobi, and WhiteBIT. A small portion entered Tornado Cash mixer. The attacker could not extract full face value due to thin DEX liquidity. Both stablecoins depegged severely, with USDR dropping 30% and EURR 23%.

Sources

Related Hacks

Back to Browse