A Hacker Printed $13.5M in Fake Euros and Dollars — and Europe's Flagship Stablecoin Law Couldn't Stop It
One key. That’s all it took to print $13.5 million in counterfeit stablecoins.
Not a zero-day. Not a reentrancy bug. Not a $50M audit and a 200-page security report that missed something. Just one compromised private key in a wallet configured so sloppily that any single signer could act alone — and a hacker who knew exactly where to look.
StablR, the Malta-based issuer of USDR and EURR, was exploited this week. The attacker minted 8.35 million USDR and 4.5 million EURR — tokens with a combined face value of $13.5 million — then dumped them on decentralized exchanges, pocketing roughly $2.8 million in real ETH before the peg collapsed under the selling pressure.
Both stablecoins are now frozen. USDR depegged as low as $0.63. EURR, which is supposed to track the euro at ~$1.16, cratered to $0.55.
And here’s the kicker: StablR is supposed to be MiCA-compliant. Europe’s landmark stablecoin law — held up as the regulatory gold standard the world should copy — just watched one of its flagship issuers get obliterated by a 1-of-3 multisig.
What Actually Happened
Security firm GoPlus identified the root cause almost immediately: StablR’s Ethereum minting wallet was protected by a multisignature scheme with a 1-of-3 threshold. That means any one of three keyholders could approve and execute a transaction entirely on their own, with zero additional sign-off.
The attacker compromised one key. That was enough.
Once inside, the sequence was surgical:
- Add themselves as an administrator on the minting contract
- Remove the existing legitimate signers
- Mint 8.35M USDR and 4.5M EURR — $13.5M face value in unbacked tokens
- Dump everything across DEX liquidity pools
- Walk away with 1,115 ETH ($2.8M) before slippage ate the rest
The market cap of USDR at the time of the attack was ~$20M. The market cap of EURR was ~$10M. The attacker didn’t just drain the protocol — they flooded it with fake supply equal to nearly half the real float.
Blockaid, another blockchain security firm, framed it bluntly: this was not a smart contract flaw. This was an access control failure. The code did exactly what it was told. The problem was who was doing the telling.
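The two controls this failure points to, as an added example (not code from StablR, GoPlus or Blockaid): a threshold audit for wallets holding privileged roles, and a monitor that flags a large mint shortly after a signer or admin change. Role names, event labels, the wallet name, timestamps and the 20M supply figure (taken from the ~$20M market cap) are assumptions.

```python
from dataclasses import dataclass

CRITICAL_ROLES = frozenset({"minter", "admin"})    # assumed role names
CHANGE_EVENTS = {"admin_added", "signer_removed"}  # assumed event labels

@dataclass(frozen=True)
class Multisig:
    name: str
    threshold: int        # signatures required to execute (m)
    signers: frozenset    # current signer set (n = len(signers))
    roles: frozenset      # privileges this wallet holds on the token

def audit_threshold(wallet, min_threshold=2):
    """Return findings for privileged wallets that a single key can drive."""
    held = sorted(wallet.roles & CRITICAL_ROLES)
    if held and wallet.threshold < min_threshold:
        return [f"{wallet.name}: {wallet.threshold}-of-{len(wallet.signers)} "
                f"controls {held}; one compromised key is enough"]
    return []

def detect_takeover_mint(events, supply, window=3600, max_ratio=0.05):
    """Flag mints above max_ratio of supply within `window` seconds of a signer/admin change."""
    alerts, last_change = [], None
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] in CHANGE_EVENTS:
            last_change = ev
        elif ev["type"] == "mint":
            recent = last_change is not None and ev["ts"] - last_change["ts"] <= window
            if recent and ev["amount"] > max_ratio * supply:
                alerts.append({"ts": ev["ts"], "amount": ev["amount"],
                               "ratio": round(ev["amount"] / supply, 4),
                               "after": last_change["type"]})
            supply += ev["amount"]  # track running supply for later ratios
    return alerts

# Constructed sample: timestamps, actor labels and the 20M supply are illustrative.
WALLET = Multisig("usdr-minter", 1, frozenset({"k1", "k2", "k3"}), frozenset({"minter"}))
EVENTS = [
    {"ts": 1000, "type": "mint", "amount": 50_000},        # routine issuance
    {"ts": 5000, "type": "admin_added", "actor": "k2"},
    {"ts": 5060, "type": "signer_removed", "actor": "k2"},
    {"ts": 5120, "type": "mint", "amount": 8_350_000},     # amount from the article
]

if __name__ == "__main__":
    print(audit_threshold(WALLET))
    print(detect_takeover_mint(EVENTS, supply=20_000_000))
```

The audit is the preventive check; the monitor only helps if an alert can trigger a pause before the minted tokens reach liquidity pools.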
The MiCA Irony
The timing and context here are brutal for European regulators.
MiCA — the EU’s Markets in Crypto-Assets regulation — came into full force in 2024 and is routinely cited as the global benchmark for stablecoin oversight. Its requirements for issuers include reserve attestations, licensing, consumer protections, and operational resilience standards under the Digital Operational Resilience Act (DORA).
StablR was operating under this framework. It is licensed in Malta, the jurisdiction that handles MiCA approvals for many EU crypto companies. CEO Gijs op de Weegh confirmed the company is notifying Malta’s financial regulator and says it is acting “with full transparency.”
That’s the right move. But it doesn’t change the outcome: a MiCA-licensed stablecoin issuer got owned because their minting contract used a 1-of-3 signature threshold.
MiCA mandates operational resilience. It does not, apparently, mandate that you need more than one person to print unlimited money.
Rubbing salt in the wound: StablR had not published a fresh reserve audit in 2026. The most recent reserve data visible to the market was from Q4 2025. The team had also gone two months without a public communication update before the exploit forced their hand.
The Numbers
| Metric | Value |
|---|---|
| USDR minted (unbacked) | 8.35 million |
| EURR minted (unbacked) | 4.5 million |
| Total face value of unbacked tokens | ~$13.5 million |
| Attacker’s actual profit | ~$2.8M (1,115 ETH) |
| USDR depeg low | $0.63 (37% below peg) |
| EURR depeg low | ~$0.55 (53% below euro parity) |
| USDR market cap at attack | ~$20M |
| EURR market cap at attack | ~$10M |
What Happens Now
StablR has suspended all minting and redemption for both USDR and EURR. The company has asked exchanges to halt trading, deposits, and withdrawals on both tokens.
Under MiCA and DORA, StablR is obligated to notify regulators, bring in external cybersecurity firms, and cooperate with law enforcement. That process is now underway.
Whether USDR and EURR ever re-peg is a confidence question, not a technical one. The attacker’s tokens are out in the wild. The circulating supply is poisoned with unbacked units. Restoring trust after a freeze requires independent audits, re-collateralization, and a credible explanation for why a 1-of-3 minting wallet was ever acceptable in production.
None of that happens fast.
Why This Matters for Crypto Jobs
The StablR hack is going to move headcount across the entire stablecoin industry — both in the short term and structurally.
Smart contract security engineers are about to get very expensive phone calls. Every regulated stablecoin issuer is re-examining their multisig configurations right now. The question “do we have a 1-of-3 anywhere critical?” is being asked in Slack channels from Amsterdam to Singapore. The engineers who can audit, harden, and certify smart contract access control are the ones getting hired.
Protocol security roles — often undervalued relative to product engineers — are suddenly front-page priority. MiCA compliance teams are realizing that DORA’s operational resilience requirements have teeth, and “we had an audit in 2024” isn’t going to hold up under regulatory scrutiny.
Stablecoin infrastructure engineers with experience in reserve management, on-chain attestation, and incident response are in demand across both crypto-native issuers and the TradFi banks now building their own stablecoin products. The GENIUS Act just passed the US Senate. Every institution exploring dollar-pegged tokens needs people who understand what just happened to StablR — and how to make sure it never happens to them.
Compliance and regulatory affairs roles are multiplying. The post-MiCA compliance burden just got heavier. Every EU-licensed issuer needs legal teams who understand their notification obligations and can interface with national regulators under crisis conditions.
The lesson isn’t “stablecoins are unsafe.” The lesson is: multi-signature wallet hygiene, access control audits, and operational security are now table-stakes for any regulated issuer — and the people who can deliver that are worth a lot right now.