StablR Stablecoin Hack Investigation Report
Date: May 27, 2026
Event: StablR EURR/USDR Stablecoin Admin Key Attack
Attack Time: May 24, 2026
Investigator: Onchain Shadow
Executive Summary
MiCA-compliant stablecoin issuer StablR suffered a major security incident. Attackers compromised a 1-of-3 multisig private key, obtained minting permissions, and minted approximately $13.5 million in unbacked stablecoins (8.35M USDR + 4.5M EURR), cashing out approximately $2.8 million (1,115 ETH) through DEX dumping.
Core Irony: StablR holds a Maltese Financial Regulator license, claims MiCA compliance, but minting permissions were protected by only a 1-of-3 multisig—one private key compromised and the entire system fell.
Key Metrics
| Metric | Value |
|---|---|
| Fake Token Face Value | ~$13.5M (8.35M USDR + 4.5M EURR) |
| Actual Cash-Out Amount | ~$2.8M (1,115 ETH) |
| EURR Depeg Extent | -23% ($1.15 → $0.88) |
| USDR Depeg Extent | -30% ($1.00 → $0.40 low) |
| Multisig Configuration | 1-of-3 (one signature suffices) |
| Attack Duration | >3 hours (slow team response) |
Attacker Addresses
| Role | Address | Notes |
|---|---|---|
| Primary Attack Wallet | 0xD4677B5A8B1b97EA213Fdb876b0FcBAB3f9F6CD1 |
Added as multisig owner, then executed minting |
| Secondary Wallet | 0x482aC1a69A41e7657DE6B420B7346FB09DA09115 |
Replaced original compromised owner |
| Tertiary Wallet | 0xbC631Daf86611f32FAA63E7EC8c9c9571F2F5BB3 |
Replaced legitimate owner |
| Compromised Owner | 0xC73fD562de86d7860EE636C20813Bcb2cF4D550d |
Private key stolen |
| ZachXBT Tagged Address 1 | 0xea480c23d7b29a515856aafe0dc86f7519965a04 |
Via CCTP/Noble deposit |
| ZachXBT Tagged Address 2 | 0x09BE1A36c2d7f9909eb3D6F9184c6e46A12B0ACA |
Associated address |
| ZachXBT Tagged Address 3 | 0x6283558eB6948CA50A2bE942D98A41ca4d1Def40 |
Associated address |
| ZachXBT Tagged Address 4 | 0xf1f70d7461356f32b97ddc2cd54a490d4363340e |
Associated address |
| ZachXBT Tagged Address 5 | 0x74b4621b82eb31c5fd9fbad5729bef1813e26dcf |
Associated address |
| ZachXBT Tagged Address 6 | 0x8aaa93d06bf8de94c282f66a16effe6d9d94d038 |
Associated address |
| ZachXBT Tagged Address 7 | 0x5D2184d84b82B67c1818Bbec8ce81E7Df14F6bAb |
Associated address |
Affected Contracts
| Contract | Address |
|---|---|
| USDR Token | 0x7B43E3875440B44613DC3bC08E7763e6Da63C8f8 |
| EURR Token | 0x50753CfAf86c094925Bf976f218D043f8791e408 |
| Multisig Wallet | 0xF45392bd2D6e6b8C5Dc26BA6c8a12889419B82F3 |
Key Transaction Hashes
| Transaction | Hash | Description |
|---|---|---|
| Ownership Change 1 | 0x1f8a6764f66bb5a2438dc62f89bfe52080dbca782444c3757dbf1e1ce3a11bec |
Attacker replaced legitimate owner |
| Ownership Change 2 | 0xde5bc3b7b80576f894fbc7e2c8fea5f8829503bae75dcf30a27725cd95a05f16 |
Attacker replaced original compromised owner |
| Minting Transaction | 0xa720...24ed |
Minted USDR/EURR |
Attack Timeline (UTC)
| Time | Event |
|---|---|
| Before 5/24 | Attacker deposited funds to wallet via CCTP/Noble |
| 5/24 Attack Start | Attacker used compromised private key to operate multisig |
| Step 1 | Added 0xD467...6CD1 as multisig new owner |
| Step 2 | Replaced legitimate owner 0xD4b6...aD40 → 0xbC63...5BB3
|
| Step 3 | Replaced compromised owner 0xC73f...550d → 0x482a...9115
|
| Step 4 | Minted 8.35M USDR + 4.5M EURR via 0xD467...6CD1
|
| Step 5 | Dumped on Uniswap and other DEXs for ETH |
| Step 6 | Used admin privileges to blacklist/burn 2.7M EURR from legitimate users |
| 3+ hours | StablR team unresponsive; ZachXBT helped freeze 6-figure funds |
| 8 hours later | Attack stopped; StablR issued statement |
Technical Analysis
Root Cause: 1-of-3 Multisig = Single Point of Failure
StablR's minting multisig was configured at 1-of-3 threshold, meaning any 1 of 3 signers could authorize transactions. This degraded the entire stablecoin system's security to a single private key.
Comparison:
- Harmony Horizon Bridge (2022, $100M hack): At least 2-of-5
- Industry Standard: 2-of-3 or 3-of-5 + hardware wallets + geographic distribution
- StablR: 1-of-3 — weaker than a bridge hacked two years ago
Attack Method Breakdown
-
Key Acquisition: Attacker obtained private key of owner
0xC73f...550d(method undisclosed; possible phishing/malware/supply chain attack) -
Permission Takeover: Using 1-of-3 threshold, just one signature enabled:
- Adding attacker address as new owner
- Removing legitimate owners
- Obtaining 100% multisig control
- Unlimited Minting: Called mint function via compromised multisig
- DEX Cash-Out: Dumped newly minted tokens on Uniswap and other DEXs; shallow liquidity pools resulted in significant discounts
- Countering Legitimate Users: Used admin privileges to blacklist+burn legitimate user tokens, preventing redemption
Why Only $2.8M Cash-Out from $13.5M Face Value?
- USDR/EURR DEX liquidity pools extremely shallow (EURR market cap only $14M; USDR market cap $11M)
- Large dumps caused massive slippage
- Depeg triggered panic selling, further deteriorating prices
Background & Impact
Who is StablR?
- Malta-registered EMI (Electronic Money Institution) license holder
- Uses Tether's Hadron tokenization infrastructure
- Received Tether strategic investment in December 2024
- Received Kraken investment in July 2025
- Claims EURR/USDR trading volume exceeded €3 billion in H1 2025
- MiCA compliant; reserve funds held in segregated accounts
2026 DeFi Attack Pattern Shift
According to DefiLlama data:
- 70%+ of 2026 large DeFi losses stem from key/management permission theft, not smart contract vulnerabilities
- April single month lost $634 million across 28+ incidents, worst month on record
- LayerZero bridge exploits (18%), admin key theft (16%), fake tokens (14%), private key leaks (11%)
- This case belongs to the same attack pattern as Echo Protocol and Drift Protocol
Irony of European Stablecoin Regulation
- Attack occurred as ECB pushed for tighter euro stablecoin liquidity rules
- ECB President Lagarde just stated euro stablecoins pose potential financial stability risks
- EURR accounts for only 0.24% of Ethereum fiat stablecoin total
- MiCA compliance ≠ Technical Security
Pending Deep Investigation Areas
- Attacker Identity Tracing: Trace KYC information at CCTP/Noble deposit source
- Compromised Key Acquisition Method: Phishing/insider/supply chain?
- ZachXBT's 7 Tagged Associated Addresses: Complete fund flow mapping
- Burned 2.7M EURR: Whose assets were destroyed? Legal consequences?
- Tether/Kraken Investor Responsibility: Did they conduct adequate technical due diligence?
- Fund Freeze Progress: Was 6-figure freeze successful? Where did remaining funds go?
Data Sources
- BeInCrypto - Echo Protocol Hack Autopsy
- Cointelegraph - StablR EURR USDR depeg
- CryptoCompass - StablR Technical Analysis
- CryptoWisser - StablR Stablecoins Lose Peg
- Blockonomi - ZachXBT Flags StablR Exploit
- ZachXBT Telegram/X posts (May 24, 2026)
- Blockaid real-time exploit detection
Investigator: Onchain Shadow
Disclaimer: This report is based on publicly available on-chain data and media reports for security research purposes only.
🔒 Protect Your Crypto with ChainSentinel
ChainSentinel — AI-powered on-chain risk intelligence platform:
- Real-time Risk Scanning — Check any address for rug pulls, phishing, and exploit risks
- Multi-Chain Monitoring — Ethereum, BSC, and more
- AI-Powered Analysis — Gemini-driven risk engine
👉 Try ChainSentinel Free | Pro Plan - $29/month
Stay safe on-chain. Get alerts before the next exploit.
Top comments (0)