A Malta-based stablecoin issuer operating under the EU's MiCA framework suffered a critical security breach on May 24, 2026, when an attacker exploited a single-point-of-failure in its minting infrastructure to produce $13.5 million in tokens with no backing — marking the first known exploit of a MiCA-regulated stablecoin issuer and triggering a live regulator notification.
StablR, which issues USDR and EURR as euro- and dollar-pegged e-money tokens authorized by the Malta Financial Services Authority, disclosed the incident publicly on May 26 after on-chain investigator ZachXBT flagged suspicious minting activity on X over the weekend. The company froze all minting and redemption for both tokens, asked exchanges to halt trading and deposits, and acknowledged that circulating supply is "currently not fully backed at the 1:1 ratio required under MiCAR."
How the attack worked. Blockchain security firm GoPlus Security identified the structural failure: StablR's Ethereum minting wallet was configured with a 1-of-3 multisig threshold, meaning any single authorized key could approve a transaction unilaterally. The attacker compromised one key, used it to add themselves as an administrator, removed the three legitimate signers, and then minted approximately 8.35 million USDR and 4.5 million EURR — roughly $13.5 million at peg. The design effectively eliminated any meaningful approval requirement, reducing what should be a multi-party control into a single point of compromise.
What they actually made. The $13.5 million in newly minted tokens couldn't be offloaded at face value. Thin DEX liquidity meant the attacker realized approximately $2.8 million after selling into the market, with price impact absorbing the rest. That $10.7 million gap reflects the real cost of the attack to StablR's remaining liquidity pool rather than to the attacker.
Token damage. USDR briefly lost 50% of its peg before partially recovering; it was trading at $0.994 as of May 26. EURR fared worse — it fell to $0.548 against a euro value of approximately $1.16 at the time of writing, a deviation of more than 50 cents on a coin that is supposed to track a single euro. USDR carries a $20 million market cap; EURR, $10 million, per CoinGecko.
Regulatory exposure. The compliance dimension is direct and immediate. As a MiCA-authorized e-money token issuer, StablR is legally required to maintain 1:1 backing — a requirement the company has now publicly acknowledged it cannot meet. The company said it will notify the MFSA of a "Major ICT-Related Incident" under DORA and submit the required notifications under MiCA "at the earliest opportunity." Law enforcement has been engaged and external cybersecurity specialists retained for a forensic investigation.
The incident is the first public test of MiCA's incident-reporting machinery against an actual issuer breach. Whether the regulation's framework — which mandates timely notification but provides limited immediate remediation powers — can protect token holders in a live under-collateralization event is now a live question for both the MFSA and the broader European crypto regulatory apparatus.
StablR CEO Gijs op de Weegh said the company is acting "with full transparency." The board has convened; further disclosures are expected as the forensic investigation proceeds.
Sources: StablR official statement (stablr.com); CoinDesk, May 26, 2026; GoPlus Security on X (@GoPlusSecurity); ZachXBT on X.