← All Reports

StablR Exploit Investigation: Stablecoin Depegging Attack

📅 2025-05-27

stablecoin depeg exploit

StablR Stablecoin Hack Investigation Report

Date: May 27, 2026

Event: StablR EURR/USDR Stablecoin Admin Key Attack

Attack Time: May 24, 2026

Investigator: Onchain Shadow

Executive Summary

MiCA-compliant stablecoin issuer StablR suffered a major security incident. Attackers compromised a 1-of-3 multisig private key, obtained minting permissions, and minted approximately $13.5 million in unbacked stablecoins (8.35M USDR + 4.5M EURR), cashing out approximately $2.8 million (1,115 ETH) through DEX dumping.

Core Irony: StablR holds a Maltese Financial Regulator license, claims MiCA compliance, but minting permissions were protected by only a 1-of-3 multisig—one private key compromised and the entire system fell.

Key Metrics

| Metric | Value |

|--------|-------|

| Fake Token Face Value | ~$13.5M (8.35M USDR + 4.5M EURR) |

| Actual Cash-Out Amount | ~$2.8M (1,115 ETH) |

| EURR Depeg Extent | -23% ($1.15 → $0.88) |

| USDR Depeg Extent | -30% ($1.00 → $0.40 low) |

| Multisig Configuration | 1-of-3 (one signature suffices) |

| Attack Duration | >3 hours (slow team response) |

Attacker Addresses

| Role | Address | Notes |

|------|---------|-------|

| Primary Attack Wallet | 0xD4677B5A8B1b97EA213Fdb876b0FcBAB3f9F6CD1 | Added as multisig owner, then executed minting |

| Secondary Wallet | 0x482aC1a69A41e7657DE6B420B7346FB09DA09115 | Replaced original compromised owner |

| Tertiary Wallet | 0xbC631Daf86611f32FAA63E7EC8c9c9571F2F5BB3 | Replaced legitimate owner |

| Compromised Owner | 0xC73fD562de86d7860EE636C20813Bcb2cF4D550d | Private key stolen |

| ZachXBT Tagged Address 1 | 0xea480c23d7b29a515856aafe0dc86f7519965a04 | Via CCTP/Noble deposit |

| ZachXBT Tagged Address 2 | 0x09BE1A36c2d7f9909eb3D6F9184c6e46A12B0ACA | Associated address |

| ZachXBT Tagged Address 3 | 0x6283558eB6948CA50A2bE942D98A41ca4d1Def40 | Associated address |

| ZachXBT Tagged Address 4 | 0xf1f70d7461356f32b97ddc2cd54a490d4363340e | Associated address |

| ZachXBT Tagged Address 5 | 0x74b4621b82eb31c5fd9fbad5729bef1813e26dcf | Associated address |

| ZachXBT Tagged Address 6 | 0x8aaa93d06bf8de94c282f66a16effe6d9d94d038 | Associated address |

| ZachXBT Tagged Address 7 | 0x5D2184d84b82B67c1818Bbec8ce81E7Df14F6bAb | Associated address |

Affected Contracts

| Contract | Address |

|----------|---------|

| USDR Token | 0x7B43E3875440B44613DC3bC08E7763e6Da63C8f8 |

| EURR Token | 0x50753CfAf86c094925Bf976f218D043f8791e408 |

| Multisig Wallet | 0xF45392bd2D6e6b8C5Dc26BA6c8a12889419B82F3 |

Key Transaction Hashes

| Transaction | Hash | Description |

|-------------|------|-------------|

| Ownership Change 1 | 0x1f8a6764f66bb5a2438dc62f89bfe52080dbca782444c3757dbf1e1ce3a11bec | Attacker replaced legitimate owner |

| Ownership Change 2 | 0xde5bc3b7b80576f894fbc7e2c8fea5f8829503bae75dcf30a27725cd95a05f16 | Attacker replaced original compromised owner |

| Minting Transaction | 0xa720...24ed | Minted USDR/EURR |

Attack Timeline (UTC)

| Time | Event |

|------|-------|

| Before 5/24 | Attacker deposited funds to wallet via CCTP/Noble |

| 5/24 Attack Start | Attacker used compromised private key to operate multisig |

| Step 1 | Added 0xD467...6CD1 as multisig new owner |

| Step 2 | Replaced legitimate owner 0xD4b6...aD40 → 0xbC63...5BB3 |

| Step 3 | Replaced compromised owner 0xC73f...550d → 0x482a...9115 |

| Step 4 | Minted 8.35M USDR + 4.5M EURR via 0xD467...6CD1 |

| Step 5 | Dumped on Uniswap and other DEXs for ETH |

| Step 6 | Used admin privileges to blacklist/burn 2.7M EURR from legitimate users |

| 3+ hours | StablR team unresponsive; ZachXBT helped freeze 6-figure funds |

| 8 hours later | Attack stopped; StablR issued statement |

Technical Analysis

Root Cause: 1-of-3 Multisig = Single Point of Failure

StablR's minting multisig was configured at 1-of-3 threshold, meaning any 1 of 3 signers could authorize transactions. This degraded the entire stablecoin system's security to a single private key.

Comparison:

Harmony Horizon Bridge (2022, $100M hack): At least 2-of-5
Industry Standard: 2-of-3 or 3-of-5 + hardware wallets + geographic distribution
StablR: 1-of-3 — weaker than a bridge hacked two years ago

Attack Method Breakdown

Key Acquisition: Attacker obtained private key of owner 0xC73f...550d (method undisclosed; possible phishing/malware/supply chain attack)

Permission Takeover: Using 1-of-3 threshold, just one signature enabled:

- Adding attacker address as new owner

- Removing legitimate owners

- Obtaining 100% multisig control

Unlimited Minting: Called mint function via compromised multisig

DEX Cash-Out: Dumped newly minted tokens on Uniswap and other DEXs; shallow liquidity pools resulted in significant discounts

Countering Legitimate Users: Used admin privileges to blacklist+burn legitimate user tokens, preventing redemption

Why Only $2.8M Cash-Out from $13.5M Face Value?

USDR/EURR DEX liquidity pools extremely shallow (EURR market cap only $14M; USDR market cap $11M)
Large dumps caused massive slippage
Depeg triggered panic selling, further deteriorating prices

Background & Impact

Who is StablR?

Malta-registered EMI (Electronic Money Institution) license holder
Uses Tether's Hadron tokenization infrastructure
Received Tether strategic investment in December 2024
Received Kraken investment in July 2025
Claims EURR/USDR trading volume exceeded €3 billion in H1 2025
MiCA compliant; reserve funds held in segregated accounts

2026 DeFi Attack Pattern Shift

According to DefiLlama data:

70%+ of 2026 large DeFi losses stem from key/management permission theft, not smart contract vulnerabilities
April single month lost $634 million across 28+ incidents, worst month on record
LayerZero bridge exploits (18%), admin key theft (16%), fake tokens (14%), private key leaks (11%)
This case belongs to the same attack pattern as Echo Protocol and Drift Protocol

Irony of European Stablecoin Regulation

Attack occurred as ECB pushed for tighter euro stablecoin liquidity rules
ECB President Lagarde just stated euro stablecoins pose potential financial stability risks
EURR accounts for only 0.24% of Ethereum fiat stablecoin total
MiCA compliance ≠ Technical Security

Pending Deep Investigation Areas

Attacker Identity Tracing: Trace KYC information at CCTP/Noble deposit source

Compromised Key Acquisition Method: Phishing/insider/supply chain?

ZachXBT's 7 Tagged Associated Addresses: Complete fund flow mapping

Burned 2.7M EURR: Whose assets were destroyed? Legal consequences?

Tether/Kraken Investor Responsibility: Did they conduct adequate technical due diligence?

Fund Freeze Progress: Was 6-figure freeze successful? Where did remaining funds go?

Data Sources

BeInCrypto - Echo Protocol Hack Autopsy
Cointelegraph - StablR EURR USDR depeg
CryptoCompass - StablR Technical Analysis
CryptoWisser - StablR Stablecoins Lose Peg
Blockonomi - ZachXBT Flags StablR Exploit
ZachXBT Telegram/X posts (May 24, 2026)
Blockaid real-time exploit detection

Investigator: Onchain Shadow

Disclaimer: This report is based on publicly available on-chain data and media reports for security research purposes only.