What Happened
On May 24, EURR and USDR — euro and USD stablecoins issued by StablR — lost their pegs. Security monitoring firm Blockaid, as cited in Cointelegraph’s report, indicated the suspected cause was a private key compromise affecting one signer in the minting multisig, with the attack amounting to approximately $2.8 million. As of publication, StablR has not released a full post-incident review; on-chain details regarding the minting address are sourced from Cointelegraph and Blockaid’s reporting.
Worth noting: this is an issuer-level multisig security incident, not a collapse of the stablecoin mechanism itself (unlike the structural depeg seen with algorithmic stablecoin UST). While the $2.8 million scale is relatively small, the event involves a euro stablecoin issuer operating under the MiCAR regulatory framework — European regulatory responses are worth tracking over the longer term.
Editorial Take: Practical Impact on USDT Card Users
Bottom line up front — the vast majority of USDT virtual card users are unaffected. USDT, USDC, PYUSD, and other mainstream stablecoins are entirely independent of StablR’s minting infrastructure. Here is a breakdown by card:
- Users holding MPCard: MPCard’s Asia Elite variant runs on USDT as its primary chain, with no asset exposure to StablR. No action needed.
- Users holding Bybit Card / Crypto.com Visa / Coinbase Card: These cards primarily use USDT/USDC for top-ups and are equally unaffected.
- Users holding Wirex or other multi-stablecoin cards: If your balance does not include EURR or USDR, there is no impact. If it does, consider pausing spending activity and waiting for an official StablR announcement before deciding whether to convert back to mainstream stablecoins.
Expected timeline to watch:
- Within 7 days: Watch whether StablR publishes a complete security disclosure (attacker address, fund recovery progress, whether a circuit-breaker has been triggered).
- Within 30 days: Watch whether EURR/USDR re-pegs 1:1 and whether any exchanges suspend trading pairs.
- Within 90 days: Watch whether European regulators (particularly in MiCAR-registered jurisdictions) issue new compliance requirements for issuer key management — this could affect the compliance costs of future euro card BINs.
Historical Context: Three Types of Depeg Are Not the Same
Placing this event on the depeg timeline makes things clearer:
- May 2022 UST collapse: Algorithmic stablecoin death spiral — a mechanism failure unrelated to collateral or custody. Today’s StablR event is not this type.
- March 2023 USDC brief depeg: Circle had $3.3 billion in reserves at SVB; the price fell to approximately $0.87 before recovering within 72 hours following the SVB rescue. This was a reserve asset risk, distinct from StablR’s private key risk.
- Various small-scale stablecoin security incidents in 2025: Same category as today’s StablR event — issuer key management failure, small scale, mechanism itself intact.
This event most closely resembles the third type. The mechanism is intact, the reserves are intact — but there are limits to an issuer’s operational security. This is precisely why MiCAR and Hong Kong’s stablecoin regulations are pushing issuers toward reserve segregation and key management audits.
Regulatory and Compliance Perspective
StablR is one of the few euro stablecoin issuers operating under the MiCAR framework. Since MiCAR came into effect for stablecoins in June 2024, it has imposed clear requirements on issuers regarding reserve audits, whitelisted trading venues, and KYC — however, no mandatory technical standards for minting private keys or multisig arrangements are specified at the rule-text level. That is precisely the grey area exposed today.
For EU residents choosing a USDT card, refer to the EU compliance guide and card recommendations for EU residents. Regulators may issue supplementary guidance on issuer private key governance within the next 3–6 months, which could affect all BINs issued within the EU — but this would not retroactively affect cards already issued.
Asia-Pacific users can continue to reference local compliance frameworks in Japan, Hong Kong, and Singapore. Those jurisdictions currently have no direct connection to the StablR incident.
Key Milestones Worth Watching
- StablR official announcement: Whether a full post-incident report (PIR) is published, specifically identifying the compromised multisig role and confirming whether all signing addresses have been rotated.
- EURR/USDR re-peg curve: Using USDC’s 72-hour recovery in 2023 as a reference, failure to re-peg within 7 days would signal meaningful damage to issuer trust.
- European regulatory response: Whether the European Banking Authority (EBA) or ESMA issues a public statement.
- Changes to the MiCAR registration list: Whether StablR retains its issuance authorization — as of publication, there is no official change notice; please refer to the official ESMA database for current status.
Editorial Recommendations
Match the guidance to your card and stablecoin holdings:
- Users holding USDT-primary virtual cards such as MPCard, Bybit Card, or Coinbase Card: No action required. Your assets are entirely independent of StablR.
- Users spending with euro stablecoins: First confirm whether your balance includes EURR or USDR. If it does, pause large transactions and wait for an official StablR announcement before making any decisions. If you are planning to apply for a euro card, see card recommendations for EU residents and prioritize products backed by mainstream USDT, USDC, or EURC.
- Users planning to apply for a new euro card in the near term: Consider waiting 30 days to see whether regulators issue supplementary guidance on issuer private key governance — this may influence which new BINs are worth choosing.
- Multi-stablecoin holders: Concentrating EUR stablecoin exposure with a single small issuer is the central lesson of this incident. Spreading holdings across 2–3 issuers and maintaining a portion in USDT is a more resilient approach.