USDT live
Supply 112.4B +0.8%
Tron share 53.2%
ETH share 38.4%
TRC20 gas $0.95 -2.1%
ERC20 gas $4.20
24h volume $48.2B
English · 中文

Stable.al Accused of Multisig Key Theft and USDR/EURR Suspension: How to Read This Story When Primary Sources Are Incomplete

2026-05-27

In its May 26 nightly briefing, Korean outlet Tokenpost cited a PANews report claiming that a self-described “European stablecoin issuer” called Stable.al suffered the theft of one private key from a 1-of-3 Ethereum multisig wallet. The attacker allegedly gained admin access, removed the original signers, and overminted approximately 8.35 million USDR and 4.5 million EURR — a combined nominal value of roughly $13.5 million, of which approximately $2.8 million was reportedly cashed out. According to the report, USDR briefly depegged before recovering to around $0.994, while EURR fell as low as $0.548. Both tokens reportedly no longer satisfy MiCA’s 1:1 reserve requirement as a result.

Important caveat: As of publication, we have been unable to independently verify Stable.al’s issuer identity, the contract addresses for either token, the overmint transaction hashes, or the specific cash-out route through any major on-chain analytics platform (Etherscan labels, Arkham, public Chainalysis alerts) or mainstream English-language crypto media (CoinDesk, The Block, DL News). The permanent link to PANews’s original Chinese report was not included in the briefing. The discussion below uses a conditional framework — “assuming the report is factually accurate” — to examine potential implications for USDT virtual card users. Until the facts are established, readers should not treat any “action guidance” here as definitive instructions.

If True, What Does This Mean for USDT Card Users?

The short answer: virtually no direct impact for the vast majority of USDT virtual card users.

The reason is straightforward — USDR and EURR do not appear in the supported top-up currency lists of any major card issuer. We checked the official top-up lists for our editorially selected MPCard, Wirex, Crypto.com Visa, Bybit Card, and OKX Card: neither token appears on any of them. They are not mainstream stablecoins like USDT, USDC, or DAI, nor are they euro stablecoins like EURC, EURS, or agEUR that have been integrated by multiple European card issuers.

In other words, even if this incident is 100% confirmed, the balance, spending, and withdrawal chain of users who top up with USDT and spend via Visa/Mastercard does not pass through USDR or EURR — so no action is needed. The risk worth monitoring is a second-order effect: if European regulators use this incident as an opportunity to accelerate on-site inspections of MiCA “EMT” (Electronic Money Token) issuers, card issuers that settle in euros or serve residents within the EEA could face more frequent compliance inquiries within 30–90 days, which in turn may slow new account approvals.

Historical Comparison: Overminting vs. Reserve Insolvency vs. Private Key Theft

Placing this report in the context of the stablecoin incident spectrum, the type distinction matters:

Different incident types produce different regulatory responses. The USDC incident led to pressure for reserve diversification (reducing reliance on a single bank). The UST collapse effectively expelled algorithmic stablecoins from regulated card channels. If the Stable.al incident is independently verified, the most likely regulatory response would be strengthened operational audits of smaller MiCA-licensed issuers, including multisig threshold requirements, mandatory HSM use, and caps on single-signer authority.

Compliance Boundaries Under the MiCA Framework

The EUR-Lex official text confirms that MiCA’s chapters on EMTs (Electronic Money Tokens) and ARTs (Asset-Referenced Tokens) took effect on June 30, 2024, and the CASP (Crypto-Asset Service Provider) chapter took effect on December 30, 2024. Both dates are independently verifiable public facts.

Applied to the scenario in this report:

Key Developments Worth Watching

  1. Official issuer statement: Whether Stable.al’s website and X/Twitter account publish an incident disclosure with on-chain addresses and the stolen transaction hash. If no mainstream English-language media follows up within a week, the nature of the event itself is in question.
  2. On-chain verification: Whether the ERC-20 contract addresses for USDR and EURR can be found on Etherscan, who deployed them, and whether abnormal mint spikes appear in the past 30 days.
  3. EU regulatory response: Whether the European Banking Authority (EBA) or a member state NCA (such as France’s AMF, Germany’s BaFin, or the Central Bank of Ireland) issues guidance or enforcement on multisig custody requirements for EMT issuers within 4–6 weeks.
  4. Whether mainstream stablecoins are affected: Whether the supply curves of EURC (Circle), EURS (STASIS), and agEUR (Angle) show abnormal redemption during the fallout period. A rapid supply decline of more than 1% would suggest markets are treating this as a systemic signal; the absence of such a move would indicate this is an isolated small-project incident.

Editorial Guidance

For questions about stablecoin fundamentals, see What Is a USDT Card for an explanation of how the USDT card funding chain relates to stablecoin selection.