In its May 26 nightly briefing, Korean outlet Tokenpost cited a PANews report claiming that a self-described “European stablecoin issuer” called Stable.al suffered the theft of one private key from a 1-of-3 Ethereum multisig wallet. The attacker allegedly gained admin access, removed the original signers, and overminted approximately 8.35 million USDR and 4.5 million EURR — a combined nominal value of roughly $13.5 million, of which approximately $2.8 million was reportedly cashed out. According to the report, USDR briefly depegged before recovering to around $0.994, while EURR fell as low as $0.548. Both tokens reportedly no longer satisfy MiCA’s 1:1 reserve requirement as a result.
Important caveat: As of publication, we have been unable to independently verify Stable.al’s issuer identity, the contract addresses for either token, the overmint transaction hashes, or the specific cash-out route through any major on-chain analytics platform (Etherscan labels, Arkham, public Chainalysis alerts) or mainstream English-language crypto media (CoinDesk, The Block, DL News). The permanent link to PANews’s original Chinese report was not included in the briefing. The discussion below uses a conditional framework — “assuming the report is factually accurate” — to examine potential implications for USDT virtual card users. Until the facts are established, readers should not treat any “action guidance” here as definitive instructions.
If True, What Does This Mean for USDT Card Users?
The short answer: virtually no direct impact for the vast majority of USDT virtual card users.
The reason is straightforward — USDR and EURR do not appear in the supported top-up currency lists of any major card issuer. We checked the official top-up lists for our editorially selected MPCard, Wirex, Crypto.com Visa, Bybit Card, and OKX Card: neither token appears on any of them. They are not mainstream stablecoins like USDT, USDC, or DAI, nor are they euro stablecoins like EURC, EURS, or agEUR that have been integrated by multiple European card issuers.
In other words, even if this incident is 100% confirmed, the balance, spending, and withdrawal chain of users who top up with USDT and spend via Visa/Mastercard does not pass through USDR or EURR — so no action is needed. The risk worth monitoring is a second-order effect: if European regulators use this incident as an opportunity to accelerate on-site inspections of MiCA “EMT” (Electronic Money Token) issuers, card issuers that settle in euros or serve residents within the EEA could face more frequent compliance inquiries within 30–90 days, which in turn may slow new account approvals.
Historical Comparison: Overminting vs. Reserve Insolvency vs. Private Key Theft
Placing this report in the context of the stablecoin incident spectrum, the type distinction matters:
- March 2023 USDC depeg: Caused by $3.3 billion in reserves held at Silicon Valley Bank during its seizure. A “reserve custodian risk” event — unrelated to hacking; Circle’s reserve accounting itself was real.
- May 2022 UST collapse: Caused by an algorithmic stablecoin death spiral, with no 1:1 reserves existing in the first place.
- August 2021 Poly Network $610M theft: A cross-chain bridge contract permission exploit, unrelated to the stablecoin issuance mechanism itself.
- This incident (if confirmed): A private key leak at the operational infrastructure layer of the issuer, causing on-chain book supply to diverge from actual reserves — i.e., an attacker “printed” tokens not backed by reserves. This is precisely the risk type that MiCA Article 36’s “1:1 reserve + segregation + redeemability” framework is designed to prevent.
Different incident types produce different regulatory responses. The USDC incident led to pressure for reserve diversification (reducing reliance on a single bank). The UST collapse effectively expelled algorithmic stablecoins from regulated card channels. If the Stable.al incident is independently verified, the most likely regulatory response would be strengthened operational audits of smaller MiCA-licensed issuers, including multisig threshold requirements, mandatory HSM use, and caps on single-signer authority.
Compliance Boundaries Under the MiCA Framework
The EUR-Lex official text confirms that MiCA’s chapters on EMTs (Electronic Money Tokens) and ARTs (Asset-Referenced Tokens) took effect on June 30, 2024, and the CASP (Crypto-Asset Service Provider) chapter took effect on December 30, 2024. Both dates are independently verifiable public facts.
Applied to the scenario in this report:
- Clearly prohibited: EMT issuers under MiCA must maintain 1:1 reserves. If on-chain circulating supply exceeds actual reserves, the issuer is in clear violation, and regulators have the authority to require suspension of issuance and redemption.
- Grey area: Whether Stable.al genuinely holds a MiCA EMT license, and whether its claimed “European issuer” status has been authorized by any member state competent authority — neither question has independent evidence in the materials we can access. When following our EU compliance page, keep in mind that many projects claiming to be “MiCA compliant” are simply incorporated in the EU without having passed EMT license approval.
Key Developments Worth Watching
- Official issuer statement: Whether Stable.al’s website and X/Twitter account publish an incident disclosure with on-chain addresses and the stolen transaction hash. If no mainstream English-language media follows up within a week, the nature of the event itself is in question.
- On-chain verification: Whether the ERC-20 contract addresses for USDR and EURR can be found on Etherscan, who deployed them, and whether abnormal mint spikes appear in the past 30 days.
- EU regulatory response: Whether the European Banking Authority (EBA) or a member state NCA (such as France’s AMF, Germany’s BaFin, or the Central Bank of Ireland) issues guidance or enforcement on multisig custody requirements for EMT issuers within 4–6 weeks.
- Whether mainstream stablecoins are affected: Whether the supply curves of EURC (Circle), EURS (STASIS), and agEUR (Angle) show abnormal redemption during the fallout period. A rapid supply decline of more than 1% would suggest markets are treating this as a systemic signal; the absence of such a move would indicate this is an isolated small-project incident.
Editorial Guidance
- Users holding mainstream USDT cards such as MPCard, Wirex, and Crypto.com Visa: No action needed. Your underlying balance is USDT (Tether); your top-up and spending chain does not pass through USDR or EURR.
- Users currently using euro stablecoins (EURC/EURS/agEUR) for European subscriptions or local spending: Simply monitor your card issuer’s announcement channels over the next 30 days. There is no need to switch underlying assets at this time. For details on European card issuers’ specific compliance positions, see our EU compliance and Best Cards for EU Residents pages.
- Users planning to apply for a European locally-issued card: No need to delay because of this, but we recommend prioritizing issuers with publicly verifiable MiCA EMT license information over small projects that merely claim compliance.
- Regarding this news story itself: Until the PANews original article link, on-chain transaction hashes, and an official Stable.al statement all appear, treat this as a report pending verification, not an established fact. We will publish a dedicated follow-up once mainstream English-language media covers the story or on-chain evidence emerges.
For questions about stablecoin fundamentals, see What Is a USDT Card for an explanation of how the USDT card funding chain relates to stablecoin selection.