How Are We Supposed to Use Crypto Now If It Keeps Getting Hacked?

Today, a major exploit hit the smart contracts that issue the USDR and EURR stablecoins. The attacker was able to mint 16.76 million USDR and 9.11 million EURR out of thin air, and then swap a portion of these unbacked tokens for other crypto assets.

Have you noticed that hacks of this scale have started to feel routine? I follow crypto news every day, and I'll be honest with you: my eyes just skim past yet another headline about a multi-million-dollar exploit. As if there's nothing remarkable about it anymore!

And yet, behind every one of these hacks are real troubles faced by ordinary people who use blockchains and cryptocurrencies as their primary way to store and manage their savings.

Today, just as the attack on StablR (the issuer of USDR and EURR) was unfolding and the prices of both tokens were starting to slide, rabbit.io received a request to swap 2,000 USDR for USDT. Our automated system ran all the checks: the customer's address had no connection to the exploit, they had been holding USDR for nearly a year, and this swap request almost certainly meant someone trying to rescue their savings. We processed the swap at the rate available at that moment, and the customer lost only a little over 1%, even though within minutes the USDR price dropped by 25%, and later, amid the panic, fell to almost $0.40.

Chart from CoinGecko

But when, a few hours later, the same customer submitted a request to swap another 50,000 USDR, we could no longer offer them a swap without significant losses.

What Actually Happened

At 01:46 UTC today, ZachXBT's investigations channel on Telegram posted a message about a potential exploit of StablR's smart contracts amounting to roughly $10 million.

It later emerged that the hackers had obtained the private key of one of the owners of StablR's multisig address responsible for minting new tokens. The problem was made far worse by an extremely low security threshold: out of the three available private keys, just one was enough to authorize any operation. In other words, this wasn't really a multisig at all. The whole point of a multisig is that several signatures are required to execute an operation. Here, not only was one signature enough — any single one would do. A "multisig" like that doesn't increase the security of the address; it actually reduces it threefold. The hackers used the compromised key to mint millions of USDR and EURR tokens out of nothing.
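To put numbers on the "threefold" point above, here is an added example (not code from StablR or from this article) that compares m-of-n signing policies. It assumes each owner key is compromised independently with the same probability p; the value 0.01 and all function names are constructed for illustration.

```python
from math import comb


def compromise_probability(threshold: int, owners: int, p: float) -> float:
    """Chance that an attacker holds at least `threshold` of `owners` keys.

    Assumption: every key is compromised independently with probability p.
    """
    if not 1 <= threshold <= owners:
        raise ValueError("threshold must be between 1 and owners")
    return sum(
        comb(owners, k) * p**k * (1 - p) ** (owners - k)
        for k in range(threshold, owners + 1)
    )


def min_threshold_not_worse_than_single_key(owners: int, p: float) -> int:
    """Smallest threshold whose takeover risk does not exceed one lone key."""
    for m in range(1, owners + 1):
        if compromise_probability(m, owners, p) <= p:
            return m
    return owners  # not reached: owners-of-owners risk is p**owners <= p


def audit(threshold: int, owners: int, p: float) -> dict:
    """Summarise how a signing policy compares with a single-key wallet."""
    risk = compromise_probability(threshold, owners, p)
    return {
        "policy": f"{threshold}-of-{owners}",
        "risk": risk,
        "vs_single_key": risk / p,  # >1 means worse than one key
        "weaker_than_single_key": risk > p,
        "suggested_min_threshold": min_threshold_not_worse_than_single_key(owners, p),
    }


if __name__ == "__main__":
    P_KEY = 0.01  # constructed per-key compromise probability
    for m in (1, 2, 3):
        print(audit(m, 3, P_KEY))
```

With p = 0.01, the 1-of-3 policy comes out roughly three times riskier than a single key, while 2-of-3 is about thirty times safer than a single key.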

In Europe, where the StablR team is presumably based, it was the middle of the night between Saturday and Sunday, so the attack continued for several hours. The last 900,000 unauthorized EURR tokens hit the network at 4:03 UTC.

As the supply of both tokens increased dramatically — and, of course, immediately hit the market — the prices of USDR and EURR fell sharply and have not yet recovered.

What Are These Tokens, and Who Uses Them?

USDR (StablR USD) is a fiat-backed stablecoin pegged 1:1 to the US dollar, running on the Ethereum network. It's issued by the European fintech company StablR, which is registered as an Electronic Money Institution (EMI) and regulated by the Malta Financial Services Authority (MFSA), with additional offices in the Netherlands. EURR is the same company's euro-pegged stablecoin.

In late 2024, StablR received an investment from Tether (the issuer of USDT), which was clearly hoping in this way to maintain a foothold in the European crypto market after the MiCA regulation took effect — rules that effectively make it impossible for European-registered companies to use USDT.

Let me say a bit more about USDR, the token our customer was holding. Compared to giants like USDT and USDC, which move tens of billions of dollars, USDR is a tiny project. After last night's mint of 16.76 million unbacked tokens, the total USDR supply in circulation, according to Etherscan, stands at 21,076,437. Which means that before today's hack, its market cap was under $5 million.

So why would anyone choose it over USDT or USDC? The reason is that StablR designed its tokens specifically for MiCA compliance. They are completely transparent from a legal standpoint:

  • The fiat backing is held in segregated accounts at regulated European banks.
  • They undergo regular audits by major auditing firms (for example, Grant Thornton).

In all likelihood, our customer — who held at least 52,000 USDR — was either an EU resident or someone operating within the European legal framework. For them, it was important to use not USDT, but a "clean," provably legal, regulator-approved asset, in order to avoid problems with taxes or banks.

And today, because of StablR's technical security failure, that very same user made the decision to urgently move their holdings into USDT — a token that offers them neither legal nor operational certainty in Europe. And lost a significant amount of money in the process. Neither the licenses nor the financial audits of the issuer were enough to protect our customer from losses.

So What Do We Do If Even These Crypto Assets Turn Out to Be Unreliable?

I've long been writing about how governments and the banks they regulate are actively pushing people out of the traditional financial system and toward storing their savings on blockchains, where no one can confiscate them.

But the constant stream of hacks we've seen in recent months shows just how risky that kind of storage can be. I wouldn't be surprised if many crypto users start wondering whether it's time to move their savings back into banks. Banks can censor your transfers and payments, refuse to give you cash — but at least they don't get robbed nearly as often as crypto projects do.

The technical side of almost every crypto service is fully open source. And now that vulnerability research is being carried out around the clock by AI models that keep getting smarter, we should expect this wave of exploits to continue and even accelerate. Anything that can be hacked, will be hacked.

Does this mean it's time to abandon cryptocurrencies altogether? No. But I think it makes sense, at least temporarily, to scale back our involvement in schemes that wrap corporate layers around crypto. Those are exactly the ones that get hacked, not the cryptocurrencies themselves. Bitcoin's base protocol has not been hacked once in 17 years — simply because its architecture physically contains no privileged owners, no minting buttons, and no admin keys that a hacker could steal from a sleeping team.

The further an asset drifts away from pure, decentralized math and toward human control, the more vulnerable it becomes. That's why even Ethereum, with the centralized influence of the Ethereum Foundation rewriting the rules at every hard fork, can't serve as a benchmark for reliability. Truly secure storage exists only where there is no entity with the authority to change the rules in its own favor.

I think everyone who uses cryptocurrencies knows this. And yet, for everyday storage and ordinary transactions, very few people use cryptocurrencies like bitcoin. As long as prices are quoted in fiat currencies, everyone wants the balance in their wallet to be fixed in fiat terms as well — so that tomorrow it does not come as a surprise that they have 10–15% less money than they had today.

So what should an ordinary user do, if they still need the familiar stability of the dollar? Honestly, I don't have a good answer to that. Our customer made their choice today: realizing the danger of USDR, they decided to move their funds into USDT. USDT has been around for more than ten years. Yes, its issuer could rewrite the rules at any moment, but in all those years, no one has yet found a way to exploit that possibility.

And what's strangest of all is that even when hundreds of millions of completely unbacked USDT were circulating on the market, it did not affect the token’s price. No one asks questions when Tether releases another billion USDT into the market. If all holders know they cannot go to the issuer anyway and demand dollars in exchange for their tokens, then what difference does it make whether those tokens are backed? USDT rests on the belief that, no matter what happens, there will always be someone in the crypto market willing to give assets worth 1 USD for 1 USDT. I can imagine that this belief could survive any hack.

Younger stablecoins simply haven't accumulated enough believers yet to build the same kind of aura of reliability around themselves.

So, paradoxically, choosing a stablecoin that is maximally centralized and hasn't been through a single serious audit may turn out to be a perfectly rational decision.

The other option is stablecoins like Liquity USD, crvUSD, and DAI. By design, their contracts cannot be changed, and there is no centralized issuer who could falsify the collateral or refuse to give it back to you. Their smart contracts haven't been hacked yet. That said, this doesn't mean that AI models — with their current computing power and knowledge — couldn't, in principle, find a way to break them.

That's why I still believe that fiat-pegged crypto assets can only be a temporary solution, suitable for everyday spending. For actual storage of wealth, there's only Bitcoin and cryptocurrencies like it.