South Korean Tax Agency’s Crypto Blunder: $5M Stolen After Wallet Password Leak
Clueless Cops Post Seized Crypto Wallet Password. $5M Quickly Stolen
In a stunning blunder, South Korea’s National Tax Service (NTS) accidentally exposed the mnemonic seed phrase for seized cryptocurrency wallets in a public press release, leading to the theft of nearly $5 million in digital assets.[1][4][5] The incident, which unfolded on February 26, 2026, has sparked outrage over law enforcement’s mishandling of blockchain technology and highlighted the irreversible nature of crypto transactions.[1][6]
The Seizure That Backfired Spectacularly
The NTS had every reason to celebrate. On February 26, 2026, the agency announced a major crackdown on tax evasion, seizing assets worth approximately 8.1 billion Korean won ($5.6 million) from 124 high-value tax delinquents.[1][4][5] Among the haul were luxury goods, cash, and crucially, four Ledger hardware wallets—cold storage devices holding cryptocurrency offline for enhanced security.[3][5][6]
Eager to showcase their success, the NTS published a press release complete with photographs of the confiscated items. But in a critical oversight, one image captured a handwritten mnemonic recovery phrase next to a Ledger wallet belonging to a tax evader dubbed “Mr. C.”[1][5][6] This seed phrase, typically 12-24 words, serves as the “master key” to the wallet, allowing anyone with it to regain full control from anywhere in the world—no passwords or further verification needed.[2][3][5]
“This wasn’t a sophisticated hack. It was a procedural breakdown,” noted a cybersecurity analyst, emphasizing the lack of basic cryptographic review in the press release process.[2] The photos provided “vivid information to crooks,” as the NTS later admitted in its apology.[4]
The Lightning-Fast Heist
The theft happened within hours of the press release going live.[4][6] Blockchain explorers quickly lit up with activity: An unknown actor deposited a small amount of Ethereum (ETH) into the exposed wallet to cover gas fees for transactions on the Ethereum network.[1][6] They then executed three transfers, draining 4 million PRTG tokens (Pre-Retogeum)—valued at about $4.8 million at the time—to a new address under their control.[1][4][6]
PRTG, the primary asset in the wallets, represented the bulk of the seized crypto value.[1][4] No advanced exploits were required; the thief simply imported the seed phrase into standard software like Ledger Live or MetaMask.[6] This operational security failure aligns with MITRE ATT&CK techniques like exposing unsecured credentials in files (T1552.001) and using valid accounts (T1078).[6]
The press release was swiftly removed from the NTS website, but the damage was done. Blockchain’s transparency—often touted as a feature—left an indelible trail of the transfers.[4][6]
Chaotic Aftermath and Partial Recovery
News of the leak spread rapidly, prompting unexpected developments. On February 28, a man submitted a voluntary confession via South Korea’s national cybercrime reporting system, claiming he acted “out of curiosity” but had returned the coins and was reflecting.[2][3] Police arrested this first suspect on March 1, leveraging the confession and clear blockchain evidence.[2]
However, reports conflict on full recovery. Some accounts indicate the NTS used its virtual asset tracing program to track and reclaim funds initially, only for 6.9 billion won to be stolen a second time.[3] Authorities continue hunting a potential second suspect, with the National Police Agency involved in ongoing investigations.[1][2][4] Recovery remains challenging due to crypto’s decentralized, irreversible transactions—there’s no central authority to freeze or reverse them.[1][4]
The NTS issued a public apology, acknowledging the blunder stemmed from wanting to give the public “more vivid information.”[4] Critics, including a Hansung University professor, lambasted the agency for its “basic lack of understanding of virtual assets,” costing the national treasury billions in won.[1]
Why This Exposes Crypto’s Double-Edged Sword
This fiasco underscores profound risks when traditional institutions collide with blockchain tech. Mnemonic phrases are sacrosanct in crypto custody; exposing them is like posting a bank vault combination online.[2][5] Governments worldwide struggle with securing seized digital assets, as seen in past U.S. and EU cases of lost keys or hacks.[1] (Note: While search results focus on this NTS event, broader patterns emerge from expert commentary.)
For law enforcement, it signals a need for crypto-specific protocols: redaction training, cryptographic audits for media, and dedicated wallet management teams.[2][6] Tax agencies must treat seed phrases like nuclear codes, not photo props.
The blockchain’s immutability cut both ways here. It enabled the swift theft but also provided forensic clues for pursuit—public ledgers revealed deposits, transfers, and recipient addresses.[4][6] Still, without suspect cooperation or exchange KYC (Know Your Customer) data, full recovery is a long shot.
Lessons for Crypto Holders and Regulators
Everyday users should never photograph or share seed phrases, even handwritten ones—digital forensics can recover them.[5][6] Use hardware wallets, multi-sig setups, and shamir secret sharing for high-value holdings. Regulators? Invest in blockchain forensics tools and training now, before more “clueless” leaks drain public coffers.
As South Korea probes deeper, this story serves as a stark reminder: In crypto, one careless post can vaporize millions in seconds. Law enforcement’s triumph turned to embarrassment, but the blockchain’s ledger endures—potentially delivering justice if sleuths follow the trail.
(Word count: 812)
Original source: Ars Technica – Clueless cops post seized crypto wallet password. $5M quickly stolen.