
They Photographed the Password in the Press Release: Why ₩4.8 Billion Vanished in 3 Minutes After Korea's Tax Authority Exposed a Seed Phrase

South Korea's National Tax Service (NTS) published a press release promoting seizures from tax delinquents that included a photo of a Ledger cold wallet with the seed phrase fully visible — resulting in the theft of approximately ₩4.8 billion (USD 4.8M) worth of PRTG tokens within minutes. The incident has raised serious questions about the government's ability to securely manage digital assets.

Ledger Hardware Wallet and Seed Phrase
Why you need to read this now: The government bragged about seizing criminal proceeds — and published the vault key alongside the press release. ₩4.8 billion evaporated in just a few minutes.

TL;DR

  • On February 26, 2026, South Korea's National Tax Service (NTS) announced the results of a joint crackdown targeting 124 high-value tax delinquents, releasing a photo of a seized Ledger cold wallet with the recovery seed phrase (mnemonic) fully unmasked.
  • Within minutes of publication, an unknown attacker used the phrase to restore the wallet and drained 4 million PRTG (Pre-Retogeum) tokens (estimated ~USD 4.8M / ~₩6.9 billion).
  • The NTS issued a formal apology and referred the case to police. Some reports indicated a partial return of the tokens, but the root cause — the government's lack of digital asset security infrastructure — has been thrust into the spotlight.
  • This is South Korea's second government-linked digital asset loss, following a 2021 incident in which 22 Bitcoin held in police custody were stolen in a similar fashion.

What Happened

On February 26, 2026, the NTS publicly announced the results of a joint investigation targeting 124 high-value tax delinquents. Total digital assets seized amounted to ₩8.1 billion (~USD 5.6M). To highlight the achievement, the agency attached photos of confiscated Ledger cold wallets and related documents to the official press release.

The problem was in the photo. On a piece of paper next to the wallet, a 12–24 word mnemonic recovery phrase (seed phrase) was clearly printed without any masking.

A seed phrase is the 'master key' to a hardware wallet. Anyone with this phrase can fully restore and control the wallet from any device — no physical hardware required.

Blockchain analysts confirmed that 4 million PRTG tokens were drained in 3 transactions within moments of the press release being distributed.


Why It Happened So Fast — The Attack Mechanism

By design, hardware wallets can be fully restored on any device using only the seed phrase — no physical access to the original device is needed. The core security premise of a cold wallet is 'offline storage + private seed phrase.' The second of these two conditions was broken by a government agency's mistake.

Attack sequence:

  1. Press release distributed → seed phrase exposed in photo
  2. Attacker recognizes phrase → imports into software wallet
  3. 3 token transfer transactions → complete within minutes

Another factor that enabled such a rapid theft: the PRTG token's low liquidity meant that anomaly detection systems did not trigger immediately.


Stakeholders

| Stakeholder | Position & Impact |
|---|---|
| NTS (National Tax Service) | Directly at fault. Issued formal apology, referred case to police, announced external security audit |
| Affected Delinquents | Secondary victims — assets seized by the government were then stolen from the government |
| Attacker | Unknown. Being traced via Ethereum-based on-chain analysis |
| Crypto Industry | Incident renews scrutiny of government's understanding of digital asset security |
| Legislature | Expected to accelerate debate on legislating 'digital asset custody protocols' for government agencies |

Context & Background

This incident is not unique to South Korea. Law enforcement agencies worldwide have experienced repeated failures in seizing and storing digital assets. South Korea in particular has prior history: in 2021, 22 Bitcoin entrusted to a third party by police were stolen by hackers.

The three cardinal rules of seed phrase security are industry standard:

  • Keep it private (never photograph it)
  • Physical isolation (offline, fireproof and waterproof safe)
  • Multi-signature (Multi-sig) or institutional custody solutions

The government's failure to follow these basics demonstrates that internal security training and processes have failed to keep pace with the rapid integration of digital assets into the regulated financial system.
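
A pre-publication check of the kind that would have held the photo, shown as an added example that is not from the original article or from the NTS: it scans text already extracted (OCR) from release attachments for runs shaped like a BIP-39 recovery phrase. The function names, file names and the OCR step are assumptions; without a wordlist it is a heuristic that flags attachments for human review.

```python
import re

# BIP-39 phrases are 12, 15, 18, 21 or 24 words; English-list words are 3-8 letters.
VALID_LENGTHS = (12, 15, 18, 21, 24)
WORD = re.compile(r"[a-z]{3,8}")
NUMBERING = re.compile(r"^\(?\d{1,2}[.):]?")  # "1.", "2)", "(3)" as printed on recovery sheets


def find_mnemonic_candidates(ocr_text, wordlist=None):
    """Return [(word_count, words)] for token runs shaped like a recovery phrase.

    ocr_text: text already extracted from an attachment (the OCR step is assumed).
    wordlist: optional set of BIP-39 words; if given, every word in a run must be in it.
    """
    hits, run = [], []
    tokens = [NUMBERING.sub("", t.strip(",;").lower()) for t in ocr_text.split()]
    for tok in [t for t in tokens if t] + ["#"]:  # "#" sentinel flushes the final run
        if WORD.fullmatch(tok) and (wordlist is None or tok in wordlist):
            run.append(tok)
            continue
        if len(run) >= VALID_LENGTHS[0]:
            # Report the longest valid phrase length that fits inside the run.
            n = max(length for length in VALID_LENGTHS if length <= len(run))
            hits.append((n, run[:n]))
        run = []
    return hits


def hold_for_review(attachments, wordlist=None):
    """Return names of attachments that must not be published until redacted."""
    return [name for name, text in attachments.items()
            if find_mnemonic_candidates(text, wordlist)]


# Constructed sample: OCR text of two hypothetical press photos. The phrase is the
# public all-zero-entropy BIP-39 test vector, not a live wallet.
PHRASE = ["abandon"] * 11 + ["about"]
SAMPLE = {
    "photo_wallet.jpg": "Recovery sheet "
    + " ".join(f"{i}. {w}" for i, w in enumerate(PHRASE, 1)),
    "photo_cash.jpg": "Seized cash and documents, February 2026",
}

if __name__ == "__main__":
    print(hold_for_review(SAMPLE))
```

Passing the full BIP-39 English wordlist as `wordlist` tightens the match to exact phrase boundaries; leaving it out errs toward holding more attachments, which is the safer default for a release gate.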


Outlook

  • Short-term: NTS internal and external security audits underway. Some token recovery reported, but full restitution remains uncertain.
  • Medium-term: Growing likelihood of National Assembly discussions on legally mandating a 'government digital asset custody protocol.'
  • Long-term: As domestic crypto spot ETFs move toward launch, setting minimum competency standards for government digital asset custody is becoming unavoidable.

✅ Key Checklist

  • Monitor whether NTS external security audit results are made public
  • Track stolen token recovery status (on-chain analysis via Ethereum)
  • Watch for National Assembly bills on digital asset custody
  • Follow discussions on recurrence prevention (multi-sig, mandatory institutional custody)
