
South Korea’s government just delivered a painfully modern lesson in operational security: if you publish the keys, you publish the money.
In late February 2026, South Korea’s National Tax Service (NTS) celebrated a high-profile enforcement action against tax delinquents — and then (apparently) helped drain a seized crypto wallet by accidentally disclosing its recovery phrase in a press-release photo. Within hours, roughly 4 million PRTG tokens, widely reported as worth about $4.8 million (around ₩6.9 billion), were transferred out.
The story was covered in the RSS item you provided from Ars Technica (Tech Policy). Ars is the original source for this specific feed item, and the piece is authored by Dan Goodin. (Note: Ars Technica blocks automated access from some crawlers; I could not fetch the article text directly due to a 403, so I’m relying on corroborated reporting from other outlets and Korean English-language press.)
What happened (and why it’s so easy to understand)
The NTS announced it had conducted enforcement actions against 124 high-value tax delinquents and seized various assets. The agency also shared photos of seized items with the media — a classic “table of confiscated goodies” picture, except this table included Ledger hardware wallets and, crucially, a visible seed phrase (also described as a mnemonic or recovery phrase).
If you’re not deep in crypto plumbing: a seed phrase is not a “password” in the way most people mean it. It’s closer to a master key — the thing you use to recreate a wallet elsewhere and spend the funds, without needing the physical device. Publishing it is basically the digital version of tweeting the combination to the safe, the safe’s location, and the instruction manual.
According to reporting in Korea JoongAng Daily, the NTS photo “clearly displayed” the mnemonic, and anyone with it could restore the wallet in compatible software. After the press release, the seized assets moved out; the case involved 4 million PRTG tokens valued around ₩6.9 billion ($4.8 million).
Blockchain analysis shared publicly by Hansung University’s Cho Jae-woo (as reported by multiple outlets) described the movement of those tokens shortly after the press release. In other words: there’s a public, timestamped trail of what happened, because blockchains are very honest about their own mistakes.
“Clueless cops” — but the agency here is the tax office
The RSS title you provided says “cops,” but much of the reporting points to the NTS (a tax agency) as the organization that published the sensitive phrase. Several outlets describe the incident as a government press release containing a visible recovery phrase, followed by the wallet being drained.
That said, the broader scandal absolutely does involve police custody failures too, and it’s not a one-off. South Korea has faced multiple high-profile cases where seized or held crypto went missing due to custody mishandling — the kind of thing that makes every chain-of-custody trainer wake up in a cold sweat.
Why a seed phrase leak is basically unrecoverable
In normal financial systems, if a password leaks, you can reset it; if a bank transfer is fraudulent, you might reverse it; if a wire goes to the wrong place, you can at least try to freeze it before it leaves the banking system. In public blockchains, a seed phrase leak is closer to irreversible credential compromise. Once someone has the phrase, they can generate private keys and sign transactions indefinitely.
Hardware wallets like Ledger are designed to keep private keys offline, but they can’t save you if the recovery phrase is photographed, printed, emailed, or — as in this case — placed in a public press packet like it’s a nice garnish.
The numbers: big headline value, messy real-world recoverability
The headline number — about $4.8 million — is based on token valuation at the time of reporting, and multiple sources note an important caveat: the token (PRTG) may be illiquid or hard to cash out at scale, which could limit realized profits for the thief and complicate “damages” calculations. Cointelegraph’s summary (via TradingView) highlights that some analysts believed the actual damage might be negligible because of the token’s difficulty to liquidate.
Still, “it’s hard to cash out” is not a security control. It’s just the market’s way of saying: “Congratulations, your attacker may now also be stuck holding the bag.” That’s not a win; it’s a comedy genre.
Context: South Korea’s seized-crypto custody problems are piling up
This episode landed in a climate where South Korean agencies have already been criticized for poor virtual-asset custody.
Case 1: 22 seized BTC allegedly moved while in police custody
Korea JoongAng Daily reports that investigators alleged that after Gangnam Police took custody of a cold wallet holding 22 Bitcoin (seized in November 2021), the operator of Queenbee Coin used a mnemonic they already knew to restore the wallet using another program and moved the Bitcoin without authorization while it remained under police control.
Case 2: Gwangju prosecutors lose 320 BTC after suspected phishing
In another case, the Gwangju District Prosecutors’ Office reportedly lost 320 BTC worth tens of millions of dollars, with reporting pointing to a suspected phishing incident during evidence handling. Korea JoongAng Daily describes an internal investigation and notes the discovery occurred during preparations to transfer the Bitcoin to the national treasury.
Put together, these cases show the same underlying theme: agencies are treating crypto evidence as if it were a USB stick with money inside (which it kind of is) while missing the more brutal truth: control flows to whoever controls the key material, not whoever holds the plastic.
How did a press release photo get through review?
Several reports indicate the NTS later acknowledged fault and issued an apology, saying it failed to recognize sensitive information in the original photo and provided it to media without proper caution. The Register reports the agency promised to strengthen internal controls and update procedures and training around virtual assets.
From a newsroom perspective, the failure looks like a classic “comms pipeline problem”:
- Evidence team stages items for documentation and media.
- Comms team selects the sharpest, most legible image (because that’s their job).
- Review process is optimized for faces, license plates, and addresses — not seed phrases.
- Internet does what the internet does.
This is exactly why crypto custody requires specialized handling and redaction practices that assume a non-crypto reviewer won’t recognize sensitive details. If the security of your seized funds depends on “someone noticing the random string of words is catastrophic,” you have already lost.
What “good” custody should look like (and what Korea says it will do)
After these incidents, South Korea’s National Police Agency has publicly discussed strengthening management systems for seized virtual assets. Korea JoongAng Daily describes measures including assigning two officials with joint responsibility, splitting control of recovery phrases and passwords, and conducting periodic balance checks. The article also notes plans to entrust confiscated cryptocurrency to specialized custodial firms within the year.
Those steps map well to widely understood security principles:
- Separation of duties: one person shouldn’t be able to move funds unilaterally.
- Key ceremony + sealed storage: formal processes for generating and storing key material.
- Auditable access: documented, monitored, and logged actions.
- Balance monitoring: checking on-chain balances (without exposing keys) to detect tampering early.
Importantly, “use a custodian” doesn’t automatically solve the problem; it shifts risk. A private custodian adds professional key management, but also introduces vendor risk, contractual complexity, and questions about jurisdiction and liability. Still, the alternative — a plastic wallet in an evidence locker with a seed phrase floating around on paper — is proving itself to be… not ideal.
Lessons for every organization holding crypto (yes, even if you hate crypto)
Not every reader is here because they love tokens. Some are here because they run security programs and saw “government leaked seed phrase” and felt their soul leave their body for a second.
Here are the practical takeaways that generalize beyond this incident:
1) Treat seed phrases like root keys — because they are
If your organization ever handles hardware wallets (for investigations, compliance, incident response, or even corporate treasury), you need written policies that treat recovery phrases as Tier-0 secrets. They must never appear in photos, screen shares, tickets, slide decks, or vendor emails.
2) Redaction needs crypto-aware checklists
Most comms and legal redaction pipelines know to blur faces, addresses, and ID numbers. Add “seed phrases,” “private keys,” “QR codes,” “backup cards,” and “2FA recovery codes” to the checklist. This is not a theoretical concern anymore.
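One way to turn that checklist item into an automated pre-publication gate, as an added example that is not from the reporting or from any agency's tooling: it scans text already extracted from an image by an OCR step (assumed to exist upstream) for runs of tokens shaped like a BIP-39 recovery phrase. The function names and sample strings are hypothetical and constructed for illustration.

```python
import re

# BIP-39 mnemonics hold 12, 15, 18, 21 or 24 words, and English-list words are
# 3-8 lowercase letters. With no wordlist loaded this is a shape heuristic only.
VALID_LENGTHS = (12, 15, 18, 21, 24)
WORD_SHAPE = re.compile(r"[a-z]{3,8}")
NUMBERING = re.compile(r"^\d{1,2}[.):]?")  # slot labels such as "7." or "12)"


def tokenize(ocr_text):
    """Split OCR text on whitespace, dropping slot numbers printed on backup cards."""
    tokens = []
    for raw in ocr_text.split():
        word = NUMBERING.sub("", raw).lower()
        if word:
            tokens.append(word)
    return tokens


def find_mnemonic_runs(ocr_text):
    """Return (start_token, run_length) for every run of 12+ word-shaped tokens.

    The words are never returned, so the scanner's own logs cannot leak them.
    """
    findings, start = [], None
    tokens = tokenize(ocr_text) + [""]  # empty sentinel closes a trailing run
    for i, tok in enumerate(tokens):
        if WORD_SHAPE.fullmatch(tok):
            if start is None:
                start = i
            continue
        if start is not None and i - start >= min(VALID_LENGTHS):
            findings.append((start, i - start))
        start = None
    return findings


def must_block(ocr_text):
    """True if the image should be held for a crypto-aware reviewer."""
    return bool(find_mnemonic_runs(ocr_text))


# Constructed samples: placeholder words, not a real mnemonic or a real caption.
_WORDS = ("alpha bravo charlie delta echo foxtrot golf hotel india juliet kilo lima "
          "mike november oscar papa quebec romeo sierra tango uniform victor whiskey xray")
CONSTRUCTED_CARD = "Recovery sheet: " + " ".join(
    f"{n}. {w}" for n, w in enumerate(_WORDS.split(), 1))
CONSTRUCTED_CAPTION = ("Officials from the tax office display cash, watches and two "
                       "hardware wallets seized during the raid on Friday.")
```

A hit is a reason to hold the image for manual review, not proof of a mnemonic; checking tokens against the actual BIP-39 wordlist would cut false positives, and the gate fails open on anything the OCR step cannot read.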
3) Physical custody is not key custody
The Gangnam case illustrates the mistake of believing that holding the device equals holding the assets. If the suspect (or a third party) also knows the recovery phrase, the funds can move from anywhere.
4) Audits must verify on-chain balances, not just device presence
As described in reporting around the Gwangju prosecutors case, simply checking that the USB-like device is still in a cabinet doesn’t prove the crypto is still there. Effective audits verify addresses and balances, with procedures that do not expose keys.
Why this matters beyond embarrassment
It’s tempting to file this under “funny crypto fails,” right next to exchange fat-finger stories and accidental burns. But this has serious consequences:
- Public trust: Citizens expect seized assets to remain intact and properly handled.
- Legal exposure: When government-held assets vanish, accountability questions follow fast.
- Operational precedent: Crypto seizures are becoming routine; mishandling can’t be routine too.
- Criminal incentives: If attackers learn government wallets are easy targets, they’ll keep looking.
Also, it undercuts a recurring narrative: that crypto’s risks are mostly a retail problem. Here, the failure mode is institutional — a reminder that the hardest part of security is rarely the cryptography. It’s the humans, the processes, and the photo attachments.
So what happens next?
According to Korean English-language reporting, police were investigating unauthorized transfers linked to the NTS disclosure, and there was at least one claim (received by the National Police Agency) from someone who said they accessed the crypto “out of curiosity” and returned assets the next day — a claim police planned to verify via transaction records.
That detail is fascinating because it highlights a uniquely blockchain-shaped dynamic: sometimes stolen funds are hard to launder, easy to track, or (in thin markets) difficult to liquidate. But again, that’s not a substitute for custody. It’s just a reason that this particular episode might end with less realized loss than the headline implies — while still being a five-alarm institutional security failure.
Sources
- Ars Technica (RSS original source): “Oops: South Korean cops lost $5M in seized crypto after leaking wallet password” — by Dan Goodin
- Korea JoongAng Daily — Son Sung-bae, Mar 1, 2026
- The Register — Mar 2, 2026
- BleepingComputer — Bill Toulas, Feb 28, 2026
- TradingView (Cointelegraph syndication) — Feb 2026
- Tom’s Hardware — Feb 2026
- Korea JoongAng Daily — Hwang Hee-gyu, Jan 27, 2026
- Asia Business Daily (Asiae, English) — Jan 28, 2026
- Web3 is Going Great — Feb 26, 2026
Bas Dorland, Technology Journalist & Founder of dorland.org