$4.8M in crypto stolen after Korean tax agency exposes wallet seed

Source: Bleeping Computer

Incident Summary

Someone jumped at the opportunity to steal $4.4 million in crypto assets after South Korea’s National Tax Service (NTS) publicly exposed the mnemonic recovery phrase of a seized cryptocurrency wallet.

The funds were stored in a Ledger cold wallet seized during law‑enforcement raids on 124 high‑value tax evaders, which resulted in the confiscation of digital assets worth 8.1 billion won (approximately $5.6 million). When announcing the success of the operation, the agency released photos of the Ledger device—a popular hardware wallet for crypto storage and management.

However, the images also showed a handwritten note of the wallet recovery phrase, which serves as the master key that allows restoring the assets to another device.

Images released by the South Korean tax authority
Source: mk.co.kr

The authorities failed to redact that information, allowing anyone to transfer the assets in the cold wallet. Reportedly, shortly after the press release was published, 4 million Pre‑Retogeum (PRTG) tokens—worth approximately $4.8 million at the time—were transferred out of the confiscated wallet to a new address.

“On‑chain data (Etherscan) analysis shows that the attacker first deposited a small amount of Ethereum (ETH) into the wallet to pay transaction fees (gas fees), and then meticulously transferred the 4 million PRTG tokens to their own wallet in three separate transactions,” reported Korean media.

Blockchain data analysis expert Cho Jae‑woo, a professor at Hansung University in Seoul who observed the transfer, compared the mistake to “leaving a wallet open and advertising it to the entire nation for people to take the money.” He attributed the blunder to the tax authorities’ “lack of basic understanding of virtual assets,” which effectively cost the national treasury tens of billions of won that had been successfully confiscated.

The press release has now been removed from the NTS website, and it is unclear whether authorities have launched an investigation to trace the stolen funds.

Aftermath and Recommendations

The case serves as a reminder for hardware‑wallet owners that a seed phrase gives complete access to a wallet without any additional protections. Anyone who possesses it can recreate the wallet anywhere, without the device, PIN, or the owner’s permission.

Best practices:

• Never digitize seed phrases. Avoid storing them in electronic notes, photos, email messages, cloud storage, or messaging apps.
• If a seed phrase is exposed, move all funds to a new wallet as soon as possible.
• Redact sensitive information from any public disclosures or media releases involving seized crypto assets.