South Korea's $4.8M OpSec Catastrophe: How the National Tax Service Photographed Its Own Seed Phrase and Got Robbed Twice in 48 Hours
Imagine raiding a tax evader's apartment, seizing four hardware wallets, and then publishing a triumphant press release showing the recovered evidence — with the wallet's seed phrase clearly visible in the photo. Now imagine a thief drains the wallet within hours, returns the tokens as a warning, and a second thief steals them again before your agency can react.
That is not a crypto Twitter thought experiment. That is exactly what happened to South Korea's National Tax Service (NTS) in late February 2026 — a blunder that cost the government roughly $4.8 million in seized Pre-Retogeum (PRTG) tokens and exposed how unprepared most state agencies are to hold digital assets they increasingly confiscate.
The Photo That Ate $4.8 Million
The sequence of events is almost comically bad. On February 26, 2026, NTS agents raided the home of a taxpayer who owed unpaid capital gains tax. According to CoinDesk, agents seized at least four hardware wallets and an undisclosed amount of cash. Standard procedure so far.
Then came the press release. To publicize the operation, the NTS staged a photograph of the recovered items — Ledger hardware wallets arranged alongside the backup paper cards containing their mnemonic recovery phrases. The image was published to official channels unredacted. The 12- or 24-word mnemonic was legible to anyone with a screenshot tool and patience.
Within hours, according to The Block, an observer had reconstructed the seed, imported it into a wallet of his own, and begun emptying the account. The attacker first sent a small amount of ETH to the address to cover gas, then drained 4 million PRTG tokens, worth about $4.8 million at the time, to a fresh address across three transactions.
As blockchain analyst Cho Jae-woo told Korean press, the incident was equivalent to "leaving a wallet open and advertising it to the entire nation."
The Double Theft That Made It Worse
The story did not end with the first thief. It got weirder.
On February 28, the initial attacker reportedly contacted Korean police, claimed he had acted as a white hat, and returned the entire 4 million PRTG balance to the original NTS-controlled wallet. A diligent citizen move — except the NTS had not rotated the seed phrase, revoked the exposed credentials, or moved the wallet. The seed that had leaked 48 hours earlier was still the active key.
Two hours after the return, a second attacker — one who had apparently been watching the same exposed mnemonic — swept the wallet again and pushed the full balance into an address already flagged for "fake phishing" activity by blockchain explorers. This time, nobody was returning anything.
Two thefts. Same wallet. Same seed phrase. Different attackers. Less than 48 hours apart.
The second drain eliminated any remaining ambiguity about what went wrong: the NTS had treated a compromised wallet as if it were still secure, because its custody playbook did not contemplate what to do when a seed phrase becomes public.
Why This Is a Governance Problem, Not Just a Training Problem
It would be easy to frame this as a single agency's embarrassing mistake — a rookie error by tax agents who had never used a hardware wallet. But that framing misses the structural issue. Governments around the world are sitting on enormous and growing stockpiles of confiscated cryptocurrency, and most of them handle it with the operational maturity of a hobbyist.
Consider the precedents:
- Germany, in July 2024, sold 50,000 BTC seized from the Movie2K piracy site at an average of $57,600 per coin, about $2.88 billion in total. Bitcoin subsequently rose to roughly double that price, so the same stack would have been worth more than $5 billion. A governance decision about when to sell produced an opportunity cost larger than many national crypto seizures.
- The US Marshals Service, in a 2025 audit, could not tell the DOJ Inspector General exactly how much crypto it held. It has since split the custody mandate — Coinbase for large-cap Class 1 assets, CMDSS for the messier Class 2–4 altcoins.
- South Korea is drafting the Digital Asset Basic Act to allow corporations to allocate up to 5% of equity capital into the top 20 cryptocurrencies. The same government cannot secure a confiscated Ledger.
The pattern is consistent across jurisdictions: the enforcement capability to seize crypto has outrun the institutional capability to custody, account for, and ultimately dispose of it. Korea's seed-phrase photograph is the most visual example, but it is not the most expensive.
The Custody Stack Governments Should Already Be Using
None of this is unsolved in the private sector. Institutional digital asset custody is a mature product category with several robust architectures. The fact that the NTS kept seized coins on a raw hardware wallet, with a paper seed that anyone in the evidence room could read, reflects a choice to treat the device as the evidence when the seed phrase is the bearer instrument: whoever can read the words controls the funds, and no amount of physical custody over the Ledger changes that.
The minimum stack for government-held digital assets in 2026 looks something like this:
- Multi-party computation (MPC) wallets. Providers like Fireblocks generate key shares across multiple parties and hardware modules so that the full private key never exists in one place, not even at creation. No single agent ever holds the whole key; no single photograph can expose it. An industry comparison by Ridgeway Financial Services walks through the architectural tradeoffs among DFNS, Fireblocks, and Anchorage.
- Qualified custodians with bank charters. Anchorage Digital holds an OCC national trust bank charter, for years the only crypto-native firm to do so, and already serves BlackRock and PayPal. For a tax authority, the right model is probably to contract a qualified custodian rather than build custody in-house, just as tax agencies deposit seized cash with a bank rather than building their own vaults.
- HSM-backed cold storage for long-term holdings. Hardware security modules validated to FIPS 140-2 Level 3 (or its successor, FIPS 140-3) keep keys inside tamper-resistant hardware and sign without ever exporting the key to a human-readable medium. The protection only holds if the key is generated inside the module: importing a seed that already exists on a paper card inherits the card's exposure.
- Chain-of-custody and transfer policy software. Institutional-grade platforms enforce multi-signer approvals, withdrawal allowlists, and tamper-evident audit logs. A post-seizure workflow of "sweep the balance to a fresh custodial address, then retire the seized device and its seed" would be a mandatory first step, not an afterthought.
- Standard operating procedures for public communications. The most expensive failure was not cryptographic. It was the decision by a communications team to publish an un-vetted photograph. Any mature custody regime treats seed phrases as classified material on par with cryptographic keys protecting government communications.
The NTS has committed to all of this retroactively. South Korea's Deputy Prime Minister and Minister of Finance Koo Yun-cheol confirmed the leak publicly and announced an inter-agency investigation involving the Financial Services Commission and Financial Supervisory Service. The tax agency says it will conduct an external security review and rewrite its manual for the full seizure-to-sale lifecycle. Cointelegraph reports that the NTS is actively exploring handing custody of seized crypto to private specialists.
That is the right direction. It also should have been the policy before the photograph, not after.
The Uncomfortable Precedent for Regulated Investors
There is a second-order story here that will matter more than the $4.8 million loss itself.
South Korea's Digital Asset Basic Act is designed to bring corporate treasuries and professional investors onto regulated rails. The framework depends on a simple premise: the state is a competent steward of digital assets and can credibly supervise the stewardship of others. Every news cycle in which a government agency demonstrates it cannot keep a seed phrase off a press release photo erodes that premise.
You can see the contradiction clearly when you line up the calendar. The FSC and Bank of Korea have spent months fighting over whether stablecoin issuers must be majority bank-owned. The proposed 5% corporate allocation rule is being debated in the context of which assets qualify, which custodians are approved, and what reserve ratios apply. Meanwhile, a separate arm of the same government is shipping wallets to court with the combination written on the outside of the briefcase.
For the institutional investors the Digital Asset Basic Act is trying to attract, the signal is clear: regulated on-chain rails are coming, but the regulators themselves still need to ingest the last decade of self-custody lessons. That delta will take time to close.
Operational Lessons Every Builder Should Copy
For protocol teams, custodial exchanges, and anyone else who might one day interact with law-enforcement custody — either to recover stolen funds or to respond to a legitimate seizure — the Korean incident is a case study worth memorizing.
- Treat any key as compromised the moment it leaves your operational boundary. The NTS's second loss was entirely preventable. Upon taking custody of a hardware wallet, the correct move is to sweep the balance immediately to a freshly generated address whose key lives in the agency's own custody system, funding the gas from an agency account where the chain requires it. The seized wallet should never be used again, exposed seed or not: the suspect, and anyone the suspect shared the backup with, still knows the seed.
- Assume seed phrases leak and design for that assumption. Passphrase-protected "hidden" wallets (often called the 25th word) are cheap to implement: the same mnemonic with a different passphrase derives an unrelated set of keys, so a leaked mnemonic alone opens only an empty decoy. The passphrase must be strong and stored apart from the mnemonic, since a short one can be brute-forced offline against the leaked words, and it is no substitute for moving funds once the mnemonic is known. Duress wallets go a step further for physical-threat scenarios.
- Separate evidence photography from key material. Hardware wallets can be photographed without their backup cards. Backup cards can be logged by serial number or by a salted hash commitment to their contents, which lets the card be verified later without ever writing the words into a record. Standard evidence workflows already do this for things like unique identifiers on firearms; crypto deserves the same discipline.
- Log everything in multi-party systems. Multi-sig or MPC architectures require a quorum of signers, so at least two humans must approve a withdrawal, which is the single highest-ROI defense against insiders and single-point errors alike.
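The two lessons above about passphrases and about logging backup cards are both cheap to show concretely. The following is an added example written for this page, not code from the NTS or any custody vendor: it derives a BIP39 seed from a mnemonic with and without a passphrase (PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" plus the passphrase, as the standard specifies), feeds each seed into the BIP32 master-key step, and shows that the leaked words alone land on a different key than the passphrased wallet. It then builds a salted SHA-256 commitment to a backup card that can sit in an evidence log or a photo caption without revealing the words. The mnemonic is the public BIP39 reference test vector, not anything from the incident; the passphrase string and the function names are assumptions of this example.

```python
"""Added example (not from the original article or the NTS): why a BIP39
passphrase changes the derived key, and how to log a backup card without
recording its words. Standard library only.
"""
import hashlib
import hmac
import secrets
import unicodedata
from typing import Optional, Tuple

# Constructed sample input: the public BIP39 test-vector mnemonic (all-zero
# entropy). It is a published test value, not a wallet from the incident.
SAMPLE_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                   "abandon abandon abandon abandon abandon about")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase.

    Both inputs are NFKD-normalised as the spec requires. The passphrase is the
    so-called 25th word: an empty string reproduces the "standard" wallet, any
    other string yields an unrelated 64-byte seed.
    """
    m = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", m, salt, 2048, dklen=64)


def bip32_master_key(seed: bytes) -> Tuple[bytes, bytes]:
    """BIP32 master node: HMAC-SHA512(key=b"Bitcoin seed", msg=seed) -> (k, chain_code)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def evidence_commitment(words: str, nonce: Optional[bytes] = None) -> Tuple[str, bytes]:
    """Salted SHA-256 commitment to a backup card's contents.

    The hex digest can go in the evidence log; the nonce stays with the sealed
    card. Neither reveals the words, and the card can later be checked against
    the log with verify_commitment(). Whitespace and case are canonicalised so a
    re-transcribed card still matches.
    """
    nonce = nonce if nonce is not None else secrets.token_bytes(16)
    canonical = " ".join(unicodedata.normalize("NFKD", words).lower().split())
    digest = hashlib.sha256(nonce + canonical.encode("utf-8")).hexdigest()
    return digest, nonce


def verify_commitment(words: str, nonce: bytes, logged_digest: str) -> bool:
    """Constant-time check that a produced card matches the logged commitment."""
    digest, _ = evidence_commitment(words, nonce)
    return hmac.compare_digest(digest, logged_digest)


if __name__ == "__main__":
    plain = bip39_seed(SAMPLE_MNEMONIC)
    # Hypothetical passphrase chosen for this example.
    hidden = bip39_seed(SAMPLE_MNEMONIC, "correct horse battery staple")
    print("seed, leaked words only :", plain.hex()[:32], "...")
    print("seed, with passphrase   :", hidden.hex()[:32], "...")
    print("same master key?        :",
          bip32_master_key(plain)[0] == bip32_master_key(hidden)[0])

    digest, nonce = evidence_commitment(SAMPLE_MNEMONIC)
    print("evidence log entry      :", digest)
    print("genuine card verifies   :", verify_commitment(SAMPLE_MNEMONIC, nonce, digest))
    swapped = SAMPLE_MNEMONIC.replace("about", "zoo")
    print("altered card verifies   :", verify_commitment(swapped, nonce, digest))
```

Two design points worth noting. PBKDF2 at 2048 rounds is fast, which is exactly why a short passphrase can be guessed offline once the mnemonic is public; the passphrase has to carry real entropy on its own. And the commitment uses a per-card random nonce so that two cards holding the same words do not produce the same log entry, and so nobody can confirm a guessed mnemonic against the log without the nonce that stays sealed with the physical card.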
BlockEden.xyz operates enterprise-grade RPC and indexing infrastructure across 20+ chains, including the on-chain data pipelines used by compliance and forensics teams. If you are building custody, monitoring, or recovery tooling for institutional or government clients, explore our API marketplace for reliable multi-chain data that holds up under audit.
What Comes Next
South Korea's tax office will emerge from this embarrassment with a better playbook. So, probably, will the NTS's peers in other jurisdictions that watched the story unfold in real time. Expect quiet procurement announcements over the next year as national tax agencies, police services, and prosecutors onboard qualified custodians and MPC platforms rather than handling hardware wallets themselves.
But the deeper story is that the era of governments as passive observers of crypto is ending. They are becoming active custodians, auction houses, and, increasingly, regulators of the same infrastructure their own agencies use. Every public mistake like the Ledger photograph exposes the gap between public-sector operational maturity and the standards the private sector has been iterating on since 2013, and adds pressure to close it.
The $4.8 million PRTG loss will not be the last example. It will, with any luck, be among the most instructive.
Sources
- South Korea probes $4.8 million crypto theft after tax seizure photo blunder — CoinDesk
- South Korea tax service reveals crypto wallet recovery phrase in press release — The Block
- S.Korea's Tax Agency Leaked Crypto Master Key — and Got Robbed Twice — BeInCrypto
- South Korea Tax Office Eyes Private Custody After Seized Crypto Loss — Cointelegraph
- Clueless cops post seized crypto wallet password. $5M quickly stolen — Ars Technica
- Germany Sold 50,000 Bitcoin Seized from Movie2K for $2.88 Billion — The Defiant
- U.S. Marshals Service, Managing Billions of Seized Assets, Can't Say How Much Crypto It Holds — CoinDesk
- South Korea proposes comprehensive digital asset law — CoinDesk
- Digital Asset Security Platforms Compared — Ridgeway Financial Services