South Korea Probes National Tax Service Seed Phrase Leak in $4.8M Ledger Wallet Heist

South Korea's tax agency accidentally leaked a crypto seed phrase in photos, leading to a $4.8 million theft. One suspect is arrested; a second is at large.

Key Takeaways
  • South Korea’s tax agency exposed a crypto seed phrase in public promotional photos, leading to a massive theft.
  • An unknown actor stole $4.8 million in PRTG tokens within hours of the sensitive information being published.
  • Authorities arrested one suspect who confessed, while a second individual remains at large following the security lapse.

(SOUTH KOREA) — South Korea’s National Tax Service investigated a theft of approximately $4.8 million in cryptocurrency after it accidentally exposed a seed phrase for a seized Ledger hardware wallet in photos it released to publicize a tax enforcement haul.

The disclosure, which drew immediate scrutiny of how the agency handles seized digital assets, followed an NTS campaign targeting 124 habitual tax evaders and a decision to share unredacted images of items it said it had taken.

The NTS published the photos on February 26, 2026, alongside an announcement that it had seized assets worth ₩8.1 billion ($5.6 million), including cash, luxury goods and crypto. In those materials, the images showed a handwritten 12-24 word seed phrase next to the hardware wallet.

Within hours, an unknown actor used the exposed recovery phrase to access the wallet without needing the physical device, then moved the seized tokens out through a small number of transactions. The person first deposited Ethereum (ETH) to cover gas fees and then drained 4 million PRTG tokens in 3-4 transactions, transferring them to another wallet.

The stolen assets were identified as Pre-Retogeum (PRTG) tokens. The NTS opened an investigation and began cooperating with police to recover the assets while it reviewed its internal procedures for virtual asset seizures.

The agency pulled the photos and the press release shortly after the theft. On March 1, 2026, it issued an apology, admitting it acted “carelessly” by not recognizing the sensitivity of the information it had revealed.

In the same apology, the NTS offered its “deepest apologies” for public concern. It also rejected a widely circulated estimate of the loss, saying the loss was “far less,” even as it continued to investigate the theft of approximately $4.8 million in tokens described in the incident.

Important Notice
If you ever handle a hardware wallet during audits, seizures, or evidence collection, treat the seed phrase like a master key: never photograph it, never store it in case files, and immediately redact any accidental exposure before releasing images publicly.

The episode turned a standard tax enforcement announcement into a case study of operational security risk. A seed phrase functions as the master key to a crypto wallet, and disclosing it effectively hands over access credentials.

South Korean tax agencies seize and disclose assets as part of efforts to collect unpaid liabilities, and the NTS framed its February seizure announcement as a showcase of enforcement against habitual evasion. In this case, the photographs meant to demonstrate enforcement appeared to provide the information needed to empty the wallet.

The mechanics were simple rather than technical, based on the account of how the theft occurred. The attacker did not need to compromise networks or install malware, but instead relied on information the NTS itself made public.

The NTS said it would revise its manual for seizing, storing and disposing of virtual assets. The action formed part of its damage control after the photos circulated and the tokens moved.

Police from the National Police Agency began tracking the transfers on the blockchain as part of the investigation. Their work focused on following the transaction trail to identify who accessed the wallet and where the tokens went next.

Investigators made a first arrest quickly. Police arrested the first suspect on March 1, 2026, after the person confessed via South Korea’s official cybercrime reporting portal on February 28.

A second suspect remained at large, police said. Authorities continued to trace transactions and look for additional links, while the tax agency and police coordinated on recovery efforts.

The NTS described the theft as possibly motivated by “curiosity,” a characterization that suggested investigators were weighing motives alongside the transaction trail. Police did not publicly attribute the transfers to a broader hacking campaign in the information provided.

Analyst Note
When dealing with seized or inherited crypto in a tax matter, document chain-of-custody separately from access credentials: keep wallet addresses and transaction records for verification, but store seed phrases offline under controlled access (or use multi-signature) to reduce single-point compromise risk.

Outside government, the incident sparked debate in South Korea’s crypto sector about whether the theft might have been intended to expose weaknesses rather than profit from them. Cho Jae-woo, director of Hansung University’s Blockchain Research Institute, speculated it could be a “white hat hacker” exposing flaws.

The NTS did not frame the case as a cyberattack on its systems in the information available. Instead, the chain of events centered on the public release of the seed phrase and the immediate use of that information to access the wallet.

The government moved to broaden the response beyond the tax agency. Deputy Prime Minister and Minister of Strategy and Finance Koo Yoon-chul announced a government inspection of digital asset management across public institutions and promised quick preventive measures.

That inspection aimed to examine how public bodies handle seized or held virtual assets, a growing issue for authorities as cryptocurrency becomes more common in enforcement actions. The NTS case underscored how custody failures can undermine both security and confidence in tax collection.

South Korea has pursued aggressive enforcement against crypto-related wrongdoing, alongside a wider reporting and oversight framework for transactions. The environment includes laws such as the Act on Reporting and Using Specified Financial Transaction Information.

The NTS incident also revived concerns about recurring weaknesses in how seed phrases and private keys are managed. Officials and experts described it as an operational lapse rather than a sophisticated intrusion, with no evidence of malware or hacks.

A comparable case has surfaced before in South Korea, reinforcing that seed phrase exposure can have lasting consequences. The NTS incident echoed a prior episode in which police lost 22 Bitcoin ($1.5 million) due to an unreported seed phrase compromise.

Such cases highlight that digital assets can be stolen in ways that differ from conventional property seizures. While a seized luxury watch remains in custody if it is locked away, a digital wallet can be emptied instantly if the access phrase becomes known.

Experts have long urged institutions to adopt custody controls that assume insiders and outsiders may see materials tied to access. Those controls typically include air-gapped storage, multi-signature setups, access logging, redaction protocols and staff training, all aimed at preventing single points of failure.

In the NTS case, the single point of failure was the photographed recovery phrase. Once public, it was enough to enable access, leaving investigators to pursue recovery after the fact through blockchain tracing.

The theft also raised practical questions for agencies that seize crypto and then publicize enforcement actions. Public relations material can conflict with custody requirements if it includes identifiable wallet information or recovery credentials.
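A pre-publication check of the kind this conflict calls for, as an added example that is not from the NTS, the police or this article's sources: it scans text already extracted from press photos by OCR and holds back any image containing a run of words shaped like a BIP-39 recovery phrase. The file names, sample text and function names are constructed for illustration, and the OCR step is assumed to happen upstream.

```python
import re

# BIP-39 facts relied on: English wordlist entries are 3-8 lowercase letters,
# and valid mnemonics contain 12, 15, 18, 21 or 24 words.
MIN_WORDS = 12
WORD = re.compile(r"[a-z]{3,8}")
NUMBERING = re.compile(r"\d{1,2}[.):]?")  # "1." / "12)" labels on handwritten cards


def find_mnemonic_like_runs(ocr_text):
    """Return runs of >= MIN_WORDS consecutive tokens shaped like BIP-39 words."""
    runs, current = [], []
    for token in ocr_text.split():
        if NUMBERING.fullmatch(token):
            continue  # list numbering does not interrupt a run
        if WORD.fullmatch(token.lower()):
            current.append(token.lower())
            continue
        # Punctuation, very short or very long words end the run, which is
        # why ordinary captions rarely trigger the check.
        if len(current) >= MIN_WORDS:
            runs.append(current)
        current = []
    if len(current) >= MIN_WORDS:
        runs.append(current)
    return runs


def release_gate(images):
    """images maps file name -> OCR text. Returns the files to hold for redaction."""
    held = {}
    for name, text in images.items():
        runs = find_mnemonic_like_runs(text)
        if runs:
            # Report run lengths only, so the gate's own log never stores the words.
            held[name] = [len(run) for run in runs]
    return held


# Constructed sample input: placeholder tokens, not a real recovery phrase.
_fake_card = " ".join(f"{i}. word{chr(96 + i)}x" for i in range(1, 13))
SAMPLE_OCR = {
    "seizure_cash.jpg": "National Tax Service seized cash and luxury goods "
                        "from 124 delinquent taxpayers.",
    "seizure_wallet.jpg": "Recovery sheet: " + _fake_card,
}

if __name__ == "__main__":
    print(release_gate(SAMPLE_OCR))
```

A shape-based heuristic like this is a backstop for human review, not a replacement: it misses phrases the OCR cannot read and does not verify words against the BIP-39 list.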

The NTS did not describe the internal review in detail in the information provided, but it said it would revise its manual for seizing, storing and disposing of virtual assets. The revision plan came as police pursued the suspects and worked to trace the tokens.

For the National Tax Service, the incident arrived at a moment when agencies worldwide have expanded digital-asset seizures, both for unpaid tax and as proceeds tied to other cases. The South Korean case showed how quickly a misstep can turn seized assets into stolen assets.

The immediate timeline reflected that speed. The NTS made the seizure announcement and released the images on February 26, 2026, the exposed seed phrase provided a direct route into the wallet, and the unknown actor moved the tokens within hours.

Developments then unfolded over the following days, with the confession through the cybercrime reporting portal on February 28, the NTS apology and the arrest of the first suspect on March 1, and continued efforts in early March to trace transactions and locate a second suspect.

The incident also exposed tensions in public communication around the scale of losses. While the NTS investigated the theft of approximately $4.8 million in PRTG tokens described in the episode, it denied the loss reached $5 million, saying the amount was “far less.”

That denial did not resolve public concern about how the seed phrase ended up visible next to the Ledger hardware wallet. For agencies that seize crypto from suspects, the case pointed to the need for photo redaction and tighter handling of any written recovery material.

Law enforcement’s role, meanwhile, reflected the nature of blockchain evidence. Investigators can trace transfers and identify points where suspects may have interacted with systems, including through reporting channels and potential links to wallets used to pay gas fees.

South Korea’s broader enforcement approach has emphasized reporting and oversight frameworks for virtual assets, but the NTS theft showed that custody practices inside government can matter as much as external compliance rules. A single exposed phrase can negate other safeguards.

For taxpayers and the public, the impact of such a loss extends beyond the value of the tokens. Seized assets are meant to support collection and enforcement, and their disappearance can weaken confidence that agencies can safely hold what they take.

The NTS apology acknowledged that public concern directly, saying it acted “carelessly” and offering its “deepest apologies.” With a first suspect arrested and a second still at large, authorities now face a test of whether blockchain tracing and inter-agency coordination can recover what the seed phrase exposure allowed to be taken.

Shashank Singh

As a Breaking News Reporter at VisaVerge.com, Shashank Singh is dedicated to delivering timely and accurate news on the latest developments in immigration and travel. His quick response to emerging stories and ability to present complex information in an understandable format makes him a valuable asset. Shashank's reporting keeps VisaVerge's readers at the forefront of the most current and impactful news in the field.
