Key Highlights
- The National Tax Service (NTS) accidentally included an unmasked 12-to-24-word mnemonic recovery phrase in a press release photo.
- Approximately 4 million PRTG tokens (worth $4.8 million) were drained from the wallet shortly after the leak.
- This incident has exposed a critical lack of technical literacy within Korean law enforcement.
In what is being described as one of the most avoidable security lapses in the history of South Korean law enforcement, the National Tax Service (NTS) has issued a public apology after a press photograph inadvertently enabled the unauthorized transfer of nearly 7 billion won ($4.8 million) in seized cryptocurrency.
The incident prompted Deputy Prime Minister and Minister of Economy and Finance Koo Yun-cheol to order an immediate audit of all digital assets held by public institutions.
“Following the recent National Tax Service digital asset information leak incident, the government will, in collaboration with relevant agencies such as the Financial Services Commission and the Financial Supervisory Service, conduct an inspection of the current status and management practices of digital assets held and managed by the government and public institutions through seizure and other measures from delinquents, and will promptly develop and implement measures to prevent recurrence, including strengthening digital asset security management,” said Koo Yun-cheol.
Koo also highlighted that the country does not hold cryptocurrencies except for assets acquired during enforcement actions, such as seizures.
The “mnemonic” mistake
The crisis began on Thursday, February 26, when the NTS triumphantly announced the seizure of assets from 124 high-income tax delinquents. Among the haul were four “cold wallets” (offline, USB-like devices) confiscated from a taxpayer’s drawer.
To provide “vivid information” to the public, the NTS attached several high-resolution photos to its press release. One image clearly displayed the hardware device alongside a handwritten sheet of paper containing the mnemonic code, the recovery phrase that lets anyone who holds it restore the wallet on another device, bypassing all physical locks on the hardware.
By Friday, blockchain analysts, including Professor Cho Jae-woo of Hansung University, noticed $4.8 million worth of PRTG (Pre-Retogeum) tokens leaving the seized address. The tokens moved in three distinct transactions between 7:43 p.m. and 8:13 p.m., just hours after the photo went live.
A “curiosity” defense and the investigation
On Saturday, the Korean National Police Agency’s Cyber Terror Response Division received a startling online report. An individual claimed they had seen the exposed code and accessed the wallet “out of curiosity” to see if it would work. The person alleged they had returned the assets the following day, though police are currently verifying transaction records to confirm if the 6.9 billion won has indeed been fully restored to government control.
“We failed to recognize that the original photo contained sensitive virtual asset information,” the NTS stated in a formal apology on Sunday. “This is entirely our fault.”
Poor management
The NTS leak is not an isolated embarrassment; it is the third major failure involving seized cryptocurrency in recent months.
Earlier in February, the operator of “Queenbee Coin” was arrested for stealing 22 Bitcoins (worth about $1.5 million) that were supposedly under the custody of the Seoul Gangnam Police. Because the police allowed the suspect to retain knowledge of the mnemonic code, the operator simply “restored” the wallet on a private device and drained the funds while the physical USB sat in a police evidence locker.
In a separate case involving the Gwangju District Prosecutors’ Office, 320.88 Bitcoins ($21 million) were moved without authorization. Investigators found that staff had accidentally entered the wallet’s credentials into a phishing site while attempting to check the balance.
In both cases, authorities were criticized for a fundamental misunderstanding of blockchain technology: the belief that possessing the physical device constitutes “control” of the assets.
Stung by these failures, the National Police Agency introduced a “Step-by-Step Management System” on February 23. Under the new rules, the government will no longer act as its own bank. Instead, all seized assets will be moved to specialized Virtual Asset Service Providers (VASPs)—third-party custodial firms with institutional-grade security.
As the investigation into the NTS leak continues, the incident serves as a stark reminder that in the world of decentralized finance, a single unmasked photograph can be as costly as leaving a vault door wide open.
