South Korea tax agency posted unredacted crypto seed phrase, attacker drained $4.8M

South Korea’s National Tax Service published photos in a press release that showed a Ledger cold wallet and a handwritten recovery mnemonic without redaction, and blockchain records show an attacker used that exposed seed to drain roughly 4,000,000 PRTG tokens worth about 6.4 billion won (roughly $4.8 million).

On-chain explorers show the exposed address received a small deposit of Ethereum to cover gas fees, then three inbound PRTG transfers totaling 4,000,000 tokens and an immediate outbound movement that removed the full balance. Researchers tracing the flows recovered the token count and the pattern of deposits and transfers from public blockchain data. The token is ERC-20 based, meaning the attacker only needed the mnemonic to recreate the wallet, fund it with ETH for gas and move the tokens to another address.

Associate professor Jaewoo Cho of Hansung University’s Blockchain Research Center, who analyzed the flows, noted on X, "We have confirmed that 4 million PRTG tokens, worth approximately $4.8 million, were stolen from the mnemonic that was leaked (disclosed) through a press release from the National Tax Service." In stronger terms another on-campus attribution recorded under a slightly different spelling and title said, "Revealing a critical mnemonic rule in a press release for public viewing is akin to an advertisement inviting people to take your money. The tax authorities’ lack of basic understanding of virtual assets prevented the recovery of billions of won in state funds."

The press release that displayed the images had been intended to publicize the agency’s seizure of cryptocurrencies linked to tax delinquents. The NTS package referenced a wider enforcement action it described as seizing about 8.1 billion won from 124 high-value and habitual tax delinquents; images in the release were labeled and included a handwritten sheet of seed words adjacent to hardware wallets. At least one blockchain analyst said some other exposed mnemonics "do not seem likely to cause any major issues" and argued that because the stolen tokens were hard to cash out the practical damage could be limited.

The theft follows a string of recent custody mishaps by South Korean authorities that have raised alarm among legal and policy observers. Investigations and audits this month uncovered that 22 Bitcoin seized in a 2021 probe vanished from a cold storage device at a Gangnam police vault, and separate episodes involved large Bitcoin returns and questions about exchange accounting. Those incidents have prompted a broader audit of seized assets and fresh scrutiny of how public agencies hold digital property.

Technically straightforward but profoundly consequential, the episode highlights a familiar security rule: a mnemonic printed or photographed in plain view instantly destroys the security of cold storage. The case also exposes gaps in institutional procedures for handling evidence that contain private keys, and it raises immediate questions about chain-of-custody, internal training and oversight.

The NTS had not published a detailed on-the-record response as of the latest blockchain confirmations. Policy makers, prosecutors and police now face pressure to disclose whether any of the stolen tokens can be frozen, whether internal staff will be disciplined, and what reforms will be adopted to prevent future losses of state-held digital assets. For taxpayers and people whose assets may later be seized, the episode is a cautionary signal: without robust custody protocols, public trust and public funds are at risk.