South Korea's National Tax Service published photos of a seized Ledger hardware wallet with the handwritten mnemonic recovery phrase visible in the image. Someone immediately transferred $4.8 million in cryptocurrency out of the wallet. The funds are gone. The tax agency raided 124 high-value tax evaders and confiscated digital assets worth 8.1 billion won, approximately $5.6 million. When announcing the operation's success, the agency released photos of a Ledger device showing a handwritten note of the wallet recovery phrase. The recovery phrase is the master key that allows restoring assets to another device. The authorities failed to redact the phrase. Anyone could transfer the assets.
Shortly after the press release was published, 4 million Pre-Retogeum tokens worth approximately $4.8 million were transferred out of the confiscated wallet to a new address. On-chain data analysis shows the attacker first deposited a small amount of Ethereum into the wallet to pay transaction fees, then transferred the 4 million PRTG tokens to their own wallet in three separate transactions. Blockchain data analysis expert Cho Jae-woo, a professor at Hansung University in Seoul, compared the blunder to leaving a wallet open and advertising it to the entire nation for people to take the money. The professor attributed the mistake to the tax authorities' "lack of basic understanding of virtual assets." The error cost the national treasury tens of billions of won that had been successfully confiscated.
The press release has been removed from the NTS website. It is unclear if authorities started an investigation to determine where the stolen funds ended up. The seed phrase gives complete access to a hardware wallet without any additional protections. Anyone who has it can recreate the wallet anywhere without the device, PIN, or permission. A government agency confiscated cryptocurrency from tax evaders, announced the seizure publicly, and published the master key that gives anyone complete access to the funds. Someone used that key to steal $4.8 million. The government lost nearly the entire seizure because they photographed and published the recovery phrase.
This is not a sophisticated attack. The attacker saw the published photo, typed the recovery phrase into their own device, and transferred the funds. The theft required no hacking, no exploits, no social engineering. The government handed over the keys in a press release. The National Tax Service conducted raids, seized digital assets, and successfully confiscated 8.1 billion won from tax evaders. Then they destroyed their own operation by publishing the recovery phrase that gives unrestricted access to the wallet. The funds were secured in a hardware wallet specifically designed to protect against unauthorized access. The government bypassed all of those protections by publishing the master key.
Hardware wallets use recovery phrases as backup mechanisms. If you lose your device, the recovery phrase restores your wallet. If someone else gets your recovery phrase, they restore your wallet on their device and take everything. There are no additional authentication steps. The phrase is complete access. The tax agency treated the recovery phrase like a detail in a crime scene photo instead of the cryptographic key to millions of dollars. They redacted nothing. They published high-resolution images showing the entire phrase clearly readable. This level of operational failure demonstrates complete ignorance of how cryptocurrency custody works.
Cho Jae-woo's assessment is correct. The tax authorities lack basic understanding of virtual assets. They seized cryptocurrency without understanding that the recovery phrase is not documentation of the seizure. Losing the phrase means losing the funds. Publishing the phrase means giving the funds to whoever reads it first. The attacker acted within minutes of the press release. They deposited ETH for transaction fees and moved the PRTG tokens in three transactions. The entire theft took less time than it would take the tax agency to realize their mistake. By the time the press release was removed, the funds were gone.
There is no recovery mechanism. Cryptocurrency transactions are irreversible. The funds went to an address controlled by whoever saw the photo first and understood what they were looking at. The tax agency cannot reverse the transaction, freeze the funds, or recover the assets. They confiscated $5.6 million and immediately lost $4.8 million by publishing the keys in a press release. Government agencies operate with no understanding of the systems they regulate and confiscate. The National Tax Service proved they can successfully raid tax evaders and seize cryptocurrency. They also proved they have no idea how to secure what they seize. The result is a nearly complete loss of confiscated assets handed directly to an opportunistic thief through gross operational incompetence.
FAQ
What did South Korean police publish?
South Korea's National Tax Service published high-resolution photos of a seized Ledger hardware wallet showing a handwritten recovery phrase in a press release announcing successful raids on tax evaders. The recovery phrase is the master key to the wallet.
How much was stolen?
Someone transferred 4 million Pre-Retogeum tokens worth approximately $4.8 million out of the confiscated wallet shortly after the press release was published. The tax agency had confiscated approximately $5.6 million total.
How did the theft happen?
The attacker saw the published photo, typed the recovery phrase into their own device, deposited ETH for transaction fees, and transferred the PRTG tokens in three separate transactions. No hacking or exploits were required.
Can the funds be recovered?
No. Cryptocurrency transactions are irreversible. The funds went to an address controlled by whoever saw the photo first. The tax agency cannot reverse the transaction, freeze the funds, or recover the assets.
What is a recovery phrase?
A recovery phrase is the master key for a cryptocurrency hardware wallet. Anyone with the phrase can restore the wallet on any device without needing the physical hardware, PIN, or any additional authentication. The phrase is complete access to all funds.
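Why the phrase alone is enough, as an added example that is not part of the original article: it assumes the standard BIP-39 and BIP-32 derivation that Ledger devices implement, and the sample phrase is the public BIP-39 test-vector mnemonic, not a real wallet. The function names are illustrative.

```python
import hashlib
import hmac
import unicodedata

# Constructed sample: the public BIP-39 test-vector phrase, holds no funds.
SAMPLE_PHRASE = ("abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt 'mnemonic' + passphrase."""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode(), salt.encode(), 2048, dklen=64)


def bip32_master(seed: bytes) -> tuple[bytes, bytes]:
    """BIP-32 master private key and chain code: HMAC-SHA512 keyed with 'Bitcoin seed'."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def restore(mnemonic: str, passphrase: str = "") -> str:
    """What a wallet computes on 'restore'. The only inputs are the phrase and an
    optional passphrase; no device serial, PIN or server check takes part."""
    key, _chain_code = bip32_master(bip39_seed(mnemonic, passphrase))
    return key.hex()


if __name__ == "__main__":
    seized_device = restore(SAMPLE_PHRASE)
    any_other_device = restore(SAMPLE_PHRASE)
    print("same master key from the phrase alone:", seized_device == any_other_device)
    # Custody note: an optional BIP-39 passphrase stored apart from the written
    # words changes the seed, so the paper note alone no longer opens the wallet.
    with_passphrase = restore(SAMPLE_PHRASE, "constructed-passphrase")
    print("passphrase changes the key:", with_passphrase != seized_device)
```

For evidence handling, this is why a photographed or transcribed phrase has to be treated as the key itself: redacted before publication and stored like key material.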
