Full Report
South Korea's National Tax Service accidentally exposed the mnemonic recovery phrase of a seized cryptocurrency wallet in an official press release, allowing hackers to steal 6.4 billion won ($4.8M) worth in cryptocurrency. [...]
Analysis Summary
# Incident Report: Unauthorized Transfer of Seized Assets via Public Mnemonic Exposure
## Executive Summary
The South Korean National Tax Service (NTS) inadvertently published the mnemonic recovery phrase (seed phrase) of a seized cryptocurrency Ledger cold wallet within an official press release. An unidentified threat actor utilized this master key to drain approximately 4 million Pre-Retogeum (PRTG) tokens, valued at $4.8 million, shortly after the disclosure. This incident represents a significant failure in operational security (OPSEC) and a critical lack of fundamental cryptocurrency knowledge within the seizing agency.
## Incident Details
- **Discovery Date:** February 2026 (not stated explicitly; inferred from the incident date)
- **Incident Date:** February 2026
- **Affected Organization:** National Tax Service (NTS) of South Korea
- **Sector:** Government / Public Sector
- **Geography:** South Korea
## Timeline of Events
### Initial Access
- **Date/Time:** Shortly after the official press release was published.
- **Vector:** Information Disclosure (Publicly available press release).
- **Details:** The NTS released promotional photos of a seized Ledger hardware wallet; however, the background of the image contained a handwritten note displaying the 24-word recovery phrase.
### Lateral Movement
- **N/A:** No network traversal was required; the mnemonic phrase gave the attacker owner-level control of the on-chain assets from any location.
### Data Exfiltration/Impact
- **Step 1:** Attacker deposited a small amount of Ethereum (ETH) into the compromised wallet to cover "gas" (transaction) fees.
- **Step 2:** Attacker initiated three separate transactions to drain 4 million PRTG tokens.
- **Total Loss:** 6.4 billion won (~$4.8M USD).
### Detection & Response
- **Detection:** On-chain data analysis (Etherscan) and monitoring by blockchain experts (Professor Cho Jae-woo).
- **Response actions taken:** The NTS removed the press release from its official website.
## Attack Methodology
- **Initial Access:** Plaintext disclosure of a cryptographic private key/mnemonic phrase in public media.
- **Persistence:** Not required; the mnemonic phrase grants access for as long as any funds remain in the wallets derived from it.
- **Privilege Escalation:** Not required; the mnemonic phrase grants "Root/Owner" equivalent access to the wallet.
- **Defense Evasion:** The drain consisted of ordinary, validly signed transactions, indistinguishable at the protocol level from the legitimate owner's own activity.
- **Credential Access:** Reading the recovery phrase from the handwritten physical backup visible in the published photograph.
- **Discovery:** Public media monitoring.
- **Lateral Movement:** N/A.
- **Collection:** Identifying the specific high-value token (PRTG) within the wallet.
- **Exfiltration:** Transferring assets to an attacker-controlled wallet address.
- **Impact:** Financial theft and permanent loss of seized government assets.
## Impact Assessment
- **Financial:** Loss of $4.8 million USD (6.4 billion won) intended for the national treasury.
- **Data Breach:** Exposure of a master cryptographic key.
- **Operational:** Failure of the asset seizure and recovery process for 124 tax evasion cases.
- **Reputational:** Significant public embarrassment for the NTS; criticized for a "lack of basic understanding" of digital assets.
## Indicators of Compromise
- **Behavioral indicators:** Unexpected ETH deposit into a seized wallet followed by immediate outward transfer of high-value tokens to an unknown third-party address.
- **Network indicators:** Activity recorded on Etherscan involving the transfer of 4 million PRTG tokens.
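The behavioral indicator above can be turned into a watch rule for wallets an agency holds in custody. The following is an added example, not code from the original report: it flags a small inbound ETH deposit to a watched address that is followed within a block window by token transfers out to addresses not on a custody allowlist. All addresses, block numbers and amounts are constructed placeholders.

```python
# Added example (not from the original report): flags the IoC pattern of a small
# inbound ETH gas deposit to a watched seized wallet followed by outbound token
# transfers to addresses outside the custody allowlist. All addresses, block
# numbers and amounts below are constructed placeholders, not real on-chain data.
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    block: int
    sender: str
    recipient: str
    asset: str      # "ETH" for native value, otherwise the token symbol
    amount: float

def detect_drain(events, watched, allowlist, window_blocks=50):
    """Return one alert per gas deposit that is followed, within window_blocks,
    by non-ETH transfers out of `watched` to addresses not in `allowlist`."""
    events = sorted(events, key=lambda e: e.block)
    alerts = []
    for i, e in enumerate(events):
        if not (e.asset == "ETH" and e.recipient == watched):
            continue  # only an inbound gas top-up starts a candidate sequence
        outbound = [f for f in events[i + 1:]
                    if f.sender == watched and f.asset != "ETH"
                    and f.recipient not in allowlist
                    and f.block - e.block <= window_blocks]
        if outbound:
            alerts.append({
                "gas_deposit_block": e.block,
                "gas_from": e.sender,
                "transfers": len(outbound),
                "drained": {a: sum(f.amount for f in outbound if f.asset == a)
                            for a in sorted({f.asset for f in outbound})},
                "destinations": sorted({f.recipient for f in outbound}),
            })
    return alerts

# Constructed sample: an unknown address sends gas, then three PRTG transfers drain the wallet.
SEIZED = "0xSEIZED_WALLET_PLACEHOLDER"
CUSTODY = {"0xGOV_CUSTODY_PLACEHOLDER"}
SAMPLE = [
    Transfer(100, "0xUNKNOWN_A", SEIZED, "ETH", 0.02),
    Transfer(103, SEIZED, "0xUNKNOWN_B", "PRTG", 1_500_000),
    Transfer(104, SEIZED, "0xUNKNOWN_B", "PRTG", 1_500_000),
    Transfer(106, SEIZED, "0xUNKNOWN_C", "PRTG", 1_000_000),
]

if __name__ == "__main__":
    for alert in detect_drain(SAMPLE, SEIZED, CUSTODY):
        print(alert)
```

A transfer to an allowlisted custody address inside the window is deliberately not an alert, so a planned move to institutional custody does not trigger the rule.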
## Response Actions
- **Containment:** Removal of the offending press images and press release from the NTS website (hxxps[://]in[.]nts[.]go[.]kr).
- **Eradication:** N/A (Blockchain transactions are irreversible).
- **Recovery:** Unclear; investigation into the destination wallet addresses is pending.
## Lessons Learned
- **Redaction Failures:** Physical items in photos (notes, whiteboards, stickers) must be audited as strictly as digital text.
- **Knowledge Gap:** Personnel handling digital assets lacked the fundamental understanding that a mnemonic phrase is the equivalent of a liquid asset, not just a "password" for a local device.
- **Storage Security:** Mnemonic phrases should never be stored in close proximity to the hardware device they protect.
## Recommendations
- **OPSEC Training:** Mandatory training for law enforcement and tax officials on the "Master Key" nature of mnemonic phrases.
- **Multi-Signature Wallets:** Transition from single-signature hardware wallets (Ledger) to Multi-Signature (Multi-sig) setups for government-seized assets, requiring multiple officials to approve any transfer.
- **Digital Asset Custody Standards:** Implement strict protocols for the capture of digital assets, including the immediate transfer of funds to a secure, government-controlled institutional custody solution rather than keeping them on the original seized hardware.
- **Media Review Policy:** Establish a mandatory "Technical Review" of all PR materials to ensure no sensitive technical data or credentials are visible in marketing photography.