Full Report
An expensive mistake: Someone jumped at the opportunity to steal $4.4 million in crypto assets after South Korea’s National Tax Service publicly exposed the mnemonic recovery phrase of a seized cryptocurrency wallet. The funds were stored in a Ledger cold wallet seized in law enforcement raids on 124 high-value tax evaders that resulted in confiscating digital assets worth 8.1 billion won (currently approximately $5.6 million). When announcing the success of the operation, the agency released photos of a Ledger device, a popular hardware wallet for crypto storage and management...
Analysis Summary
# Incident Report: Unauthorized Transfer of Seized Crypto Assets via Public Disclosure
## Executive Summary
South Korea’s National Tax Service (NTS) inadvertently leaked a 24-word mnemonic recovery phrase for a seized Ledger hardware wallet during a press release. An unknown threat actor utilized this phrase to restore the wallet and exfiltrate approximately $4.4 million (4.8 million PRTG tokens) in confiscated cryptocurrency. The incident highlights a catastrophic failure in Operational Security (OPSEC) and redaction procedures.
## Incident Details
- **Discovery Date:** Approximately March 2026
- **Incident Date:** Shortly after the agency's press announcement (March 2026)
- **Affected Organization:** National Tax Service (NTS)
- **Sector:** Government / Law Enforcement
- **Geography:** South Korea
## Timeline of Events
### Initial Access
- **Date/Time:** March 2026, immediately following the press release.
- **Vector:** Human Error / Public Disclosure (Unredacted imagery).
- **Details:** The NTS published promotional photos of a seized Ledger device. Included in the photo was a handwritten note containing the wallet's mnemonic recovery phrase.
### Lateral Movement
- **N/A:** No network lateral movement was required. The attacker used the recovery phrase to import the private keys into a new wallet interface, bypassing any physical hardware restrictions.
### Data Exfiltration/Impact
- **Loss of Assets:** 4 million Pre-Retogeum (PRTG) tokens were transferred to an unauthorized external address.
- **Valuation:** Approximately $4.8 million (initial report) / $4.4 million (adjusted estimate).
### Detection & Response
- **Detection:** Discovered via blockchain monitoring when the "confiscated" assets moved to an unknown wallet address.
- **Response:** Publicly reported accounts suggest a chaotic sequence in which assets were momentarily returned and then stolen by a subsequent actor, because the exposed recovery phrase remained valid for the wallet.
## Attack Methodology
- **Initial Access:** Plain-text exposure of recovery seed phrase in media materials.
- **Persistence:** Not required; the recovery phrase provides permanent control over the blockchain addresses until the funds are moved.
- **Privilege Escalation:** N/A (The phrase provides "Root" level access to the funds).
- **Defense Evasion:** None; the attacker performed a standard on-chain transaction.
- **Credential Access:** Visual theft of mnemonic phrase from official government photographs.
- **Discovery:** Public domain information monitoring.
- **Lateral Movement:** N/A.
- **Collection:** Importing the seed phrase into a new wallet.
- **Exfiltration:** Standard blockchain transfer to an attacker-controlled address.
- **Impact:** Financial theft and total loss of seized evidence.
## Impact Assessment
- **Financial:** Loss of approximately $4.4M - $4.8M USD in digital assets.
- **Data Breach:** Exposure of the core credential (mnemonic phrase) for the wallet.
- **Operational:** Failure of the tax seizure operation; loss of confiscated assets intended for the state treasury.
- **Reputational:** Significant embarrassment for South Korean law enforcement regarding their technical and operational competency.
## Indicators of Compromise
- **Behavioral indicators:** Unexpected "Outbound" transaction from a state-controlled "cold" wallet address shortly after a public announcement.
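The behavioral indicator above is the one signal a custodian can act on before the funds are gone, so here is how a watch-list monitor would encode it. This is an added example, not code from the report or from the NTS: the addresses, transaction hashes, amounts, timestamps and case identifier are constructed, and the `Transfer` records stand in for what a block explorer API or node RPC would return. Any outbound transfer from a custody address flagged `no-outbound` raises an alert; a transfer that leaves the watch-list within 48 hours of a public announcement is escalated to critical, which is the pattern this report describes.

```python
"""Watch-list monitor for seized ('cold') wallet addresses.

Added example, not part of the original report. Every address, hash,
amount and timestamp below is constructed sample data, and the Transfer
records are a simplified stand-in for what a block explorer API or node
RPC would return.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Transfer:
    tx_hash: str
    timestamp: datetime
    token: str
    sender: str
    recipient: str
    amount: float


# Constructed watch-list: custody addresses whose policy forbids any outbound
# movement until a documented release procedure has been executed.
COLD_WATCHLIST = {
    "0xSEIZED-COLD-0001": {"case": "CASE-ID-PLACEHOLDER", "policy": "no-outbound"},
    "0xSEIZED-COLD-0002": {"case": "CASE-ID-PLACEHOLDER", "policy": "no-outbound"},
}

# Constructed timestamps of public communications (press release, photo
# publication). An outbound transfer shortly after one of these is the
# pattern the report describes, so such alerts are escalated.
ANNOUNCEMENTS = [datetime(2026, 3, 10, 9, 0, tzinfo=timezone.utc)]


def detect_unauthorized_outbound(transfers, watchlist, announcements, window_hours=48):
    """Return one alert per outbound transfer from a no-outbound custody address."""
    alerts = []
    window = timedelta(hours=window_hours)
    for tx in transfers:
        entry = watchlist.get(tx.sender)
        if entry is None or entry["policy"] != "no-outbound":
            continue  # not a watched custody address, or movement is permitted
        # Movement between two watched addresses is still a policy breach, but
        # less alarming than funds leaving custody entirely.
        severity = "medium" if tx.recipient in watchlist else "high"
        recent = [a for a in announcements if timedelta(0) <= tx.timestamp - a <= window]
        if severity == "high" and recent:
            severity = "critical"
        alerts.append({
            "tx_hash": tx.tx_hash,
            "sender": tx.sender,
            "recipient": tx.recipient,
            "token": tx.token,
            "amount": tx.amount,
            "case": entry["case"],
            "severity": severity,
            "following_announcement": max(recent).isoformat() if recent else None,
        })
    return alerts


def run_demo():
    """Constructed stream: seizure deposit, internal move, unrelated transfer, then the sweep."""
    t0 = ANNOUNCEMENTS[0]
    sample = [
        Transfer("0xtx-deposit", t0 - timedelta(days=3), "PRTG",
                 "0xEVADER-WALLET", "0xSEIZED-COLD-0001", 4_000_000),
        Transfer("0xtx-internal", t0 - timedelta(days=1), "PRTG",
                 "0xSEIZED-COLD-0001", "0xSEIZED-COLD-0002", 1_000),
        Transfer("0xtx-unrelated", t0 + timedelta(hours=1), "PRTG",
                 "0xSOMEONE-ELSE", "0xEXCHANGE", 12.5),
        Transfer("0xtx-sweep", t0 + timedelta(hours=20), "PRTG",
                 "0xSEIZED-COLD-0001", "0xUNKNOWN-EXTERNAL", 4_000_000),
    ]
    return detect_unauthorized_outbound(sample, COLD_WATCHLIST, ANNOUNCEMENTS)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The deposit and the unrelated transfer produce nothing; the internal move between two watched addresses is a medium alert; the sweep to an unknown address 20 hours after the announcement is critical. In practice the monitor would be fed by a block subscription and paged on anything above medium, since a cold custody address has no legitimate reason to originate a transaction.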
## Response Actions
- **Containment:** Belated attempts to remove the offending images from the internet/press release.
- **Eradication:** Effectively impossible once the seed phrase was exposed; the only solution was to move remaining funds to a new, secure wallet before others could.
- **Recovery:** Reports indicate high volatility in the wallet as multiple parties attempted to interact with the exposed credentials.
## Lessons Learned
- **Redaction Policy:** Visual media must undergo a multi-step review process to ensure no sensitive background information (Post-it notes, whiteboards, screens) is visible.
- **Asset Handling:** Digital asset recovery phrases should never be stored in close physical proximity to the device, especially during a photoshoot.
- **Cold Storage Misconception:** A "Cold Wallet" is only as secure as its physical backup. If the seed phrase is digitized (via camera), it is no longer cold.
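To make the third lesson concrete: a Ledger device protects the private key, but the 24 words written next to it regenerate that key through a public, deterministic algorithm, so anyone who can read the photo holds the wallet. The following added example (not code from the report or from Ledger) implements the BIP-39 mnemonic-to-seed step with Python's standard library only. The phrase it uses is the published BIP-39 test vector, not the seized wallet's phrase, which the report does not contain; BIP-39 checksum validation and BIP-32 key derivation are left out.

```python
"""From recovery phrase to wallet seed: why a photographed phrase is the wallet.

Added example, not code from the report or from Ledger. It implements the
public BIP-39 mnemonic-to-seed step with the standard library only:
    seed = PBKDF2-HMAC-SHA512(password = NFKD(mnemonic),
                              salt     = "mnemonic" + NFKD(passphrase),
                              2048 iterations, 64 bytes)
The phrase below is the published BIP-39 test vector (all-zero entropy),
standing in for the seized wallet's phrase, which the report does not
contain. Word-list checksum validation and BIP-32 derivation are omitted.
"""
import hashlib
import unicodedata

VALID_WORD_COUNTS = (12, 15, 18, 21, 24)


def normalize_phrase(phrase: str) -> str:
    """Collapse the differences a hand transcription introduces.

    Line breaks, double spaces and capitalisation on a handwritten note do
    not change the phrase: BIP-39 operates on NFKD-normalised, lowercase,
    single-space separated words.
    """
    words = unicodedata.normalize("NFKD", phrase).lower().split()
    if len(words) not in VALID_WORD_COUNTS:
        raise ValueError(f"{len(words)} words; BIP-39 phrases have {VALID_WORD_COUNTS}")
    return " ".join(words)


def mnemonic_to_seed(phrase: str, passphrase: str = "") -> bytes:
    """BIP-39 seed: the only inputs are the words and a fixed, public algorithm."""
    mnemonic = normalize_phrase(phrase).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", mnemonic, salt, 2048, dklen=64)


def same_wallet(phrase_a: str, phrase_b: str) -> bool:
    """True when two renderings of a phrase derive the same seed."""
    return mnemonic_to_seed(phrase_a) == mnemonic_to_seed(phrase_b)


# Published BIP-39 test vector, not a real wallet's phrase.
TEST_VECTOR_PHRASE = "abandon " * 11 + "about"

# Constructed: the same words as they might be read off a photographed note.
TRANSCRIBED_FROM_PHOTO = """
Abandon abandon abandon  abandon
abandon abandon abandon abandon
abandon abandon abandon ABOUT
"""

if __name__ == "__main__":
    print("seed:", mnemonic_to_seed(TEST_VECTOR_PHRASE).hex())
    print("photo transcription yields the same seed:",
          same_wallet(TEST_VECTOR_PHRASE, TRANSCRIBED_FROM_PHOTO))
    print("a BIP-39 passphrase changes the seed:",
          mnemonic_to_seed(TEST_VECTOR_PHRASE) != mnemonic_to_seed(TEST_VECTOR_PHRASE, "example"))
```

The `normalize_phrase` step is why a shaky handwritten transcription is as good as the original: line breaks, spacing and capitalisation do not survive normalization, so the words alone are the credential. The optional BIP-39 passphrase is the one input that is not on the note, and the last line of the demo shows that it yields a different seed; it does not rescue a wallet whose phrase has already been published, but it is the reason the phrase and the passphrase should never sit in the same place.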
## Recommendations
- **OPSEC Training:** Law enforcement personnel handling digital assets must be trained on the sensitivity of mnemonic phrases.
- **Multi-Signature Wallets:** Transition from single-signature hardware wallets to Multi-Sig (2-of-3 or 3-of-5) setups for large institutional holdings to ensure no single leaked phrase can authorize a transfer.
- **Policy Revision:** Prohibit the inclusion of actual seized hardware in public relations photography; use stock imagery or non-functional props instead.
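The multi-signature recommendation rests on a simple property: a threshold policy needs signatures from M distinct key holders, so one exposed recovery phrase yields one signature and nothing moves. The following added example models that policy check; it is not the report's code and not any wallet's implementation. Production multi-sig enforces the threshold in an on-chain script or contract with ECDSA or Schnorr keys; here each co-signer's key is an HMAC-SHA256 secret, a stand-in chosen so the code runs with the standard library only. Signer names, addresses and the transfer are constructed.

```python
"""M-of-N threshold authorisation, as an added example.

Not the report's code and not any real wallet's implementation. Production
multi-signature setups enforce the threshold in an on-chain script or
contract with ECDSA/Schnorr keys; here each co-signer holds an HMAC-SHA256
secret as a stand-in for a private key so the example runs with the
standard library only. What is demonstrated is the policy: one leaked key
(one exposed recovery phrase) produces at most one valid signature, which
a 2-of-3 policy rejects.
"""
import hashlib
import hmac
import json
import secrets


class ThresholdPolicy:
    def __init__(self, signer_keys, threshold):
        if not 1 <= threshold <= len(signer_keys):
            raise ValueError("threshold must be between 1 and the number of co-signers")
        self.keys = dict(signer_keys)  # signer name -> secret (stand-in for a private key)
        self.threshold = threshold

    @staticmethod
    def digest(tx):
        # Canonical encoding: every co-signer must sign exactly the same bytes,
        # and a signature over a different transaction must not verify here.
        encoded = json.dumps(tx, sort_keys=True, separators=(",", ":")).encode("utf-8")
        return hashlib.sha256(encoded).digest()

    def sign(self, signer, tx):
        """Produce (signer, signature) with that signer's key."""
        return signer, hmac.new(self.keys[signer], self.digest(tx), "sha256").digest()

    def authorize(self, tx, signatures):
        """True only if at least `threshold` distinct co-signers validly signed `tx`."""
        msg = self.digest(tx)
        valid_signers = set()
        for signer, sig in signatures:
            key = self.keys.get(signer)
            if key is None:
                continue  # unknown signer
            if hmac.compare_digest(hmac.new(key, msg, "sha256").digest(), sig):
                valid_signers.add(signer)  # a set: the same key presented twice counts once
        return len(valid_signers) >= self.threshold


def run_demo():
    """2-of-3 custody policy with constructed signer names and a constructed transfer."""
    policy = ThresholdPolicy(
        {name: secrets.token_bytes(32) for name in ("custodian_a", "custodian_b", "custodian_c")},
        threshold=2,
    )
    transfer = {"from": "0xSEIZED-COLD-0001", "to": "0xTREASURY-0001",
                "token": "PRTG", "amount": 4_000_000}
    other_tx = {**transfer, "to": "0xOTHER-ADDRESS"}
    leaked = policy.sign("custodian_a", transfer)  # the one key an exposed phrase would yield
    return {
        # one key, used once or replayed, never reaches the threshold
        "single_leaked_key": policy.authorize(transfer, [leaked]),
        "single_key_replayed": policy.authorize(transfer, [leaked, leaked]),
        # a second signature that does not verify under custodian_b's key is ignored
        "invalid_second_signature": policy.authorize(
            transfer, [leaked, ("custodian_b", secrets.token_bytes(32))]),
        # two genuine co-signers approve the documented release
        "two_cosigners": policy.authorize(transfer, [leaked, policy.sign("custodian_b", transfer)]),
        # valid signatures over a different transaction do not carry over to this one
        "signatures_over_other_tx": policy.authorize(
            transfer, [policy.sign("custodian_a", other_tx), policy.sign("custodian_b", other_tx)]),
    }


if __name__ == "__main__":
    for check, approved in run_demo().items():
        print(f"{check}: {'approved' if approved else 'rejected'}")
```

Two details carry the security argument: `valid_signers` is a set, so a single compromised key replayed twice still counts as one signer, and the canonical digest binds each signature to one exact transaction, so approvals collected for a legitimate release cannot be reused for a different destination. A 3-of-5 policy is the same class with `threshold=3`.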