A public press release intended to highlight a tax enforcement victory instead exposed millions in confiscated cryptocurrency.
South Korea’s National Tax Service (NTS) inadvertently revealed the mnemonic seed phrase of a seized Ledger hardware wallet, enabling an unknown actor to transfer approximately $4.8 million in digital assets.
“The thief first deposited a small amount of Ethereum (ETH) into the wallet to be used as a transaction fee (gas fee) to withdraw the tokens, and then showed meticulousness by withdrawing 4 million PRTG tokens to his own wallet in three stages,” reported South Korean Maeil Business Newspaper.
How a Seed Phrase Exposure Led to $4.8M Theft
The stolen funds were part of a broader enforcement campaign targeting 124 high-value tax evaders, during which South Korea’s National Tax Service (NTS) confiscated digital assets valued at approximately 8.1 billion won (about $5.6 million USD).
To publicize the success of the operation, the agency released photographs of the seized Ledger hardware wallet.
However, the images also included a handwritten mnemonic recovery phrase — the cryptographic master key that provides complete access to a cryptocurrency wallet.
Hardware wallets such as Ledger devices are designed to secure private keys offline, protecting them from remote compromise.
Their security, however, ultimately depends on the confidentiality of the recovery phrase, typically a 12-word or 24-word mnemonic generated during wallet setup.
This phrase functions as the root of trust: anyone who possesses it can restore the wallet on another compatible device and transfer the funds without needing the original hardware wallet, PIN, or owner authorization.
In this case, the publicly shared images reportedly exposed that recovery phrase.
Shortly after the press release was published, blockchain data showed that 4 million Pre-Retogeum (PRTG) tokens — valued at roughly $4.8 million USD at the time — were transferred out of the seized wallet to a new address.
On-chain analysis indicated that the attacker first deposited a small amount of Ethereum (ETH) to cover transaction fees and then moved the tokens in three separate transactions. The press release has since been removed from the NTS website.
Professor Cho Jae-woo of Hansung University, who reviewed the transaction activity, compared the mistake to “leaving a wallet open and advertising it to the entire nation.”
He attributed the loss to a lack of understanding of virtual asset security, noting that blockchain transactions are irreversible once confirmed.
When valid credentials — such as a recovery phrase — are used to authorize a transfer, there is no built-in mechanism to reverse or freeze the movement of funds, absent complex coordination with exchanges and law enforcement.
Strengthening Cryptocurrency Custody Practices
As cryptocurrency adoption grows, so does the risk associated with mismanaging private keys and seed phrases.
Unlike traditional financial systems, there is no central authority to reverse a mistaken or unauthorized blockchain transaction.
Both organizations and individual holders must apply disciplined security controls to protect digital assets and reduce the likelihood of irreversible loss.
For Organizations Handling Cryptocurrency Assets
Organizations that seize, manage, or store digital assets should implement layered technical and procedural controls to reduce the risk of seed phrase exposure and operational errors.
- Treat seed phrases and private key material as highly sensitive credentials by enforcing strict redaction, media review, and publication controls before releasing any images or documentation.
- Adopt multi-signature wallets, institutional custody solutions, or secret-sharing schemes to eliminate single points of failure in asset control.
- Store recovery phrases in physically secure, access-controlled environments with dual-control procedures and documented access logs.
- Implement real-time blockchain monitoring and alerting to detect unauthorized transfers and enable rapid response.
- Require phishing-resistant multi-factor authentication and least-privilege access for personnel involved in crypto custody operations.
- Continuously validate custody procedures and test incident response plans through tabletop exercises that simulate seed exposure and emergency wallet migration scenarios.
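As an illustration of the monitoring control above (an added example, not code from the NTS or from this article's sources), the sketch below flags the sequence reported in this incident: an unexpected gas-sized ETH deposit into a custody wallet, followed by withdrawals to an unapproved address. All addresses, the threshold, and the per-transaction amounts are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed placeholders, not real addresses or transactions.
CUSTODY_WALLETS = {"0xCUSTODY_SEIZED_01"}
APPROVED_COUNTERPARTIES = {"0xAGENCY_TREASURY"}
GAS_TOPUP_MAX_ETH = 0.05  # assumed threshold for a "gas-sized" deposit


@dataclass(frozen=True)
class Transfer:
    ts: int        # unix seconds
    asset: str     # "ETH" or a token symbol
    src: str
    dst: str
    amount: float


def evaluate(transfers):
    """Return (ts, severity, reason) alerts for activity on custody wallets."""
    alerts, primed = [], set()
    for t in sorted(transfers, key=lambda x: x.ts):
        inbound = t.dst in CUSTODY_WALLETS and t.src not in APPROVED_COUNTERPARTIES
        outbound = t.src in CUSTODY_WALLETS and t.dst not in APPROVED_COUNTERPARTIES
        if inbound and t.asset == "ETH" and t.amount <= GAS_TOPUP_MAX_ETH:
            # A cold wallet has no reason to receive fee money from a stranger:
            # someone may be preparing to sign transactions from it.
            primed.add(t.dst)
            alerts.append((t.ts, "WARN", f"unexpected gas-sized deposit into {t.dst}"))
        elif outbound:
            note = " after gas top-up" if t.src in primed else ""
            alerts.append((t.ts, "CRITICAL",
                           f"{t.amount:,.0f} {t.asset} left {t.src} for unapproved {t.dst}{note}"))
    return alerts


# Constructed sample: one gas deposit, three token withdrawals (the split is
# invented; the article gives only the 4 million total), one approved move.
SAMPLE = [
    Transfer(1000, "ETH", "0xUNKNOWN_A", "0xCUSTODY_SEIZED_01", 0.01),
    Transfer(1060, "PRTG", "0xCUSTODY_SEIZED_01", "0xUNKNOWN_A", 1_000_000),
    Transfer(1120, "PRTG", "0xCUSTODY_SEIZED_01", "0xUNKNOWN_A", 1_500_000),
    Transfer(1180, "PRTG", "0xCUSTODY_SEIZED_01", "0xUNKNOWN_A", 1_500_000),
    Transfer(1240, "ETH", "0xCUSTODY_SEIZED_01", "0xAGENCY_TREASURY", 0.002),
]

if __name__ == "__main__":
    for ts, severity, reason in evaluate(SAMPLE):
        print(ts, severity, reason)
```

The gas deposit is the earliest signal available: it arrives before any asset leaves, which is the window in which an emergency migration to a new wallet can still succeed.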
For Individual Cryptocurrency Holders
Individual wallet owners should apply basic but disciplined security practices to prevent irreversible loss of funds.
- Never photograph, digitize, email, or store seed phrases in cloud storage or messaging applications.
- Store recovery phrases offline in a secure physical location and consider using an optional passphrase for additional protection.
- Immediately transfer funds to a newly generated wallet if a seed phrase is exposed, as PIN or password changes do not mitigate compromise.
- Avoid using single-device or single-location storage for significant holdings and consider multi-signature setups for larger balances.
Because blockchain transactions cannot be undone, disciplined key management and layered controls are essential to protecting cryptocurrency assets from irreversible loss.
The NTS incident highlights that in cryptocurrency operations, security depends as much on process as on technology.
Hardware wallets provide strong protection, but that protection fails if recovery phrases are exposed.
This reality is prompting organizations to adopt zero trust principles that assume exposure is possible and require continuous verification and strict access controls around sensitive assets.
