Originally reported by Schneier on Security
TL;DR
South Korea's National Tax Service inadvertently exposed cryptocurrency wallet recovery phrases in press release photos, allowing an unknown actor to steal $4.4 million in seized digital assets within hours of publication.
While the financial loss is significant, this was an operational security failure, not a software vulnerability or an active threat campaign: the keys were not broken or stolen from a device, they were published. The impact is confined to this one seizure.
South Korea's National Tax Service suffered a catastrophic operational security failure when announcing a successful cryptocurrency seizure operation, inadvertently exposing wallet recovery phrases that enabled the theft of $4.4 million in digital assets.
The incident occurred during a press announcement celebrating raids against 124 high-value tax evaders, which resulted in the confiscation of digital assets worth 8.1 billion won (approximately $5.6 million). The seized funds were held in Ledger hardware wallets, cold-storage devices whose whole purpose is to keep private keys off network-connected computers.
When releasing photos to document the operation's success, the tax service included an image showing a Ledger device alongside a handwritten note containing the wallet's mnemonic recovery phrase. These 12- to 24-word phrases (BIP-39 mnemonics; Ledger devices use 24 words) are the master secret of the wallet: every private key the device holds is derived deterministically from the phrase, so anyone who has the words can restore the complete wallet on any compatible device or software and spend from it. Physical custody of the hardware wallet offers no protection once the phrase is known.
The agency did not redact the note before publishing the photograph, effectively broadcasting the seed from which all of the wallet's private keys are derived.
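To make concrete why a photographed phrase is equivalent to handing over the keys, the following added example (not code from the original report, nor from the National Tax Service or Ledger) walks the standard derivation: BIP-39 turns the words into a 64-byte seed with PBKDF2-HMAC-SHA512, and BIP-32 turns that seed into the master private key and chain code from which every address is derived. It uses only the Python standard library and the public BIP-39 specification test vector as its mnemonic; no wallet from the incident is involved. It also shows the one secret a photo of the phrase does not reveal, the optional BIP-39 passphrase (often described as a "25th word"), which produces an entirely different wallet from the same words.

```python
"""Why a leaked recovery phrase is game over: BIP-39 seed -> BIP-32 master key.

Added example, not code from the original report. Standard library only.
The mnemonic below is the public BIP-39 specification test vector, used here
as constructed input; it is not a wallet from the incident.
"""
import hashlib
import hmac
import unicodedata

# Public BIP-39 test vector (all-zero entropy). Constructed input for this example.
TEST_MNEMONIC = (
    "abandon abandon abandon abandon abandon abandon "
    "abandon abandon abandon abandon abandon about"
)
# Seed published in the BIP-39 spec for TEST_MNEMONIC with passphrase "TREZOR".
EXPECTED_SEED_TREZOR = (
    "c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
    "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04"
)


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39: PBKDF2-HMAC-SHA512, 2048 rounds, salt = 'mnemonic' + passphrase."""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode(), salt.encode(), 2048, dklen=64)


def seed_to_master_key(seed: bytes) -> tuple[bytes, bytes]:
    """BIP-32: HMAC-SHA512 keyed with b'Bitcoin seed'.

    Left 32 bytes are the master private key, right 32 bytes the chain code.
    Every child key in the wallet is derived from this pair.
    """
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def restore_wallet(mnemonic: str, passphrase: str = "") -> dict:
    """What any device does with a phrase typed into it: rebuild the master secret."""
    seed = mnemonic_to_seed(mnemonic, passphrase)
    master_key, chain_code = seed_to_master_key(seed)
    return {
        "seed": seed.hex(),
        "master_private_key": master_key.hex(),
        "chain_code": chain_code.hex(),
    }


def same_wallet(a: dict, b: dict) -> bool:
    """Two restorations control the same funds iff master key and chain code match."""
    return (
        a["master_private_key"] == b["master_private_key"]
        and a["chain_code"] == b["chain_code"]
    )


if __name__ == "__main__":
    agency = restore_wallet(TEST_MNEMONIC)    # the seized Ledger, initialised from the phrase
    attacker = restore_wallet(TEST_MNEMONIC)  # anyone who read the words off the photo
    print("attacker controls the same keys:", same_wallet(agency, attacker))

    # The optional passphrase is never written on the recovery card, so a photo of
    # the card does not reveal it. With one set, the same 24 words open a different wallet.
    protected = restore_wallet(TEST_MNEMONIC, "TREZOR")
    print("passphrase-protected wallet matches:", same_wallet(agency, protected))
```

Run it as-is: the first line prints `True` (the photographed words fully determine the keys) and the second prints `False`. The passphrase is not a substitute for redacting photographs, but it is the one custody control that would have made this particular disclosure survivable, and it is worth considering in any evidence-handling procedure for seized hardware wallets.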
According to blockchain analysis, an unknown actor moved quickly to use the exposed phrase. Shortly after the press release was published, 4 million Pre-Retogeum (PRTG) tokens, variously valued in the reporting at $4.4 million and $4.8 million, were transferred from the confiscated wallet to a new address under the attacker's control.
The speed of the theft suggests that someone was watching for exactly this kind of disclosure, whether through automated monitoring of government announcements or by hand. No exploitation in the usual sense was required: a recovery phrase only needs to be typed into a wallet.
This incident highlights a gap in digital asset handling procedures within law enforcement agencies. Unlike traditional seized assets, cryptocurrency wallets require operational security controls built around a single fact: whoever knows the recovery phrase controls the funds, regardless of who holds the device.
The case demonstrates the need for training in cryptocurrency security fundamentals for agencies increasingly dealing with digital asset seizures. Evidence handling procedures developed for physical assets, where photographing an item is harmless, fail when applied to cryptographic secrets, where information disclosure equals asset loss.