
South Korean National Tax Service Exposes Ledger Wallet Seed, Leading to $4.8M PRTG Token Theft


Executive Summary

On February 26, 2026, South Korea’s National Tax Service (NTS) inadvertently exposed the mnemonic (seed) phrase of a seized Ledger hardware wallet in an official press release, resulting in the immediate theft of approximately $4.8 million in Pre-Retogeum (PRTG) tokens. The seed phrase, visible in photographs published online, enabled an unknown actor to gain full control of the wallet and transfer all assets out in a series of transactions. This incident highlights a critical operational security failure in the handling of digital assets by a government agency, with significant implications for public trust and the need for specialized protocols in crypto asset custody. All information in this summary is directly supported by primary sources and verified on-chain data.

Technical Information

The incident originated from a press release published by the National Tax Service (NTS) on February 26, 2026, which included unredacted photographs of seized assets from a tax enforcement operation. Among these assets was a Ledger cold wallet and a handwritten note displaying the wallet’s full mnemonic (seed) phrase. A mnemonic phrase is a sequence of words that serves as the cryptographic root for generating all private keys and addresses in a cryptocurrency wallet. Possession of this phrase grants complete and irreversible access to all assets stored in the wallet, regardless of any device-level security or PIN protection (BleepingComputer, Feb 28, 2026; TradingView/Cointelegraph, Feb 2026; Web3IsGoingGreat, Feb 26, 2026).
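To make the point about the mnemonic concrete, the following is an added example (not code from the original post, from Rescana, or from the sources cited): it derives the BIP-39 seed from a mnemonic phrase with only Python's standard library. The reference phrase and expected seed are the first English test vector published with the BIP-39 specification, not anything from the incident; note that no device, PIN or firmware state enters the computation.

```python
import hashlib
import unicodedata

# BIP-39 parameters from the public specification: PBKDF2-HMAC-SHA512,
# 2048 rounds, salt "mnemonic" + optional passphrase, 64-byte output.
PBKDF2_ROUNDS = 2048
SEED_LEN = 64

# First English test vector published with BIP-39 (12 words, passphrase "TREZOR").
REFERENCE_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])
REFERENCE_PASSPHRASE = "TREZOR"
REFERENCE_SEED_HEX = ("c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
                      "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04")


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 512-bit BIP-39 seed that every compatible wallet generates
    from the words. Inputs are NFKD-normalised and whitespace-collapsed as the
    spec requires. Nothing device-specific (hardware wallet PIN, firmware,
    secure element) is an input, which is why the written words alone suffice."""
    words = " ".join(unicodedata.normalize("NFKD", mnemonic).split())
    salt = "mnemonic" + unicodedata.normalize("NFKD", passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode(), salt.encode(),
                               PBKDF2_ROUNDS, dklen=SEED_LEN)


def check_reference_vector() -> bool:
    """Self-check of the derivation against the published test vector."""
    seed = mnemonic_to_seed(REFERENCE_MNEMONIC, REFERENCE_PASSPHRASE)
    return seed.hex() == REFERENCE_SEED_HEX


if __name__ == "__main__":
    print("reference vector ok:", check_reference_vector())
    # Same words, no passphrase: a different seed, but still determined entirely
    # by the words, so keeping the words out of any photograph is the control.
    print(mnemonic_to_seed(REFERENCE_MNEMONIC).hex()[:16], "...")
```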

Shortly after the press release was made public, blockchain monitoring revealed that an unknown actor deposited a small amount of Ethereum (ETH) into the exposed wallet. This deposit was necessary to pay for transaction (gas) fees on the Ethereum network. The attacker then executed three transactions, transferring a total of 4 million PRTG tokens (valued at approximately $4.8 million at the time) from the compromised wallet to a new address under their control. On-chain data from Etherscan and analysis by blockchain researchers, including Professor Jaewoo Cho of Hansung University, confirm the sequence and timing of these transactions (BleepingComputer; TradingView/Cointelegraph).

The technical attack vector was not a software or hardware vulnerability, but rather a failure in operational security. The exposure of the mnemonic phrase in a public forum is analogous to publishing the master password for a bank account. The attacker did not require malware, exploits, or advanced tools; standard wallet software such as Ledger Live or MetaMask could be used to import the seed phrase and access the wallet. The MITRE ATT&CK framework maps this incident to several techniques: T1552.001 (Unsecured Credentials: Credentials in Files), as the seed phrase was exposed in a photograph; T1078 (Valid Accounts), since the attacker used legitimate credentials; and T1106 (Native API), as standard blockchain APIs were used to execute the theft (MITRE ATT&CK T1552.001; MITRE ATT&CK T1078; MITRE ATT&CK T1106).

No malware or custom tools were identified in this incident. The entire theft was enabled by the public exposure of the seed phrase and executed using standard, widely available wallet software. There is no evidence of privilege escalation, persistence mechanisms, or defense evasion, as the attacker had full access from the outset.

Attribution remains unknown. The theft could have been perpetrated by any individual with access to the press release and basic knowledge of cryptocurrency wallets. The speed of the theft suggests that actors are actively monitoring public sources for such exposures, but there are no technical indicators linking the incident to any specific threat group or advanced persistent threat (APT).

This incident is not isolated. In a separate but related case, Korean police discovered that 22 Bitcoin (BTC) seized in a 2021 hacking investigation had vanished from a cold wallet stored in a police vault, again due to mishandling of mnemonic phrases (TradingView/Cointelegraph). These cases underscore a systemic lack of digital asset custody expertise within government and law enforcement agencies.

Affected Versions & Timeline

The affected product in this incident was a Ledger hardware wallet, specifically a cold wallet seized by the National Tax Service during enforcement actions against tax evaders. The vulnerability was not in the hardware or software itself, but in the operational handling of the wallet’s mnemonic phrase.

The timeline of events is as follows: On February 26, 2026, the NTS published a press release with unredacted photos of the wallet and seed phrase (Web3IsGoingGreat; BleepingComputer). Within hours, an attacker deposited ETH to the wallet and transferred out all 4 million PRTG tokens in three transactions (BleepingComputer; TradingView/Cointelegraph). The press release was subsequently removed from the NTS website. The incident was reported internationally on February 28, 2026.

No specific software versions or firmware vulnerabilities were implicated. The root cause was the exposure of the seed phrase, which is a universal risk for all mnemonic-based wallets if not properly secured.

Threat Activity

The threat activity in this incident was opportunistic and relied entirely on the public exposure of sensitive credentials. The attacker’s actions were as follows: monitoring public disclosures for sensitive information, identifying the exposed mnemonic phrase in the NTS press release, importing the phrase into a compatible wallet application, depositing ETH to cover transaction fees, and transferring all PRTG tokens to a new address.

There is no evidence of malware deployment, phishing, social engineering, or exploitation of software vulnerabilities. The attack required only basic blockchain knowledge and access to standard wallet tools. The speed and precision of the theft indicate that actors are actively scanning public sources for such operational security lapses.

No attribution to a specific threat actor or group is possible based on available evidence. The blockchain transactions are public but do not reveal the identity of the perpetrator. The incident is consistent with previous cases where exposed private keys or seed phrases led to immediate theft of crypto assets, but this is the first known case involving a government agency at this scale.

The broader threat landscape includes a pattern of similar incidents in the public sector, as demonstrated by the concurrent case of missing BTC from a police vault. These events highlight the urgent need for improved digital asset custody protocols and specialized training for government and law enforcement personnel.

Mitigation & Workarounds

The following mitigation strategies are prioritized by severity:

Critical: Never expose or digitize mnemonic (seed) phrases in any public or unsecured context. Seed phrases must be treated as the single point of failure for all assets in a wallet. All personnel handling digital assets should receive mandatory training on the risks and proper handling of seed phrases and private keys.

High: Implement strict operational protocols for the storage, transfer, and documentation of seed phrases. Physical copies should be stored in secure, access-controlled environments, such as safes or vaults, with access limited to authorized personnel only. Any documentation or photography of seed phrases must be strictly prohibited unless fully redacted and reviewed by security personnel.

High: In the event of any suspected or confirmed exposure of a seed phrase, immediately transfer all assets to a new wallet with a freshly generated mnemonic. Do not rely on device-level security or PINs to protect assets if the seed phrase is compromised.

Medium: Establish clear incident response procedures for digital asset custody incidents, including rapid detection, asset transfer, and public disclosure protocols. Regularly audit all digital asset holdings and custody processes for compliance with best practices.

Medium: Engage external experts or third-party custodians with proven experience in digital asset security for high-value or sensitive holdings, especially in government or institutional contexts.

Low: Conduct periodic awareness campaigns and tabletop exercises to reinforce the importance of operational security in digital asset management.
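The "rapid detection" item above can be made concrete for the transaction pattern described in the Technical Information section (a small ETH deposit from an unknown address to cover gas, then token transfers to a never-seen address that drain the balance). The following is an added example, not Rescana's tooling or code from the cited sources; the sample transfers and addresses are constructed placeholders, with only the 4,000,000-token, three-transaction figures taken from the page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Transfer:
    ts: datetime
    asset: str      # "ETH" for the native coin, otherwise a token symbol
    src: str
    dst: str
    amount: float

def detect_fund_and_sweep(events, custody, balances, gas_max_eth=0.05,
                          window=timedelta(hours=6), sweep_ratio=0.9):
    """Flag a small ETH deposit from an unknown address into `custody`, followed
    within `window` by token outflows to an unseen address draining >= sweep_ratio."""
    known, funding, swept, alerts = set(), None, {}, []
    for e in sorted(events, key=lambda e: e.ts):
        if (e.dst == custody and e.asset == "ETH"
                and e.amount <= gas_max_eth and e.src not in known):
            funding, swept = (e.ts, e.src), {}     # gas money arrives
            continue
        if (e.src == custody and e.asset != "ETH" and funding
                and e.ts - funding[0] <= window and e.dst not in known):
            swept[e.asset] = swept.get(e.asset, 0.0) + e.amount
            if swept[e.asset] >= sweep_ratio * balances.get(e.asset, float("inf")):
                alerts.append({"asset": e.asset, "amount": swept[e.asset],
                               "funder": funding[1], "destination": e.dst})
                swept[e.asset] = 0.0               # one alert per drained token
            continue
        known.add(e.src if e.dst == custody else e.dst)  # routine counterparty
    return alerts

# Constructed sample (placeholder addresses, not real on-chain identifiers):
# one routine transfer a month earlier, then the incident pattern with the
# page's figures of 4,000,000 tokens moved in three transactions.
CUSTODY, EXCHANGE, FUNDER, SINK = "0xCUSTODY", "0xKNOWN-EXCHANGE", "0xUNKNOWN-1", "0xNEW-SINK"
T0 = datetime(2026, 2, 26, 12, 0)
SAMPLE_EVENTS = [
    Transfer(T0 - timedelta(days=30), "PRTG", CUSTODY, EXCHANGE, 50_000.0),
    Transfer(T0, "ETH", FUNDER, CUSTODY, 0.01),
    Transfer(T0 + timedelta(minutes=5), "PRTG", CUSTODY, SINK, 1_500_000.0),
    Transfer(T0 + timedelta(minutes=9), "PRTG", CUSTODY, SINK, 1_500_000.0),
    Transfer(T0 + timedelta(minutes=14), "PRTG", CUSTODY, SINK, 1_000_000.0),
]

def sample_alerts():
    """Balance is the token amount held when the deposit landed (constructed)."""
    return detect_fund_and_sweep(SAMPLE_EVENTS, CUSTODY, {"PRTG": 4_000_000.0})
```

The alert fires on the third transfer, once the cumulative outflow passes 90% of the balance; a sweep to an address the custody wallet has transacted with before is not flagged by this rule.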

References

https://www.bleepingcomputer.com/news/security/48m-in-crypto-stolen-after-korean-tax-agency-exposes-wallet-seed/ (February 28, 2026)

https://www.tradingview.com/news/cointelegraph:0f18b8787094b:0-south-korea-s-tax-office-leaks-wallet-seed-and-loses-4-8m-in-seized-tokens/ (February 2026)

https://www.web3isgoinggreat.com/single/crypto-stolen-from-korean-authorities-after-they-post-wallet-seed-phrase (February 26, 2026)

About Rescana

Rescana provides a Third-Party Risk Management (TPRM) platform designed to help organizations identify, assess, and monitor operational and technical risks in their digital supply chain. Our platform enables continuous evaluation of vendor security practices, including the handling of sensitive credentials and digital assets. For questions or further information, please contact us at ops@rescana.com.
