South Korean Police Accidentally Post Cryptocurrency Wallet Password

An expensive mistake:

Someone jumped at the opportunity to steal $4.4 million in crypto assets after South Korea’s National Tax Service exposed publicly the mnemonic recovery phrase of a seized cryptocurrency wallet.

The funds were stored in a Ledger cold wallet seized in law enforcement raids at 124 high-value tax evaders that resulted in confiscating digital assets worth 8.1 billion won (currently approximately $5.6 million).

When announcing the success of the operation, the agency released photos of a Ledger device, a popular hardware wallet for crypto storage and management.

However, the images also showed a handwritten note of the wallet recovery phrase, which serves as the master key that allows restoring the assets to another device.

The authorities failed to redact that info, allowing anyone to transfer into their account the assets in the cold wallet.

Reportedly, shortly after the press release was published, 4 million Pre-Retogeum (PRTG) tokens, worth approximately $4.8 million at the time, were transferred out of the confiscated wallet to a new address.

Tags: cryptocurrency, operational security, South Korea

Posted on March 17, 2026 at 6:01 AM • 16 Comments

Comments

Clive Robinson • March 17, 2026 9:26 AM

The old expressions,

“Easy come, easy go”

And,

“More money than sense”

Immediately come to mind…

Rontea • March 17, 2026 12:20 PM

This is yet another example of how insecure operational practices can undermine the strongest cryptographic protections. The math is solid, but humans remain the weakest link. A recovery phrase is essentially the keys to the vault—treating it casually or leaving it exposed defeats the entire security model. Incidents like this are less about technical failure and more about governance, process discipline, and understanding the adversary’s incentives. Cryptography doesn’t protect against carelessness.

Clive Robinson • March 17, 2026 1:50 PM

@ Rontea, all,

With regards,

“The math is solid, but humans remain the weakest link.
…
Cryptography doesn’t protect against carelessness.”

At any point “in the security stack” as Microsoft has found out… They thought they had achieved security on the Xbox One…

But no it’s been hacked at the hardware level,

https://www.schneier.com/blog/archives/2026/03/friday-squid-blogging-increased-squid-population-in-the-falklands.html/#comment-452927

Lex • March 17, 2026 2:46 PM

It seems this story has a somewhat funny addendum.
https://biz.chosun.com/en/en-society/2026/03/03/2HRCGVESIZBTHHXIWI7URAWCHM/
According to this story the assets got returned to the compromised wallet, just to be stolen again by a second thief.

Edith • March 17, 2026 3:55 PM

Giving secrets away via cameras is an ancient tradition that stretches back to the analogue era.

Here a TV news crew broadcast clear images of a prison’s keys:

https://www.reddit.com/r/todayilearned/comments/1o3a3ie/til_in_2006_every_lock_and_key_in_a_uk_prison_had/

MiSERY LoVES CoMPANY • March 17, 2026 4:54 PM

What’s reality? I don’t know. When my bird was looking at my computer monitor I thought, “That bird has no idea what he’s looking at.” And yet what does the bird do? Does he panic? No, he can’t really panic, he just does the best he can. Is he able to live in a world where he’s so ignorant?

Well, he doesn’t really have a choice. Yeah, he can kinda live. Usually the bird is okay even though he doesn’t understand the world. He can kinda learn what’s safe and what’s dangerous. That’s where I’ve been living. You’re that bird looking at the monitor, and you’re thinking to yourself, “I can figure this out.” Maybe you have some bird ideas. Maybe that’s the best you can do.

Stephen Christopher Gregory Elliott • March 17, 2026 9:45 PM

This was a COLD wallet. Surely someone had to connect it to the net to allow the use of the key. So a second security lapse!

lurker • March 17, 2026 11:49 PM

@Stephen Christopher Gregory Elliott

Maybe a special kind of lapse known as “An Inside Job”?

Keith • March 18, 2026 1:27 AM

Doesn’t matter if it was a cold wallet or not. Once the seed phrase was revealed it became anyone’s wallet.

Stephen Christopher Gregory Elliott • March 18, 2026 8:08 PM

My crypto currency ignorance is showing here – but surely it must communicate in order to permit unauthorised transfers?

Winter • March 19, 2026 8:52 AM

@Stephen Christopher Gregory Elliott

it must communicate in order to permit unauthorised transfers?

There is no such thing as (un)authorized transfers in cryptocurrencies.

Each coin value on the chain is only protected with a secret key (actually, a public-private key pair). The seed kan generate all relevant keys for a certain wallet.

If you know the seed, or the key, the money is yours. If you don’t know it, it’s not.

Who? • March 19, 2026 1:35 PM

@ Winter

I don’t understand your reasoning… Let me explain with a classic example: if you know how to open a safe, the money is yours. If you don’t, it isn’t.

That doesn’t seem right to me. If you know the seed phrase or the PIN of the cold wallet, you can recover the money (if it’s yours) or steal it. In the world of cryptocurrencies, there are unauthorized transfers, meaning transfers made without the owner’s authorization.

The difference between traditional currencies and cryptocurrencies is that safes can be opened, even if it’s a laborious task. If you don’t have the seed phrase of the vault that stores the cryptocurrencies, you may have lost them forever.

Who? • March 19, 2026 1:46 PM

@ Stephen Christopher Gregory Elliott

I understand your question refers to establishing a communication channel between cold wallets.

No, no such communication channel exists. Cryptocurrencies are never stored on the cold wallet hardware; they are stored on a blockchain. Cold wallets are simply signing devices. Nothing more.

If you have access to the seed phrase that protects certain funds, you can transfer them. The original cold wallet does not need to exist anymore.

Who? • March 19, 2026 1:52 PM

@ Stephen Christopher Gregory Elliott

I will say more. There are cold wallets that never connect to the Internet. Coinkite Mk and Q devices are good examples. They are used to sign transactions, but do not require Internet access to transfer funds between bitcoin addresses.

Winter • March 19, 2026 3:47 PM

@Who?

In the world of cryptocurrencies, there are unauthorized transfers, meaning transfers made without the owner’s authorization.

That is the legal, and normal, interpretation.

But Bitcoin and most other cryptocurrencies have been designed as extra-legal constructions outside national boundaries. They were designed as permission less monetary systems.

Their founding principles is that code is law. Which means that they who have the keys are the owner. A Bitcoin address has no owner, only a key.

The law has only limited tools to enforce it’s rules.

Most people getting into cryptocurrencies do not realize what this means. With very dear consequences.

Stephen Christopher Gregory Elliott • March 19, 2026 9:19 PM

Many thanks for the correction – I obviously totally misunderstood this aspect of the technology.

So they are not really “wallets” – They are more like “key rings”!

Schneier on Security

South Korean Police Accidentally Post Cryptocurrency Wallet Password

Comments

Leave a comment Cancel reply