Full Report
Went from triumph at having busted tax dodgers to embarrassment at losing the proceeds. South Korea’s National Tax Service has apologized after it leaked passwords to a stash of stolen crypto, which parties unknown used to make off with the digi-cash.…
Analysis Summary
# Incident Report: South Korean Tax Service Crypto Seizure Leak
## Executive Summary
South Korea’s National Tax Service (NTS) suffered a significant financial loss after inadvertently leaking the recovery seed phrase of a seized cryptocurrency wallet through publicly released photographs of the seizure haul. Unknown threat actors read the seed phrase off the published images and drained approximately $4.8 million in cryptocurrency (Pre-Retogeum/PRTG) within hours of the announcement. The NTS has apologized and committed to strengthening internal controls for the handling of virtual assets.
## Incident Details
- Discovery Date: February 26th, 2026 (When the images were publicized, leading to the subsequent theft)
- Incident Date: Shortly after February 26th, 2026 (Funds drained "within hours" of publicity)
- Affected Organization: South Korea’s National Tax Service (NTS)
- Sector: Government/Taxation/Law Enforcement
- Geography: South Korea
## Timeline of Events
### Initial Access
- Date/Time: February 26th, 2026 (Approximate)
- Vector: Publication of evidence/Asset Display Error
- Details: The NTS publicized photos of a successful seizure targeting 124 tax delinquents, which included seized assets worth ₩8.1 billion ($5.6 million). These public photos visibly contained a recovery seed phrase for one of the seized crypto wallets.
### Lateral Movement
- Attackers appeared to move directly from the publicly exposed seed phrase to the targeted crypto wallet. No conventional network lateral movement is indicated.
### Data Exfiltration/Impact
- Assets stolen: Pre-Retogeum (PRTG) cryptocurrency, valued at approximately $4.8 million (the majority of the seized digital assets).
### Detection & Response
- Detection Method: Funds leaving the wallet shortly after publication signaled the compromise.
- Response actions taken: The NTS issued an apology, requested the National Police Agency to trace the blockchain transactions, and reviewed/updated internal manuals for securing virtual assets.
## Attack Methodology
- Initial Access: **Non-technical exposure** (OPSEC failure by the NTS that placed the recovery credential in public view).
- Persistence: Not applicable.
- Privilege Escalation: Not applicable.
- Defense Evasion: Not applicable; the attack utilized legitimately exposed credentials.
- Credential Access: **Visual recognition** (Threat actors visually identified the seed phrase from publicly available images).
- Discovery: Public reconnaissance of media releases by threat actors.
- Lateral Movement: Not applicable.
- Collection: Not applicable; direct access via seed phrase.
- Exfiltration: Direct transfer of the cryptocurrency out of the wallet via ordinary blockchain transactions.
- Impact: Financial loss via asset theft.
## Impact Assessment
- Financial: Loss of approximately $4.8 million in seized cryptocurrency.
- Data Breach: Exposure of a critical access credential (seed phrase) to seized digital assets.
- Operational: Initial operational success (seizure) followed by significant embarrassment and loss of assets.
- Reputational: Significant embarrassment for the NTS, leading to a public apology and a reversal of the perception of triumph.
## Indicators of Compromise
- Network indicators: Outbound transactions from the compromised wallet address (on-chain rather than network telemetry; blockchain-specific tracing required).
- File indicators: The leaked image files containing the seed phrase.
- Behavioral indicators: Rapid and large-scale withdrawal of PRTG coins shortly after the public announcement on February 26th.
## Response Actions
- Containment measures: None effective. Once a seed phrase is public, anyone holding it can spend from the wallet, and on-chain transfers cannot be frozen or reversed after the fact.
- Eradication steps: The direct chain of compromise (the seed phrase) was already exploited. Focus shifted to tracking the stolen funds.
- Recovery actions: Requesting the National Police Agency to utilize blockchain forensics to trace the illicit transfers.
## Lessons Learned
- **Operational Security Failure:** Failure to adequately scrub sensitive recovery information (seed phrases) from physical or digital evidence intended for public release.
- **Asset Handling Procedures:** Current manual procedures for seizing, storing, and disposing of virtual assets were inadequate and exposed critical recovery data.
- **Risk of Publicity:** Highlighting a victory by exposing details of an operation carries inherent risks if procedural security is lacking.
## Recommendations
- Implement mandatory procedural checks (e.g., dual review) for all digital and physical evidence released to the public, specifically looking for recoverable credentials such as seed phrases or private keys.
- Develop and enforce stringent, non-negotiable protocols for the storage and handling of cryptocurrency recovery keys that explicitly prohibit their exposure in any format outside of secured, designated storage locations.
- Ensure immediate retraining of all personnel involved in evidence handling concerning best practices for securing decentralized asset recovery information.
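A pre-release check of the kind the first recommendation calls for, as an added example that is not NTS code or procedure: it scans OCR'd text from an evidence photo for checksum-valid BIP39-style mnemonics and for raw 64-hex private keys. It assumes the seized wallet used a BIP39 mnemonic; the wordlist subset and the OCR text below are constructed for the demo.

```python
import hashlib
import re

# Constructed subset of the BIP39 English wordlist (word -> index); a real
# deployment loads all 2048 words from the published list.
WORD_INDEX = {"abandon": 0, "ability": 1, "able": 2, "about": 3}
MNEMONIC_LENGTHS = (24, 21, 18, 15, 12)                  # valid phrase lengths
HEX_KEY_RE = re.compile(r"\b(?:0x)?[0-9a-fA-F]{64}\b")   # raw 256-bit key

# Constructed OCR output standing in for a photographed recovery card.
SAMPLE_OCR_TEXT = (
    "Seized hardware wallet card reads: abandon abandon abandon abandon "
    "abandon abandon abandon abandon abandon abandon abandon about. "
    "Case file 2026-02-26, 124 delinquents."
)

def checksum_ok(words):
    """BIP39 check: the last len/3 bits of the concatenated 11-bit indices
    must equal the leading bits of SHA-256(entropy). Rejects chance runs."""
    bits = "".join(format(WORD_INDEX[w], "011b") for w in words)
    cs_len = len(words) // 3
    ent_bits, cs_bits = bits[:-cs_len], bits[-cs_len:]
    entropy = int(ent_bits, 2).to_bytes(len(ent_bits) // 8, "big")
    actual = "".join(format(b, "08b") for b in hashlib.sha256(entropy).digest())
    return actual[:cs_len] == cs_bits

def find_mnemonics(text):
    """Return (token_offset, length) for each run of wordlist words that forms
    a checksum-valid mnemonic; longest phrase length is tried first."""
    tokens = re.findall(r"[a-z]+", text.lower())
    hits, i = [], 0
    while i < len(tokens):
        for n in MNEMONIC_LENGTHS:
            window = tokens[i:i + n]
            if (len(window) == n and all(w in WORD_INDEX for w in window)
                    and checksum_ok(window)):
                hits.append((i, n))
                i += n - 1          # skip past the matched phrase
                break
        i += 1
    return hits

def scan_release_text(text):
    """Findings that should block publication of the evidence image."""
    findings = [f"{n}-word mnemonic at token {i}" for i, n in find_mnemonics(text)]
    findings += [f"hex private key {k[:6]}..." for k in HEX_KEY_RE.findall(text)]
    return findings
```

Run as part of the dual-review step: a non-empty result from `scan_release_text` on the OCR output of every image blocks the release until the credential is masked or the image is dropped.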