Korean National Tax Service leaks seed phrase, white-hat hacker empties 4.8 million tokens and returns everything

The Korea National Tax Service (NTS) announced on February 26th that it had seized digital assets. A photo clearly shows a Ledger hardware wallet next to a 12-word recovery seed phrase, which was immediately exploited by unknown individuals. They transferred 4 million Pre-Retogeum (PRTG) tokens, valued at approximately $4.8 million USD, out of the wallet. The tokens have since been returned to the original wallet. This incident highlights serious operational security flaws in government agencies’ management of digital assets.

Event Summary: A Chain Reaction Triggered by a Photo

The Korean NTS announced they seized about 8.1 billion KRW (around $5.6 million USD) in crypto assets from a tax evader and published photos of the seized items in their press release. The problem lies in one photo labeled “Case 3” — it clearly shows a Ledger hardware wallet and a handwritten note beside it, listing the full 12-word recovery seed phrase.

A local professor directly compared this mistake to “an open invitation for others to empty your wallet.” Once the seed phrase is leaked, anyone can restore the wallet on any device and fully control the assets — the physical security of the hardware wallet is instantly nullified.

On-chain data shows that shortly after the photo was published, an unknown person sent a small amount of ETH to the wallet to pay gas fees, then transferred 4 million PRTG tokens to a new address. This amount accounts for about 40% of the total PRTG supply.

Token Return and Liquidity Reality

Although the tokens were later sent back to the original wallet, the incident sparked widespread discussion. It remains unclear whether this was a white-hat hacker revealing a vulnerability in good faith or an attacker realizing that PRTG’s market liquidity was extremely low and difficult to cash out, leading to the return.

There is a significant gap between the nominal value of PRTG tokens and their actual market liquidity: the only active trading pair has very low volume, and even small sell orders can drastically lower the price. Large-scale cashing out is nearly impossible. This means the $4.8 million USD nominal loss does not equate to an equivalent amount of actual liquidatable assets.

Key Data at a Glance

• Leaked Information: 12-word recovery seed phrase from Ledger hardware wallet (clearly visible in the photo)
• Transferred Tokens: 4 million PRTG, valued at about $4.8 million USD (roughly 40% of total supply)
• Seized Assets Total Value: approximately 8.1 billion KRW (~$5.6 million USD)
• Event Outcome: Tokens returned to the original wallet; PRTG market liquidity is extremely low, making actual cash-out difficult
• NTS Statement: As of this report, the NTS has not issued a detailed statement

Frequently Asked Questions

What is a seed phrase (Mnemonic Phrase), and why is its leak so serious?

A seed phrase (Mnemonic Phrase) is a recovery phrase composed of 12 to 24 English words that can restore a crypto wallet. Anyone holding this phrase can fully recover and control the wallet on any device. Physical security measures of hardware wallets like Ledger cannot prevent seed phrase leaks — once exposed, all security protections are effectively nullified.

Is the $4.8 million USD loss from PRTG tokens an actual financial loss?

Nominally, yes — about $4.8 million USD. However, due to extremely low liquidity in the PRTG market, the actual cash that could be realized is much lower than the nominal value. On-chain data shows the tokens were ultimately returned to the original wallet, so no permanent financial loss occurred. Nonetheless, the security breach and operational oversight are undeniably serious.

What are the implications of this incident for future government custody of digital assets?

This incident highlights systemic risks when government agencies handle digital assets without proper technical safeguards. Key lessons include: all sensitive information (including seed phrases and private keys) must be strictly concealed when displaying seized assets; agencies should establish professional digital asset custody procedures rather than relying on traditional physical confiscation standards.