Executive Summary
In February 2026, South Korea's National Tax Service (NTS) conducted raids on 124 high-value tax evaders, seizing digital assets worth approximately $5.6 million. In press material released to showcase the operation, the NTS inadvertently published images showing a Ledger hardware wallet next to a handwritten note bearing the wallet's mnemonic recovery phrase. Anyone who could read the note could restore the wallet, and an unauthorized individual did so, transferring 4 million Pre-Retogeum (PRTG) tokens, valued at about $4.8 million, out of the confiscated wallet. The NTS has since apologized for the oversight and initiated measures to prevent similar incidents. (koreajoongangdaily.joins.com)
The incident is a reminder that a recovery phrase is not a password protecting a wallet but the wallet's master secret: anyone who reads it can reconstruct every private key and move the funds from any device, and the phrase cannot be changed after the fact. Agencies that seize hardware wallets therefore have to treat the phrase, and any photograph of it, as the asset itself, and move seized funds to an address under their own control rather than leave them behind a secret that several people have handled.
Why This Matters Now
Governments are seizing cryptocurrency in growing volumes, and a seized wallet is usually secured by nothing more than a slip of paper. A single unredacted image turned a routine press release into a $4.8 million loss, with no intrusion and no exploit required. Agencies that handle seized digital assets need evidence and publication procedures that treat recovery phrases as key material, not as documentation.
Attack Path Analysis
The South Korean National Tax Service inadvertently exposed the mnemonic recovery phrase of a seized cryptocurrency wallet in publicly released press images. With the phrase, an unauthorized individual re-derived the wallet's keys and transferred approximately $4.8 million worth of PRTG tokens to a new address. No intrusion into agency systems was required: the attack path is read the phrase, restore the wallet, sign a transaction. The incident underscores that a recovery phrase is a bearer credential, and that secure handling of it, not network defence, is what prevents this class of loss.
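To make the mechanism concrete, here is an added worked example (not code from the original page, the NTS or any of the cited sources) that derives the BIP39 seed and the BIP32 master extended private key from a mnemonic using only the Python standard library. It uses the published BIP39 reference test vector (the all-zero-entropy phrase with passphrase "TREZOR"), never the seized wallet's phrase; the seed value in the comment is that reference vector's, and the xprv prefix it checks is common to every mainnet master key. What it shows is that nothing beyond the words, plus the optional passphrase if one was set, goes into the derivation, so a legible photograph of a recovery sheet is equivalent to the private key. The sources do not say whether the seized wallet used a passphrase.

```python
import hashlib
import hmac
import unicodedata

# Constructed example input: the BIP39 reference test vector (all-zero entropy).
# This is NOT the seized wallet's phrase, which the sources do not reproduce.
EXAMPLE_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                    "abandon abandon abandon abandon abandon about")

BASE58_ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: 2048 rounds of PBKDF2-HMAC-SHA512 over the NFKD-normalised
    words, salted with "mnemonic" + passphrase. No device secret is involved,
    which is why the words on a recovery sheet are the whole key."""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode(), salt.encode(), 2048, 64)


def seed_to_master(seed: bytes) -> tuple[bytes, bytes]:
    """BIP32 master node: HMAC-SHA512 keyed with the literal "Bitcoin seed".
    Left half is the master private key, right half the chain code; every
    account key in the wallet is derived deterministically from these."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return i[:32], i[32:]


def b58check(payload: bytes) -> str:
    """Base58Check encoding as used by extended keys (double-SHA256 checksum)."""
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    data = payload + checksum
    n = int.from_bytes(data, "big")
    out = bytearray()
    while n:
        n, r = divmod(n, 58)
        out.append(BASE58_ALPHABET[r])
    pad = len(data) - len(data.lstrip(b"\x00"))  # leading zero bytes -> '1'
    return (b"1" * pad + out[::-1]).decode()


def master_xprv(seed: bytes) -> str:
    """Serialise the master node as a mainnet xprv: version 0x0488ADE4,
    depth 0, zero parent fingerprint, child index 0, chain code, 0x00 || key."""
    key, chain = seed_to_master(seed)
    payload = (bytes.fromhex("0488ade4") + b"\x00" + b"\x00" * 4 + b"\x00" * 4
               + chain + b"\x00" + key)
    return b58check(payload)


if __name__ == "__main__":
    seed = mnemonic_to_seed(EXAMPLE_MNEMONIC, "TREZOR")
    # Reference vector seed:
    # c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553
    # 1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04
    print("seed:", seed.hex())
    print("xprv:", master_xprv(seed))
    # Same words without the passphrase give an unrelated seed, so a strong
    # passphrase is the only thing that makes a leaked sheet alone useless.
    print("seed (no passphrase):", mnemonic_to_seed(EXAMPLE_MNEMONIC).hex())
```

The derivation has no step that could be revoked or rate-limited: once the words are known, the xprv above (and every address under it) can be recomputed offline by anyone, which is why the only remediation after an exposure is to move the funds before the attacker does.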
Kill Chain Progression
Initial Compromise
Description
The National Tax Service published a press release containing images that inadvertently displayed the mnemonic recovery phrase of a seized cryptocurrency wallet.
MITRE ATT&CK® Techniques
Financial Theft (T1657)
Valid Accounts (T1078), in the sense that the recovery phrase is a valid bearer credential for the wallet
Unsecured Credentials: Credentials in Files (T1552.001), the closest fit for a recovery phrase written on paper and reproduced in a published image
Data from Cloud Storage (T1530) and Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002) do not fit this incident: the sources describe no cloud storage being accessed, and the loss was an on-chain token transfer signed with the leaked phrase, not data leaving a network.
Potential Compliance Exposure
Illustrative mapping of the incident to controls in several compliance frameworks. None of these frameworks bind a Korean government agency (PCI DSS covers cardholder data, NYDFS Part 500 and DORA cover regulated financial entities, NIS2 covers EU essential and important entities, and the CISA model targets US federal agencies); the mapping shows where an organisation that is subject to them would face comparable obligations around handling and disclosure of key material.
PCI DSS 4.0 – Protect Stored Account Data
Control ID: 3.4
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA Zero Trust Maturity Model 2.0 – Identity Management
Control ID: Identity Pillar
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the incident, including operational, regulatory, and custody risks.
Law Enforcement
Direct exposure risk from data handling failures leading to cryptocurrency asset theft, highlighting operational security gaps in digital evidence management. Photographs taken to document seized devices and recovery sheets are key material, not ordinary evidence records, and need the same handling as the seed itself.
Government Administration
Demonstrates vulnerability to data exposure incidents affecting public trust and financial assets, requiring enhanced security protocols for sensitive information disclosure processes.
Financial Services
Cryptocurrency custody and digital asset management face significant data exposure risks, necessitating robust security controls to prevent unauthorized access and theft.
Computer/Network Security
Highlights critical need for secure information handling protocols and compliance frameworks to prevent inadvertent exposure of sensitive cryptographic materials and credentials.
Sources
- South Korean Police Accidentally Post Cryptocurrency Wallet Password (Schneier on Security): https://www.schneier.com/blog/archives/2026/03/south-korean-police-accidentally-post-cryptocurrency-wallet-password.html
- Police probing unauthorized crypto transfer after NTS inadvertently shared wallet recovery phrase (Korea JoongAng Daily): https://koreajoongangdaily.joins.com/news/2026-03-01/national/socialAffairs/Police-probing-unauthorized-crypto-transfer-after-NTS-inadvertently-shared-wallet-recovery-phrase/2534349
- Korea Tax Agency Apologizes for $4.8M Crypto Leak; Police Launch Probe (Seoul Economic Daily): https://en.sedaily.com/society/2026/03/01/korea-tax-agency-apologizes-for-48m-crypto-leak-police
- South Korean tax agency exposes crypto wallet recovery phrase, loses $4.4 million (SC Media): https://www.scworld.com/brief/south-korean-tax-agency-exposes-crypto-wallet-recovery-phrase-loses-4-4-million
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF has only indirect relevance to this incident. A recovery phrase is a bearer credential: whoever reads the words on the sheet can re-derive every private key and sign a transfer from any internet-connected device, and the transaction is broadcast to the blockchain rather than routed through the agency's network. No segmentation, east-west inspection or egress policy in the agency's cloud sits on that path. The controls below can act only upstream, on the internal systems where photographs of seized devices and recovery sheets are stored, reviewed and released.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Identity-aware access policy on the systems that hold seizure photographs and press material can narrow who is able to retrieve unredacted images, and logging of that access provides a review trail before publication. It offers no protection for the phrase once the image is public.
Control: Zero Trust Segmentation
Mitigation: Segmenting evidence-handling systems from the public-relations workflow makes it harder for an unredacted image to pass from one to the other without review. No privilege escalation occurred in this incident; the attacker needed nothing from the agency's network.
Control: East-West Traffic Security
Mitigation: Not applicable to the theft itself: there was no lateral movement, and the transfer was an on-chain transaction signed outside the agency. East-west monitoring can at most flag unusual copying of evidence material between internal systems.
Control: Multicloud Visibility & Control
Mitigation: Visibility across cloud environments does not reach a wallet controlled by a leaked seed. Its value here is an inventory of where seed images and related evidence are stored, so that an exposure can be scoped quickly and the affected wallets identified for emptying.
Control: Egress Security & Policy Enforcement
Mitigation: Egress policy governs traffic leaving the agency's cloud, not a blockchain transaction signed elsewhere. Inspection of outbound content such as press kits and uploads to the publishing platform could catch a recovery sheet in an image only if paired with content inspection tuned for that purpose.
The controls that would have prevented the loss are procedural and cryptographic rather than network-level: never photograph a recovery sheet without redaction, treat any image of one as the secret itself, and move seized funds to an agency-controlled address as soon as the seed is in hand, since a seed cannot be rotated once seen.
Impact at a Glance
Affected Business Functions
- Asset Management
- Public Relations
- Legal Compliance
Estimated downtime: 7 days
Estimated loss: $4,800,000
Exposure of sensitive cryptocurrency wallet recovery phrases leading to unauthorized access and transfer of digital assets.
Recommended Actions
Key Takeaways & Next Steps
- Treat a recovery phrase, and any photograph or scan of one, as the private key itself: redact it before any image leaves the evidence system, and review press material for seed-phrase content before release.
- Move seized funds to an agency-controlled address as soon as the seed is in custody. A seed cannot be rotated; once anyone outside the custody chain may have seen it, the only remediation is to empty the wallet first.
- Utilize Zero Trust Segmentation to enforce least privilege access to evidence and press-material systems, so unredacted images cannot reach the publishing workflow unreviewed.
- Enhance Threat Detection & Anomaly Response by monitoring seized-wallet addresses on-chain; a transfer signed outside the agency is visible only there, never in agency logs.
- Establish comprehensive training for personnel handling seized devices on what a recovery phrase is and why it must never be photographed, displayed or transcribed outside the custody process.
- Conduct regular audits and assessments of seizure and publication procedures to confirm these controls are followed.