South Korea’s National Tax Service (NTS) has found itself in the middle of a deeply embarrassing — and costly — blunder after accidentally handing thieves the master key to a seized cryptocurrency wallet.
The method? Publishing the access key in a press release, in plain sight for the entire world to see.
Last Thursday, the NTS issued a triumphant press release to the media detailing how it had taken action against 124 high-value tax evaders, and boasting about the seizure of digital assets worth 8.1 billion won — roughly US $5.6 million.
And in that press release, officials included photographs of some of the confiscated hardware: including a Ledger cold wallet device and, sitting right next to it, a handwritten note clearly displaying the wallet’s mnemonic recovery phrase.
This seed phrase is the 12-to-24 word sequence that functions as the master key for a cryptocurrency wallet. And as everyone who possesses a hardware cold wallet should know, you are never ever supposed to share with anyone, let alone broadcast to the entire internet in an official press release, that seed phrase.
By dawn the following morning, someone had emptied the wallet of all of its cryptocurrency.
For those unfamiliar with how hardware wallets work, the mnemonic (or seed) phrase is essentially your wallet’s ultimate password. Anyone who possesses the phrase can restore access to that wallet on any device, anywhere in the world. And then they can transfer every last cryptocurrency token out — with no need for physical access to device, no PIN required, no further authentication of any kind.
Hardware wallets like Ledger are built around the assumption that the seed phrase is kept secret. The whole point of “cold storage” is that the private keys to the wallet never touch the internet. The moment a seed phrase is exposed, the offline protection is weaker than tissue paper.
The NTS officials later explained that they had included the images in their press release to make it “more eye-catching.” Unfortunately for them, the press release certain did catch some people’s attention.
The confiscated wallet in question belonged to a tax evader identified only by the authorities as “Mr. C,” who had had four cryptocurrency storage devices seized from his home. The hardware wallet contained approximately 4 million Pre-Retogeum (PRTG) tokens, worth around US $4.8 million (approximately 6.4 billion won) at the time.
According to a blockchain analysis by Professor Cho Jae-woo, director of the Blockchain Research Institute at Hansung University in Seoul, the theft took place in the early hours of February 27th — shortly after the press release was published.
Professor Cho pointed out that the original owner of the Ledger device had actually been following best practice — recording the seed phrase only on a handwritten note, rather than storing it digitally. The irony, of course, is that while the tax evader took proper precautions to protect his crypto fortune, the authorities tasked with safeguarding the seized assets did not.
So, a win for the crypto thief – yes?
Well, maybe not.
Because the thief may find it considerably harder to actually spend their US $4.8 million worth of cryptocurrency than it was to steal.
As The Block reports, PRTG is an obscure token, that is rarely used. According to CoinMarketCap data, it recorded a volume of just US $332 in 24 hours of trading at the time of the incident and is listed on only a single exchange — MEXC.
Furthermore the 4 million stolen tokens represent approximately 40% of PRTG’s entire total supply. Attempting to convert that quantity of crypto into cash would almost certainly impact the token’s value long before the full transaction was done.
Furthermore, if the stolen tokens eventually move through a regulated platform with know-your-customer requirements, there is at least a chance of identifying who is trying to capitalise on the theft.
The NTS eventually removed the offending press release from its website, and issued a follow-up statement offering a “deep” apology for what had happened.
South Korea’s National Tax Service found out the hard way. One can only hope that law enforcement agencies seizing digital assets around the world are paying attention.
After all, “don’t photograph your passwords and publish them on the internet” is a lesson most of us managed to learn years ago.