
$4.8M In Crypto Lost To A Press Photo

Published on March 2, 2026

On February 27, 2026, South Korea's National Tax Service (NTS) published a press release celebrating the seizure of digital assets from 124 high-value tax delinquents. The operation had confiscated approximately $5.6 million in assets, including Ledger hardware wallets taken during on-site raids.

The problem wasn't the seizure. It was the press photo.

Included in the release was an image of a Ledger device next to a handwritten sheet of paper, with the wallet's 12-word seed phrase in full view. Within hours, an unknown actor deposited ETH to cover gas fees, then drained 4 million PRTG tokens across three transactions. The tokens carried a nominal value of $4.8 million, though limited liquidity on the single exchange where PRTG trades means the practical damage may be smaller than the headline suggests.

Professor Jaewoo Cho of Hansung University's Blockchain Research Center, who tracked the on-chain flows, described the mistake as the equivalent of leaving a wallet open and inviting the entire nation to take the money.

A Pattern Forming

This would be easier to dismiss if it were a one-off. It isn't.

Earlier in February 2026, South Korean police discovered that 22 Bitcoin seized during a 2021 hacking investigation had vanished from a cold wallet stored in a Gangnam district police vault. Two suspects were arrested after investigators determined the coins, worth roughly $1.4 million, had been moved using the seed phrase, which the authorities had never properly secured. In a separate January case, prosecutors in Gwangju investigated the loss of seized bitcoin linked to a phishing incident involving recovery seed phrases.

Three custody failures. Three different government agencies. A matter of weeks. The common thread isn't technical complexity; it's the absence of any institutional framework for handling bearer assets.

What This Exposes

The NTS treated a hardware wallet like any other piece of seized evidence: photograph it and catalogue it. In traditional asset seizures, that's standard procedure. In crypto custody, photographing a seed phrase is functionally the same as handing over the keys.

For institutional operators, the failure modes on display here aren't exclusive to government agencies:

No segregation of sensitive material. The seed phrase was stored alongside the device, in a format easily captured and distributed. The mnemonic and the hardware should never coexist in the same location.

No post-seizure transfer to secure custody. Assets remained in wallets whose seed phrases were physically co-located with the devices. They should have been swept into operationally controlled wallets immediately.

No automated response when things went wrong. Once the seed phrase was public, there was no emergency sweep, no failover, no way to move assets to safety before an attacker could act. There was no possible response once these had been exposed.
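
The sequence described earlier, an ETH deposit to cover gas followed by token transfers out, can be flagged as it happens. The following is an added example, not part of the original post and not Circuit's product: a Python triage pass over constructed transfer records, where the addresses, allowlists, record fields and amounts are all assumptions.

```python
from dataclasses import dataclass

# All addresses and amounts below are constructed placeholders, not incident data.
WATCHED = {"0xCUSTODY_A", "0xCUSTODY_B"}   # wallets holding seized assets
APPROVED_FUNDERS = {"0xAGENCY_OPS"}        # may send gas to custody wallets
APPROVED_DESTS = {"0xAGENCY_VAULT"}        # sweep targets under agency control

@dataclass(frozen=True)
class Transfer:
    block: int
    kind: str      # "native" for ETH, "token" for an ERC-20 transfer
    src: str
    dst: str
    amount: float

def triage(transfers):
    """Return (block, severity, reason) alerts for watched custody wallets."""
    alerts, primed = [], set()
    for t in sorted(transfers, key=lambda t: t.block):
        if t.kind == "native" and t.dst in WATCHED and t.src not in APPROVED_FUNDERS:
            # Gas arriving from outside the agency is an early warning that
            # a third party may be preparing to move assets from this wallet.
            primed.add(t.dst)
            alerts.append((t.block, "HIGH", f"unapproved gas funding of {t.dst}"))
        elif t.kind == "token" and t.src in WATCHED and t.dst not in APPROVED_DESTS:
            # An outflow that follows unapproved gas funding is escalated.
            severity = "CRITICAL" if t.src in primed else "HIGH"
            alerts.append((t.block, severity, f"token outflow {t.src} -> {t.dst}"))
    return alerts

SAMPLE = [
    Transfer(100, "native", "0xAGENCY_OPS", "0xCUSTODY_B", 0.05),     # approved funding
    Transfer(101, "token", "0xCUSTODY_B", "0xAGENCY_VAULT", 50_000),  # approved sweep
    Transfer(200, "native", "0xUNKNOWN", "0xCUSTODY_A", 0.02),        # gas from a stranger
    Transfer(203, "token", "0xCUSTODY_A", "0xUNKNOWN", 1_500_000),
    Transfer(204, "token", "0xCUSTODY_A", "0xUNKNOWN", 1_500_000),
    Transfer(205, "token", "0xCUSTODY_A", "0xUNKNOWN", 1_000_000),
]

if __name__ == "__main__":
    for block, severity, reason in triage(SAMPLE):
        print(block, severity, reason)
```

The HIGH alert on the gas deposit is raised before any tokens move, which is the window in which a pre-arranged sweep to an approved destination would have to run.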

The Lesson

This wasn't a sophisticated exploit. There was no smart contract vulnerability, no compromised infrastructure, no zero-day. A human made an error, and there was nothing between that error and total loss of the assets.

That's the gap this incident makes visible. South Korea needs better prevention, but when key material is compromised, through negligence, social engineering, insider threat, or operational error, the only thing that matters is whether you can move assets to safety before someone else does.

Circuit builds the recovery and response infrastructure that gives digital asset operators a way to act when things go wrong, automatically, and before damage becomes permanent.
