South Korea launched a coordinated investigation after a series of custody failures culminated in the National Tax Service accidentally publishing a hardware-wallet recovery phrase and the rapid theft of roughly $4.8 million in PRTG tokens. The government is treating this as a systemic control failure, not a one-off embarrassment, which is why multiple agencies are now involved in a single, centralized response. The inquiry is being led by Deputy Prime Minister and Finance Minister Koo Yun-cheol and includes the Financial Services Commission, the Financial Supervisory Service, the National Police Agency, prosecutors, and the tax office.
The stated objective is to identify and close structural weaknesses in how public institutions store and manage seized digital assets, especially as South Korea prepares for a full virtual-asset framework rollout scheduled for 2027. From a market-trust perspective, it’s hard to sell “tight supervision” if the state itself is shown mishandling keys and credentials.
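Regarding the recent leak of digital asset information at the National Tax Service, the government will, together with the Financial Services Commission, the Financial Supervisory Service and other relevant agencies, inspect the status and management of digital assets held and managed by government and public institutions, such as those seized from tax delinquents, and will promptly prepare and implement measures to prevent recurrence, including strengthening digital asset security management.
For reference,… pic.twitter.com/RfvGJdvHy3
— Koo Yun-cheol, Deputy Prime Minister and Minister of Finance and Economy (@yuncheol_koo) March 1, 2026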
The trigger: a mnemonic leak and a fast drain
The immediate spark was an operational error by the National Tax Service on March 2, 2026. A press release photo reportedly revealed the full mnemonic recovery phrase for a seized hardware wallet, and unknown actors used that exposed phrase within hours to drain about $4.8 million, described as roughly 6 billion won, in PRTG tokens. This is the simplest failure mode in crypto custody: once a seed phrase is public, control is effectively transferred instantly and irreversibly. The incident is being characterized as a basic data-handling lapse with outsized financial consequences.
Deputy Prime Minister Koo Yun-cheol framed the response as urgent in a statement posted on X, saying authorities would swiftly implement measures to strengthen digital asset security and prevent recurrence. The intent is to show immediate corrective action, because the optics of key leakage by a state agency are reputationally expensive.
A pattern of custody breakdowns, not an isolated mistake
What makes this investigation heavier than a normal incident response is the recent pattern. This leak follows two prior custody failures: in 2021, Gangnam police lost control of 22 Bitcoin after using a third-party custodian and failing to secure private keys, and in February 2026, Gwangju prosecutors were phished, exposing access credentials and leading to the temporary loss of 320.8 Bitcoin, later recovered by February 17. Put together, the storyline is consistent: the weak point isn’t “blockchain complexity,” it’s key governance: who holds credentials, how they’re stored, and how staff are trained to treat them.
That’s also why the probe is described as targeting the gap between strict private-sector requirements and looser controls inside public institutions. If the private sector is being held to high bars on custody, auditability, and access control, the state will need comparable standards to avoid being seen as the weakest custodian in the system.
What reforms the probe is pointing toward
Officials signaled the review will run through mid-2026, ahead of the broader 2027 framework. The likely reform directions are centralized custody arrangements for seized assets, mandatory multi-signature or fragmented-key storage, improved personnel training, and external forensic audits. The common theme is removing “single point of failure” custody and replacing ad hoc handling with repeatable, auditable protocols. That is exactly what public institutions have been criticized for lacking when these incidents come to light.
The attack vectors are familiar and unglamorous: exposed mnemonics, third-party custody risk, and phishing targeted at staff. Restoring confidence will require not just policy announcements but verifiable evidence: consistent accounting of what was stolen, what was recovered, what is frozen, and how chain-of-custody is enforced across agencies. Transparent forensic reporting becomes part of the control environment, not a PR exercise.
The investigation adds immediate pressure for measurable fixes: updated custody procedures, external audits of agency holdings, and documented chain-of-custody processes for seized crypto. The central test is whether public institutions move from reactive incident handling to standardized custody practices that meet the same audit and resilience expectations applied to private custodians.
