- South Korea’s National Tax Service unintentionally revealed handwritten seed phrases in an official press release.
- A still-unidentified user briefly moved $4.8 million in illiquid PRTG tokens from three wallets holding 40% of the supply.
- The tokens were later returned, likely due to the extremely low liquidity and limited trading options of PRTG.
- The case adds to a series of recent crypto-related missteps by South Korean authorities, raising concerns about digital asset custody practices.
One of the most basic safety rules in crypto is simple: never share your seed phrase with anyone, under any circumstances. That short list of 12 or 24 words is effectively the master key to a wallet’s private keys and gives full control over any digital assets stored there.
In South Korea, the National Tax Service (NTS) has unintentionally become a textbook example of what can go wrong when this rule is broken. The agency published a press release that included a photo of handwritten seed phrases, a lapse that opened the door for an unknown actor to briefly move tokens nominally valued at $4.8 million, according to a report from local outlet Maeli Business Newspaper. The tokens, which belong to a thinly traded cryptocurrency, were later sent back.
How a Tax Enforcement Operation Turned Into a Crypto Incident
The episode began as a routine high-value tax enforcement action. The NTS had conducted a search and seizure targeting taxpayers with significant outstanding debts, confiscating a range of assets in the process. Among the items seized were multiple hardware wallets, reportedly Ledger devices, along with accompanying documentation.
After wrapping up the operation, the tax service prepared an official press release to highlight its efforts. To illustrate the success of the seizure, officials photographed part of the recovered material and attached the images to the communication sent to the media. One specific lot, labeled as “Case 3” in the documentation, showed several Ledger hardware wallets placed next to handwritten seed phrases meant to back up those devices.
This image, which should never have been made public, effectively exposed the full recovery phrases tied to at least three wallets. As professor Cho Jae-woo from Hansung University put it, sharing those seed phrases was comparable to publicly inviting anyone to open the wallets and empty the funds. The situation turned from a simple procedural slip to a real security breach as soon as the press release circulated.
According to the local reporting, the photograph revealed enough information for a technically savvy observer to reconstruct the recovery phrases. From there, restoring the seized wallets on a new device or software wallet and moving the funds would have been a straightforward task for anyone with basic knowledge of crypto wallet operations.
Funds Moved to an Ethereum Address Ending in 86c12
Not long after the press release appeared, someone decided to act on that opportunity. Blockchain data shows that an unidentified individual accessed at least three wallets associated with the exposed phrases and transferred their contents to a new Ethereum address whose identifier ends in “86c12”.
The on-chain records indicate that three separate addresses, all tied to the same token, were suddenly revived after a long period of inactivity. Each of these wallets received a small amount of ETH first, just enough to cover gas fees for outgoing transactions. Once that minimal funding was in place, the wallets sent their entire balances of Pre-Retogeum (PRTG) tokens to the “86c12” address.
In total, the three addresses held around 4 million PRTG tokens. Based on the token’s quoted market price at the time of the incident, this stash had a nominal value of roughly $4.8 million. The move effectively consolidated about 40% of the entire PRTG supply into the single receiving address, given that the token has a relatively small circulating base.
These wallets had been completely dormant since January 2023, registering no prior movement over more than a year. That long silence, combined with the sudden, coordinated transfers following the NTS disclosure, strongly suggests a direct link between the published seed phrases and the unauthorized access to the funds.
While the identity of the person behind the “86c12” address remains unknown, the pattern of activity resembles that of someone testing access and control over newly discovered wallets. The rapid consolidation of tokens and careful use of minimal ETH strictly for gas costs point to a deliberate, targeted action rather than random network activity.
PRTG: High Nominal Value, Extremely Thin Liquidity
The apparent jackpot of $4.8 million in PRTG tokens looks far less impressive when viewed through the lens of actual market depth and trading conditions. Pre-Retogeum (PRTG) is an Ethereum-based token with very low activity and limited traction among traders.
According to the reporting based on CoinGecko and exchange data, PRTG has relatively few holders, around 1,500 addresses in total, and has only recorded about 1,600 transfers across its entire on-chain history. That combination of low holder count and minimal transaction volume signals a market with shallow liquidity and limited real demand.
In practice, this means that even though the nominal value of the seized tokens reached into the millions, converting that amount into cash or a stable cryptocurrency would have been extremely challenging. The token does not have trading pairs available on decentralized exchanges and is listed on just one centralized platform, MEXC.
On that exchange, PRTG’s trading volume over a 24-hour period was reported at only about $332. With such low turnover, any attempt to sell large quantities would almost immediately collapse the price. Liquidity metrics for the PRTG-USDT pair indicated that a sale of roughly $59 worth of tokens could push the token’s price down by around 2%, highlighting just how fragile the market is.
For comparison, CoinGecko data suggests that on the same platform, moving the price of Bitcoin down by 2% would require a sell order of about $2.6 million. The contrast underlines how thin the PRTG market really is and helps explain why the person who initially moved the tokens may have reconsidered their actions.
Why the Tokens Were Sent Back
Roughly 20 hours after the first transfers, the situation took another unexpected turn. A new address associated with the original “86c12” destination began sending all of the PRTG tokens back to the three wallets from which they had initially been taken.
This reversal left observers with more questions than answers. On the one hand, the quick return may have been an attempt to avoid legal consequences, given that the movement of funds clearly followed a government mistake and could attract intense scrutiny from law enforcement. On the other hand, the extremely low liquidity of PRTG likely played a role in the decision to backtrack.
With such thin markets, it is unlikely that the person behind the transfers could have cashed out even a small fraction of the nominal $4.8 million without tanking the price. Any visible effort to offload that volume on MEXC, the only listed market, would almost certainly have drawn immediate attention and rapidly wiped out potential gains.
By returning the tokens, the actor appears to have recognized that taking advantage of the exposed seed phrases was not worth the legal and reputational risk, especially for an asset that might be nearly impossible to monetize at scale. The gesture also spared the NTS from an even more embarrassing outcome, even though the original mistake remains difficult to justify.
The case underscores a key point for regulators and law enforcement agencies: custodying crypto assets requires more than simply seizing hardware wallets. Proper handling of backup phrases, secure storage of sensitive data and strict review of any public communications are essential to avoid exposing seized funds to opportunistic third parties.
Part of a Wider Pattern of Crypto Mishaps in South Korea
This incident is not an isolated case but rather the latest in a growing list of crypto-related stumbles by South Korean authorities. Earlier reports this week revealed that $1.4 million worth of Bitcoin effectively vanished four years ago due to improper handling of seized digital assets.
In that earlier episode, police reportedly failed to adhere to established protocols for cryptocurrency custody, leading to a situation where funds were no longer properly accounted for. The details of the loss have raised concerns about training, internal oversight and the technical capacity of agencies tasked with managing digital asset seizures.
Regulators in the country have also come under fire for their supervision of local exchanges. South Korean authorities have faced strong criticism for not detecting an internal glitch in the systems of Bithumb, one of the country’s prominent crypto trading platforms.
That internal error resulted in Bithumb mistakenly distributing the equivalent of $43 billion in Bitcoin to users, instead of transferring small amounts of South Korean won as intended. Although the incident did not reflect a malicious hack, it highlighted weaknesses in monitoring and control processes, as well as the potential fallout when crypto infrastructure fails at scale.
Taken together, the seed phrase leak by the National Tax Service, the unaccounted-for Bitcoin held by police and the Bithumb miscalculation paint a picture of institutions still adapting to the demands of the crypto era. Technical complexity, combined with the irreversible nature of blockchain transactions, leaves little room for error.
For citizens and taxpayers, these episodes raise legitimate questions about whether public agencies are fully prepared to handle the responsibilities that come with seizing, storing and managing digital assets. As the country moves to implement stricter rules and surveillance around crypto trading and taxation, the pressure on regulators to tighten their own internal practices is only likely to grow.
Overall, the NTS seed phrase leak serves as a cautionary tale on multiple levels: it illustrates how a single image in a press release can compromise millions in tokens, shows the limits of nominal valuations in illiquid markets and highlights ongoing gaps in public-sector crypto expertise. The episode may ultimately accelerate internal reforms and force agencies to rethink how they document, communicate and safeguard the digital assets they touch, if only to avoid repeating the same mistakes under even less forgiving circumstances.
