South Korea’s National Tax Service has apologized after it leaked passwords to a stash of stolen crypto, which parties unknown used to make off with the digi-cash.
This strange story starts on February 26th when the Tax Service triumphantly announced it had busted 124 high-value tax delinquents and seized ₩8.1 billion ($5.6 million) worth of cash and luxury goods. As is often the case with seizures of this sort, the Tax Service shared photos of its haul with the media.
As the Service explained in its apology, it intended that those photos would “provide more vivid information to the public.” Instead, they provided vivid information to crooks who recognized the photos included a seed phrase – a credential used to recover access to a cryptocurrency wallet if passwords and other means of logging in are lost.
It appears that someone spotted the seed phrase in the Tax Service’s images, because within hours of the agency publicizing its raids, funds drained from one of the crypto wallets its agents seized.
The stolen tokens – Pre-Retogeum, aka PRTG – were apparently worth $4.8 million, or the majority of the Tax Service’s haul.
The one tiny upside in this whole mess is that the heist was of course recorded on a blockchain, so the Tax Service has asked Korea’s National Police Agency to track down whoever emptied the wallet. Despite blockchain advocates often promoting the tech as a more private way to conduct transactions, law enforcement authorities regularly identify those who conduct cryptocurrency trades, so perhaps this will still end in a win for the Tax Service.
The agency is nonetheless suitably contrite, and has promised to strengthen its internal controls to stop exposing credentials in public.
Indeed, its apology states it has already revisited the manual it uses when seizing, storing, and disposing of virtual assets, and will ensure its team is trained on those new procedures. ®


