Korean Police Blunder: $1.5M in Bitcoin Stolen from Custody Due to Recovery Key Mishandling

Chips Reporter

South Korean authorities arrested two suspects after 22 Bitcoin ($1.5M) were stolen from police custody when a third-party company handed over recovery keys to a hacker, exposing critical failures in digital asset handling procedures.

Two suspects have been arrested in South Korea following the theft of 22 Bitcoin worth approximately $1.5 million from police custody, in what authorities are calling a "bungled procedure" that exposed critical vulnerabilities in how law enforcement handles seized cryptocurrency assets.

The incident came to light during a broader audit triggered by another cryptocurrency theft. In January 2026, 320 Bitcoin went missing from the Gwangju District Prosecutors' Office, prompting the National Police Agency to conduct a comprehensive review of all virtual assets managed by local police departments across the country.

During this audit, investigators discovered that 22 Bitcoin had been stolen from the Gangnam Police Station. What made this theft particularly egregious was that the police believed they still possessed the assets because the physical cold wallet remained in their custody. However, the actual Bitcoin had been transferred months earlier without their knowledge.

According to reports from Dong-A Ilbo, the virtual asset company that originally held the cold wallet containing the 22 BTC had voluntarily surrendered it to police in 2021 after requesting an investigation into a hacking incident. Police regulations explicitly require authorities to transfer any seized virtual assets to a cold wallet directly under the control of the local station and store it in a separate vault.

However, this critical procedure was not followed. The failure to properly secure the digital assets created an opening for theft that would have gone undetected if not for the parallel investigation into the Gwangju case.

The theft occurred when the company that originally owned the wallet encountered financial difficulties in 2022. An official from the firm allegedly borrowed the equivalent amount from a hacker, claiming they would repay the loan after the police returned the cryptocurrency. In a catastrophic security failure, the company also provided the attacker with the mnemonic seed phrase required to recover the private keys that granted access to the Bitcoin.

With this information, the hacker was able to recover the contents of the cold wallet and transfer the 22 BTC to an unknown destination, all while the physical USB drive remained in police custody. This highlights a fundamental misunderstanding of how cryptocurrency security works – the assets themselves are not stored on the physical device but are recorded on the blockchain, and the device holds only the private keys needed to access them.

South Korean police guidelines explicitly state that even when a physical hardware wallet is seized during the confiscation of virtual assets, the owner (or a third party) can still move the assets using a recovery key. In this case, the Gangnam Police made the fatal error of not confiscating the recovery code, which was subsequently passed on to the hacker.
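The following added example (not part of the original article) shows why holding the device is not holding the funds, and why the guidelines call for moving assets to a wallet the agency generated itself. It assumes the wallet follows the common BIP-39/BIP-32 standards, which the article does not state; the mnemonics are public BIP-39 test vectors, not real wallets, and the function names are illustrative.

```python
import hashlib
import hmac
import unicodedata

# Public BIP-39 test vectors, used here as stand-ins (never hold funds on these).
ORIGINAL_OWNER_PHRASE = "abandon " * 11 + "about"
AGENCY_GENERATED_PHRASE = (
    "legal winner thank year wave sausage worth useful legal winner thank yellow"
)


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39: seed = PBKDF2-HMAC-SHA512(mnemonic, "mnemonic" + passphrase, 2048)."""
    # Collapse whitespace so a phrase copied from paper matches the device's phrase.
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac(
        "sha512", words.encode("utf-8"), salt.encode("utf-8"), 2048, dklen=64
    )


def bip32_master(seed: bytes) -> tuple:
    """BIP-32: HMAC-SHA512 keyed with "Bitcoin seed" gives (master key, chain code)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def controls_same_wallet(phrase_a: str, phrase_b: str) -> bool:
    """True if both phrases derive the same master key, with no device involved."""
    key_a, _ = bip32_master(bip39_seed(phrase_a))
    key_b, _ = bip32_master(bip39_seed(phrase_b))
    return hmac.compare_digest(key_a, key_b)


if __name__ == "__main__":
    # A written copy of the phrase is a complete substitute for the seized device.
    copy_outside_custody = "  abandon " * 11 + " about\n"
    print("copy outside custody controls seized wallet:",
          controls_same_wallet(ORIGINAL_OWNER_PHRASE, copy_outside_custody))
    # A wallet generated by the agency shares no key material with the old phrase,
    # so funds swept to it cannot be moved by anyone holding the old phrase.
    print("old phrase controls agency wallet:",
          controls_same_wallet(ORIGINAL_OWNER_PHRASE, AGENCY_GENERATED_PHRASE))
```

Every key in the wallet is derived from the master key and chain code, so the comparison above is sufficient to show control of all addresses in it.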

This incident is particularly troubling given that South Korean authorities had already published guidelines on handling seized digital assets just two months before the theft occurred. These rules mandated transferring seized cryptocurrency to a cold wallet under the direct control of the investigative agency and storing it in a separate secure location.

The Gangnam Police's failure to follow their own recently established protocols allowed the crime to occur undetected for an extended period. The theft remained hidden until the broader audit revealed the discrepancy between the physical wallet in custody and the actual location of the Bitcoin on the blockchain.

While 22 Bitcoin may seem like a relatively small amount compared to other major cryptocurrency thefts – such as the $30 million Upbit hack in late 2025 or the record $2 billion stolen by North Korean hackers in 2025 – the fact that it was under government control and still stolen represents a significant failure in digital asset security protocols.

The incident underscores the unique challenges law enforcement faces when dealing with cryptocurrency seizures. Unlike physical evidence, which can be secured through traditional means, digital assets require specialized knowledge and procedures to prevent unauthorized access. The Gangnam Police's treatment of the virtual assets as if they were physical evidence – assuming the BTC were actually stored on the USB drive in their possession – demonstrates a fundamental misunderstanding of cryptocurrency technology.

South Korean authorities have arrested two individuals in connection with the theft, though details about the suspects and their specific roles in the crime have not been fully disclosed. The case serves as a cautionary tale for law enforcement agencies worldwide as they grapple with the increasing prevalence of cryptocurrency in criminal activities and the need for specialized protocols to secure these digital assets during investigations.

As cryptocurrency continues to play a larger role in both legitimate commerce and criminal enterprises, the ability of law enforcement to properly secure seized assets will become increasingly critical. This incident in South Korea highlights the urgent need for comprehensive training and strict adherence to established protocols when handling digital assets in police custody.
