South Korean police have arrested two individuals suspected of embezzling 22 Bitcoins from police custody. According to Dong-A Libo [machine translated], a virtual asset company voluntarily surrendered the cold wallet containing the crypto back in 2021 when they requested the police to investigate a hacking incident. Police regulations require the authorities to move any seized virtual asset to a cold wallet directly under the control of the local station and stored in a separate vault, but it seems that this wasn’t followed in this case. In fact, the bungled procedure (and ensuing crime it allowed) wouldn’t have been discovered if it weren’t for another case of stolen Bitcoin.
In January 2026, 320 Bitcoin went missing from the Gwangju District Prosecutors’ Office, leading the National Police Agency to conduct an audit on all the virtual assets managed by local police. This led to the discovery of the 22 BTC theft at Gangnam Police Station, which, according to The Chosun Daily, the authorities thought they still had because the cold wallet was still in their custody.
However, it’s been alleged that the company that originally owned the wallet containing the 22 BTC ran into financial trouble sometime in 2022. An official from the firm claimed that it borrowed the same amount from a hacker, telling them that they’d repay the loan after the police returned the crypto. However, they also gave the attacker the mnemonic seed phrase that would allow them to recover the private keys that gave access to the Bitcoin. With this information, the hacker was able to recover the contents of the cold wallet and then transfer the 22 BTC wherever they pleased, right under the nose of the police.
22 Bitcoin, which is more than 2 billion KRW or around US$1.5 million at current exchange rates, seems to be a trivial amount, especially when compared to other instances of cryptocurrency theft, like the $30 million Upbit hack in late 2025 and the record $2 billion that North Korean hackers stole last year. But the fact that it was under the control of the government showed clear lapses on its part. The Gangnam Police treated the virtual assets like physical evidence, assuming that the BTC were actually stored in the USB drive in their possession. As Korea's own police guidelines note, even if a physical hard wallet is seized during the course of confiscating virtual assets, the owner (or a nefarious third party) can still move the assets using a recovery key. In this instance, the police made a fatal error by not also confiscating the recovery code, which was then passed on to the hacker
The South Korean authorities have already released guidelines on how to handle seized digital assets, including transferring them to a cold wallet under the control of the investigative agency and stored in a separate safe. In fact, these rules had already been published just two months before the incident. Unfortunately, the Gangnam Police failed to follow them, allowing the crime to take place without them realizing it until much, much later.
Follow Tom's Hardware on Google News, or add us as a preferred source, to get our latest news, analysis, & reviews in your feeds.
