South Korean investigators arrested two people after a procedural breakdown at Gangnam Police Station led to the disappearance of 22 Bitcoin, reported at roughly $1.4 million–$1.8 million in value. The core failure wasn’t market volatility or “hack sophistication,” it was basic custody control: authorities lost unilateral access to seized funds. The Gyeonggi Northern Provincial Police Agency confirmed the arrests after a nationwide audit surfaced the gap and pointed to weaknesses in how seized cryptocurrency was stored and governed.
The Bitcoin was seized in November 2021 in connection with the “A Coin Foundation” hacking case, but reporting says it was moved to a third-party cold wallet rather than a police-controlled cold wallet. Once the police failed to retain the seed phrase, they effectively handed away the one thing that matters in crypto custody: recovery credentials. Transfers believed to have occurred in 2022 went unnoticed for roughly four years, which turns this into a story about controls and oversight as much as alleged misconduct.
How custody broke down and why physical control wasn’t enough
Reporting describes a clear breach of standard evidence handling for digital assets. The confiscated Bitcoin was kept in a cold wallet managed by an external company, and the police did not retain the wallet’s recovery seed. Even if the device sat inside an evidence vault, control of the seed phrase meant control of the funds—so “locked hardware” did not equal “secured assets.” That mismatch is exactly how on-chain assets can disappear without anyone “breaking into” a physical room.
An official at the third-party company allegedly passed the seed phrase to an individual identified as “Mr. Jeong” under a loan arrangement, enabling restoration of the wallet and outbound transfers. The detail that the hardware remained physically stored while the credentials traveled is the operational red flag: credentials are the asset. Some reporting also points to the alleged involvement of a “crypto CEO” who restored the wallet using recovery credentials and embezzled the funds, reinforcing the same theme—once recovery material leaves the custody perimeter, the perimeter is gone.
The loss only came to light after a separate incident—the disappearance of 320 Bitcoin from the Gwangju District Prosecutors’ Office—triggered a nationwide audit. What ultimately exposed the problem wasn’t routine reconciliation; it was a bigger failure elsewhere that forced the system to look. The same reporting also notes that a former investigator tied to the original hacked-exchange probe was sentenced in August 2025 to 18 months in prison for accepting bribes linked to that case, adding context about governance fragility around the broader matter.
The operational lesson for custodians, compliance teams, and evidence handlers
The incident highlights a cluster of preventable custody risks: loss of seed control, informal third-party arrangements, weak record retention, and delayed discovery due to inadequate audits. In institutional terms, this is what happens when policy says “controlled custody,” but execution relies on informal trust and incomplete credential governance. For treasuries and custodial operators, the uncomfortable takeaway is that on-chain traceability does not protect you if the private-key lifecycle is unmanaged.
The practical controls implied by the episode are simple but non-negotiable. Law enforcement must maintain exclusive control over recovery credentials for seized assets, and custody must be designed so third parties cannot unilaterally restore or move funds. Segregated custody needs to cover credentials and access logs, not just physical storage of devices. And audits have to be regular and independent, reconciling on-chain balances against evidence inventories so discrepancies surface quickly rather than years later.
The Gyeonggi Northern Provincial Police Agency said it is continuing its investigation to determine the full scope and attribution. For market participants, the broader impact is reputational and supervisory: cases like this tend to accelerate demand for enforceable custody standards and faster reconciliation routines for seized or escrowed crypto. Institutions that handle held assets—whether as custodians, trustees, or payment operators—will likely face more pressure to demonstrate that their controls prevent exactly this kind of credential leakage.
