South Korean Prosecutors Recover Stolen Bitcoin After Phishing Attack
Gwangju District Prosecutors’ Office has successfully recovered approximately 31.8 billion won (roughly $23.5 million USD as of February 19, 2026) worth of Bitcoin that was stolen last year due to a phishing attack. The recovery, completed on February 17, 2026, came after the perpetrators voluntarily returned the cryptocurrency, reportedly feeling pressured by the ongoing investigation.
The Phishing Incident and Initial Loss
The incident came to light in August 2025, when investigators discovered that Bitcoin seized during a criminal investigation was missing. The loss occurred after investigators accessed a fraudulent Bitcoin e-wallet site, leading to the compromise of their wallet information [Chosun]. The stolen Bitcoin had been confiscated as proceeds from an illegal overseas gambling site, originally seized in November 2021 during a search of the daughter of the site operator.
Recovery Efforts and Hacker’s Motive
Following the discovery of the theft, the Gwangju District Prosecutors’ Office issued warrants and official requests to approximately 50 domestic and foreign virtual asset exchanges, requesting them to freeze any accounts receiving funds from the compromised wallet and to prevent any cashing out of the stolen Bitcoin [Chosun]. The stolen coins were initially held in an electronic wallet with an unknown owner, and no attempts were made to immediately liquidate them.
Prosecutors believe the hackers returned the Bitcoin on Lunar New Year’s Day, February 17th, due to concerns about being tracked via their IP addresses and email accounts, and to potentially mitigate sentencing during future legal proceedings [Chosun].
Broader Concerns and Security Weaknesses
This incident has highlighted vulnerabilities in how South Korean law enforcement agencies manage seized virtual assets. Initially, the Supreme Prosecutors’ Office considered storing confiscated cryptocurrency in a dedicated wallet under the office’s name, but abandoned the idea due to fears of becoming a hacking target. Currently, agencies primarily rely on changing passwords for electronic wallets, a method that is proving insufficient.
Experts point out that a “master key” can bypass password protection, potentially allowing criminal gangs to steal confiscated assets if multiple members possess keys. Solutions such as entrusting virtual assets to exchanges or specialized trust agencies are being proposed to enhance security.
Related Incident at Gangnam Police Station
The Gwangju case is not isolated. The Gangnam Police Station in Seoul recently reported the loss of 22 Bitcoins, worth approximately 2.1 billion won (roughly $1.57 million USD as of February 19, 2026), seized during a 2021 investigation [MK]. The Bitcoin disappeared from a “cold wallet” (offline electronic wallet) despite the physical device remaining secure.
Ongoing Investigations
The Gwangju Prosecutor’s Office is currently investigating five investigators involved in managing the confiscated Bitcoin, exploring possibilities ranging from simple negligence to potential collusion with the phishing group. The office is pursuing the phishing case independently of the recovered funds [Chosun]. The National Police Agency is also reviewing the virtual asset management practices of police stations nationwide [MK].
Keep reading