- South Korean prosecutors in Gwangju traced and recovered $22 million in Bitcoin lost from confiscated cold wallets after a phishing incident
- The case led to nationwide audits of seized crypto wallets and ongoing investigations into the phishing site operator and related companies
South Korean prosecutors say they have recovered Bitcoin worth $22 million that had previously gone missing from confiscated wallets, reversing what had become a high-profile embarrassment for law enforcement. The case, centered on officials in the city of Gwangju, had stirred public criticism after authorities disclosed they had lost control of seized cryptocurrency to a phishing operation, with a similar incident later revealed in Seoul. The recovery underscores both the growing exposure of prosecutors to digital asset crime and the operational risks they face in handling crypto evidence.
How South Korean prosecutors lost control of confiscated Bitcoin
The controversy began when the Gwangju District Prosecutors’ Office acknowledged that 320 Bitcoin, held as evidence, were no longer under its control. The coins had been stored in five USB-based cold wallets locked in a secure vault, but an internal check revealed that the funds had vanished. According to officials, the disappearance was first detected on January 16, during a review of the confiscated assets.
The wallets themselves had been seized in November 2021 during an investigation into an alleged illegal online gambling operation. Prosecutors said the devices were taken from the daughter of the main suspect, and that she is also facing criminal charges. The trials of both the suspected operator and his daughter are still underway in Gwangju, meaning the cryptocurrency formed part of active court proceedings when it was drained.
The loss was traced back to an earlier audit process. Prosecution staff had tried to verify the wallet balances during an audit in August 2025, using what they believed was a legitimate online wallet checking service. The platform, however, turned out to be a phishing site designed to capture wallet details and enable its operators to empty connected addresses. By using the tool, staff inadvertently exposed the cold wallets to the phishing operators, who then transferred out all 320 Bitcoin.
Public criticism intensified when, shortly after the Gwangju revelation, police in Seoul disclosed that they too had lost Bitcoin in a similar way. In that case, the amount missing was valued at $2 million. Together, the incidents raised concerns about how securely South Korean prosecutors and police were managing digital assets seized during criminal investigations, particularly when relying on external tools for verification.
Investigative steps and recovery by South Korean prosecutors
Once the missing Bitcoin was discovered, South Korean prosecutors in Gwangju moved to trace the stolen funds. They reported that they were able to “quickly identify” the cryptocurrency wallet used by the operators of the phishing site. With that information, they contacted both domestic exchanges and major trading platforms overseas, requesting that all transactions linked to the suspect wallet be blocked.
These blocking requests formed the backbone of the recovery effort. By isolating the phishing operators’ wallet within the formal exchange system, prosecutors sought to prevent the rapid laundering or liquidation of the stolen Bitcoin. At the same time, they opened a wider investigation into the individual suspected of running the phishing website and into several related companies believed to be connected to the scheme.
The Gwangju District Prosecutors’ Office later announced that they had located $22 million worth of Bitcoin that had been siphoned off from the five confiscated wallets. The figure reflects the value of the 320 Bitcoin at the time of reporting. While authorities did not provide a detailed technical breakdown of the tracking process, they emphasized that coordination with exchanges was central to securing the funds before they could be fully dispersed.
Officials pledged to continue probing the phishing operation to determine the full scope of the crime. A prosecution representative told local newspaper Munhwa Ilbo that their goal was to clarify every detail of the incident through a thorough investigation. The case has spurred questions about procedural safeguards for handling seized digital assets, including the vetting of any online tools used to access or confirm wallet balances.
Rising crypto crime and institutional response in South Korea
The episode involving South Korean prosecutors comes amid a broader rise in crypto-related crime domestically and worldwide. Authorities have reported increasing encounters with schemes involving phishing, hacking, and fraudulent investment platforms, alongside established forms of online gambling and illegal betting that make heavy use of digital currencies.
Alongside financial scams, there are growing concerns about the physical safety of cryptocurrency holders. A security expert recently warned that criminals targeting crypto assets have become more violent, and advised individual holders to understand how to protect themselves as offenders seek to steal tokens through both online and offline means. The Gwangju case, however, highlights a different dimension: the vulnerability of official institutions entrusted with safeguarding seized tokens.
In the aftermath of the revelations from Gwangju and Seoul, justice and law enforcement agencies took internal measures. Prosecution and police offices nationwide were ordered to conduct audits of all cold wallets under their control. The aim was to confirm that no additional holdings of confiscated cryptocurrency had disappeared and to identify any weaknesses in how such wallets are managed, accessed, or checked.
The incident has drawn attention to several operational issues:
- Reliance on unverified third-party tools for wallet checks
- The need for stricter technical protocols when handling cold wallets
- The challenge of preserving evidence in a fast-moving crypto ecosystem
These points have become central to ongoing discussions about how South Korean prosecutors should update procedures to align with the realities of digital asset enforcement.
Conclusion
The recovery of $22 million in Bitcoin by South Korean prosecutors in Gwangju has partly repaired the damage from an incident that exposed major vulnerabilities in official handling of digital evidence. The loss of 320 Bitcoin through a phishing site during an internal audit, followed by a separate $2 million loss in Seoul, underscored the operational risks surrounding confiscated cryptocurrencies. By tracing the phishing operators’ wallet and coordinating with both domestic and international exchanges to block related transactions, prosecutors managed to locate the missing funds and advance a broader investigation into the suspects behind the scheme.
Ongoing trials involving the alleged operator of an illegal online gambling site and his daughter, from whom the cold wallets were originally seized, continue in parallel. Nationwide audits of cold wallets and renewed scrutiny of technical procedures indicate that agencies are moving to tighten controls. Against the backdrop of rising crypto-related crime and escalating threats to both institutions and individuals, the case has become a focal point for how South Korea’s justice system adapts to the demands of the digital asset era.
Disclaimer
The information provided in this article is for informational purposes only and should not be considered financial advice. The article does not offer sufficient information to make investment decisions, nor does it constitute an offer, recommendation, or solicitation to buy or sell any financial instrument. The content is opinion of the author and does not reflect any view or suggestion or any kind of advise from CryptoNewsBytes.com. The author declares he does not hold any of the above mentioned tokens or received any incentive from any company.
Featured image created by AI
