South Korean prosecutors from the Gwangju District Prosecutors’ Office recovered approximately 320.88 Bitcoin (BTC)—valued at around $21-21.4 million at the time—after an unknown hacker voluntarily returned the stolen funds.
The Bitcoin was stolen in August 2025 when investigators accidentally entered their wallet recovery seed phrases or sensitive credentials into a phishing website during an ongoing probe. The funds were cryptocurrency seized in a prior raid linked to a gambling platform investigation.
Prosecutors only noticed the disappearance during a routine check in late 2025 around December/January. On or around February 17, 2026, the hacker transferred the full amount (320.8+ BTC) back to an official wallet controlled by the authorities. The funds were then moved to a secure wallet at a domestic cryptocurrency exchange for safekeeping.
Authorities quickly tracked the stolen wallet’s activity and coordinated with centralized exchanges to freeze or block transactions linked to those funds. This made it extremely difficult or impossible for the hacker to liquidate or move the Bitcoin without detection, reportedly pressuring them to return it rather than risk permanent loss or further tracing.
No arrests have been made, and the hacker’s identity remains unknown. Prosecutors continue their investigation, but the full recovery is being hailed as an unusual and positive outcome in a crypto theft case.
This incident highlights ongoing challenges with secure handling of seized crypto assets by law enforcement, but also shows how blockchain transparency and rapid exchange cooperation can limit a thief’s options.
The return of 320.88 BTC ($21–21.4 million) by an unidentified hacker to South Korean prosecutors is an exceptionally rare event in cryptocurrency theft history. Most stolen crypto is laundered, mixed, or spent rather than voluntarily returned, making this case stand out with several key implications across security, law enforcement, regulation, and the broader crypto ecosystem.
The primary reason cited for the return is that prosecutors quickly coordinated with domestic and international centralized exchanges to freeze transactions linked to the stolen wallet addresses. This made it nearly impossible for the hacker to cash out or launder the funds without triggering alerts, KYC flags, or permanent blacklisting.
Large-scale thefts are becoming harder to profit from. Criminals face a stark choice: hold unusable (“tainted”) assets indefinitely or return them to avoid total loss. This shifts the economics of crypto crime toward lower expected returns, potentially deterring future opportunistic attacks, especially by non-state actors.
The original theft stemmed from investigators accidentally entering sensitive credentials (seed phrases or recovery info) into a phishing site during an ongoing probe—classic social engineering, not a sophisticated exploit. This follows other recent South Korean incidents, like separate police losses of seized BTC from “secure” wallets.
Even government/law enforcement agencies handling seized crypto remain highly vulnerable to basic phishing and operational security (OpSec) failures. It underscores the urgent need for multi-party computation (MPC) wallets, hardware security modules (HSMs), strict air-gapped processes, and mandatory phishing-resistant training and verification protocols.
Crypto’s irreversibility cuts both ways—once compromised, recovery is rare without external pressure like this case. No arrests have occurred, and the hacker’s identity is still unknown—yet the full amount was recovered.
This contrasts with typical outcomes where funds are lost forever or recovered only after lengthy blockchain analysis and legal pressure. It shows that proactive freezing/blocking can force voluntary surrender in some scenarios, offering a blueprint for other jurisdictions.
However, it also highlights limitations: without identifying the perpetrator, deterrence remains incomplete, and similar attacks could recur if the root cause (poor handling procedures) isn’t fixed. The funds never hit open markets (they moved directly back to authorities → secure exchange wallet), so no selling pressure or volatility spike occurred.
The case reinforces the narrative that improved tracing, freezing mechanisms, and institutional adoption of analytics tools like Chainalysis and Elliptic are squeezing cybercriminals. In a year with record-high thefts, often linked to state actors like North Korea’s Lazarus Group stealing billions, this small but complete recovery is a counter-example that shows defensive progress is possible.
The case arrives amid heightened scrutiny of crypto custody practices, following incidents like major exchange errors and other police wallet compromises. It may accelerate calls for stricter guidelines on how South Korean authorities and exchanges handle seized digital assets. Expect renewed focus on standardized custody protocols, independent audits, and possibly new legislation to prevent similar lapses.
It also fuels ongoing debates about balancing crypto’s pseudonymity with the ability of authorities/exchanges to intervene in illicit flows. While embarrassing for the prosecutors, the outcome is a net win: full recovery of public funds, zero market disruption, and a demonstration that coordinated, rapid response can sometimes turn theft into restitution.
It doesn’t eliminate crypto crime risks, but it narrows the window for profitable exploitation—especially for smaller, non-state hackers. The investigation continues, so more details or an eventual arrest could emerge.



