$1.5 million. That is what South Korean authorities say vanished from police evidence storage at the Gangnam Police Station in Seoul, and the audacity of the theft is matched only by the recklessness of the custody arrangement that made it possible. The physical cold wallet never left the building. The Bitcoin did.
Two men in their 40s, both reportedly linked to the A Coin Foundation, were arrested on 25 February 2026 by the Gyeonggi Northern Provincial Police Agency. The agency charged them with violating the Information and Communications Network Act for allegedly "leaking" the coins from a device held at the Gangnam Police Station. The 22 Bitcoin involved, valued at roughly 2.1 billion won (about $1.5 million) at current market prices, had been sitting undetected in police custody for years.
The coins were secured in November 2021 during an investigation into a computer fraud case. The stolen Bitcoin stash was stored in a wallet provided by a plaintiff in a hacking case, rather than a police-controlled device. That single procedural failure created the gap through which everything else fell. As Korea's own police guidelines note, even if a physical hard wallet is seized during the confiscation of virtual assets, the owner or a nefarious third party can still move the assets using a recovery key. In this instance, the police made a fatal error by not also confiscating the recovery code, which was then passed on to the hacker.
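The mechanism behind that guideline, as an added example (not from the article or the police guidelines): assuming the wallet follows the widely used BIP-39/BIP-32 scheme, which the article does not specify, the master key is computed from the recovery words alone, so any device given the same words rebuilds the same wallet. The phrase is the public BIP-39 test-vector phrase, and `restore` and `same_wallet` are hypothetical helper names.

```python
import hashlib
import hmac
import unicodedata

# Public BIP-39 test-vector phrase, used here as constructed sample input.
SAMPLE_PHRASE = " ".join(["abandon"] * 11 + ["about"])


def bip39_seed(phrase, passphrase=""):
    """BIP-39: seed = PBKDF2-HMAC-SHA512(words, "mnemonic" + passphrase, 2048 rounds)."""
    # Collapse whitespace and apply NFKD so the same words always give the same bytes.
    # Checksum validation against the BIP-39 wordlist is omitted to stay self-contained.
    words = unicodedata.normalize("NFKD", " ".join(phrase.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode(), salt.encode(), 2048, dklen=64)


def bip32_master(seed):
    """BIP-32: HMAC-SHA512 keyed with b"Bitcoin seed" -> (master key, chain code)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def restore(phrase, passphrase=""):
    """What any wallet does on 'restore from recovery phrase': no hardware input at all."""
    return bip32_master(bip39_seed(phrase, passphrase))


def same_wallet(a, b):
    """Constant-time comparison of two (master key, chain code) pairs."""
    return hmac.compare_digest(a[0] + a[1], b[0] + b[1])


if __name__ == "__main__":
    # The device sitting in the evidence locker.
    seized_device = restore(SAMPLE_PHRASE)
    # A second device, anywhere, initialised from a copy of the same words.
    other_device = restore("  " + SAMPLE_PHRASE.replace(" ", "   ") + "\n")
    print("same wallet from the words alone:", same_wallet(seized_device, other_device))
    # The optional BIP-39 passphrase is part of the derivation: change it and
    # the same words lead to a different wallet.
    print("same wallet with a passphrase:  ",
          same_wallet(seized_device, restore(SAMPLE_PHRASE, "sealed")))
```

Nothing in the derivation depends on the seized device, which is why holding the hardware without the recovery words, or without moving the funds to an agency-controlled wallet, secures nothing.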
Here's the thing: the Gangnam officers were not operating in a policy vacuum. South Korean authorities had already released guidelines on how to handle seized digital assets, including transferring them to a cold wallet under the control of the investigative agency and stored in a separate safe. These rules had been published just two months before the incident. Unfortunately, the Gangnam Police failed to follow them, allowing the crime to take place without their realising it until much later.
The case also carries the distinct smell of corruption. A member of the original hacking investigation team was "indicted on bribery charges" last year, and the third-party firm in question "reportedly offered bribes in exchange for ensuring the investigation proceeded in their favour." The original detective in charge of the 2021 A Coin hacking case at Gangnam Police Station, a former senior superintendent identified only as D, is currently serving a prison sentence. What began as a victim reporting a hack has, over time, revealed itself as something far more tangled.
The theft would likely have remained undetected indefinitely had it not been for a separate, even larger scandal. In January 2026, 320 Bitcoin went missing from the Gwangju District Prosecutors' Office, leading the National Police Agency to conduct an audit on all virtual assets managed by local police. That audit, triggered by what was already an embarrassing institutional failure, is what exposed the Gangnam shortfall. The authorities thought they still had the coins because the cold wallet was still in their custody. They had the box. Someone else had the key.
The Gwangju case is worth pausing on, because it illustrates just how systemic the problem is. The theft originally happened back in August 2025 when prosecutors fell victim to a phishing attack during their routine custody verification procedures. A staff member apparently accessed a fake website designed to look like a legitimate crypto management platform, and unknowingly exposed the wallet's seed phrases to attackers who drained the 320 BTC shortly after. In an almost improbable twist, the Gwangju Bitcoin was eventually recovered after exchanges froze the relevant wallets, with prosecutors suggesting "the hacker appears to have returned all Bitcoin voluntarily due to concerns about being unable to liquidate it."
Defenders of the agencies involved will point to genuine complexity. Cryptocurrency custody is a technically specialised field, and law enforcement institutions worldwide have been forced to adapt rapidly to evidence types their procedures were never designed to handle. Physical evidence, from drugs to cash to firearms, follows a chain-of-custody model developed over decades. A USB cold wallet looks identical to physical property. The difference, as these cases grimly illustrate, is that physical evidence cannot be drained remotely by someone who memorised a twelve-word recovery phrase years earlier.
Advocates for more robust digital asset regulation would note that the Financial Stability Board and bodies like the Financial Action Task Force have been pressing governments for years to formalise cryptocurrency custody standards. South Korea has been more active than most in regulating digital assets, but these cases suggest that good policy written at the national level does not automatically translate into sound practice at the station level.
The proposed fixes are, at least, sensible. New protocols to be introduced will include assigning dual custodians for wallets and sealing both hardware and recovery phrases, with plans to entrust assets to specialised custodians within the year. These are not radical ideas; they are standard practice in institutional finance. The question is why it took a string of public failures to get there.
The broader lesson is not one that belongs exclusively to South Korea. In Australia, the Australian Federal Police and state agencies have been seizing cryptocurrency as evidence for several years. The question of how, exactly, those assets are stored and who holds the recovery credentials is one that deserves public scrutiny before a similar audit surfaces a similar gap. Institutional accountability does not happen by accident; it requires regular, independent review of precisely the procedures that seem most routine.
Two people face charges in Seoul. One former detective is already in prison. Millions of dollars in public-interest evidence remain unrecovered. The cold wallet sat in its evidence locker the entire time, a perfect illusion of control. The Gangnam case is a reminder that in an age of digital assets, custody is not about where you keep the hardware. It is about who knows the password.