Multi-Million Dollar U.S. Government Crypto Theft Linked to Contractor’s Son: ZachXBT Investigation

CryptopulseElite

A major security and oversight scandal has erupted within the U.S. government’s cryptocurrency management system. Renowned blockchain investigator ZachXBT has publicly alleged that an individual named John Daghita, son of a federal contractor executive, is responsible for the theft of at least $40 million from U.S. Marshals Service-seized crypto wallets.

The targeted assets were linked to high-profile cases like the 2016 Bitfinex hack, and the alleged perpetrator’s father, Dean Daghita, is president of Command Services & Support (CMDSS)—a firm holding a lucrative 2024 contract to manage such seized assets. This case raises profound questions about insider risk, contractor vetting, and the U.S. government’s competency in securing billions in digital assets, potentially triggering calls for a complete overhaul of its crypto custody protocols.

The Unraveling: How a “Band-for-Band” Brag Exposed a Heist

The path to this stunning revelation was as unconventional as the crime itself. It began not with a formal audit or a government whistleblower, but within the shadowy corners of a Telegram group chat, where cybercriminals sometimes engage in “band-for-band” disputes—public boast-offs to prove who controls more illicit wealth. During one such recorded argument, an individual using the alias “Lick” attempted to establish dominance by screen-sharing a crypto wallet holding millions. This digital peacocking provided the crucial, unguarded evidence that blockchain sleuth ZachXBT needed to begin his forensic work.

ZachXBT meticulously traced the publicly visible transactions from the wallets flaunted by “Lick.” The digital breadcrumbs led backwards through a complex maze of blockchain addresses, ultimately converging on a critical point: a direct, multimillion-dollar inflow from a wallet identified as belonging to the U.S. government. This specific government wallet was known to hold a portion of the cryptocurrency seized from the perpetrators of the 2016 Bitfinex exchange hack. By correlating transaction timestamps, amounts, and the subsequent rapid consolidation of funds, ZachXBT built a compelling public ledger trail suggesting that “Lick” had illicitly accessed and drained government-controlled assets. The investigator then linked the online persona “Lick” to a real-world identity: John Daghita.

Following the Digital Trail: Key Data Points in the Alleged Theft

  • The Catalyst: A Telegram “band-for-band” argument leads to the screen-sharing of an Exodus wallet containing ~$2.3 million in TRON (TRX).
  • Live Consolidation: During the dispute, an additional $6.7 million in Ethereum (ETH) is moved live into a connected wallet, bringing the visible total to roughly $23 million in one address.
  • Source of Funds: Forensic tracing links this consolidated wallet to an address that received $24.9 million from a known U.S. government seizure wallet in March 2024.
  • Known Government Wallet: The sending address is part of the cache of assets seized by the U.S. government from the 2016 Bitfinex hack.
  • Prior Incident: ZachXBT had previously flagged unusual activity from this same government wallet cluster in October 2024, when approximately $20 million was briefly drained and mostly returned, with about $700,000 permanently lost through instant exchanges.
  • Total Under Investigation: The alleged activities of John Daghita (“Lick”) are now connected to a broader pattern involving over $90 million in suspected stolen cryptocurrency across 2024 and 2025.

The Contractor Connection: CMDSS and a Controversial Government Contract

The plot thickened exponentially when ZachXBT uncovered the familial connection between the alleged thief and the very system he was accused of plundering. John Daghita was identified as the son of Dean Daghita, the president and founder of Command Services & Support (CMDSS), a Haymarket, Virginia-based IT and consulting firm. This was not just any family business; in October 2024, CMDSS was awarded a significant contract by the U.S. Marshals Service (USMS) to assist with the “management and disposal” of seized “Class 2-4” cryptocurrencies—a category that includes a vast array of altcoins and tokens not supported by mainstream exchanges.

The awarding of this contract was itself mired in controversy. CMDSS outbid several competitors, including the more crypto-specialized firm Wave Digital Assets. Wave subsequently filed a formal protest with the Government Accountability Office (GAO), alleging that CMDSS lacked necessary financial regulatory licenses and raised a red flag regarding a potential conflict of interest. Wave’s protest pointed to CMDSS’s employment of a former U.S. Marshals Service official who may have had access to non-public information relevant to the contract bidding process. Despite these serious allegations, the GAO denied the protest, concluding the USMS’s evaluation process was “reasonable.” This pre-existing scrutiny now casts a long shadow over the procurement process, suggesting warning signs may have been overlooked in favor of a contractor whose internal controls appear to have been catastrophically breached.

A System Under Strain: The U.S. Government’s Crypto Custody Challenge

The alleged theft exposes systemic vulnerabilities that extend far beyond a single contractor or individual. The U.S. Marshals Service, tasked with liquidating billions of dollars worth of seized bitcoin and other cryptocurrencies from cases like Silk Road, Bitfinex, and FTX, has long struggled with the technical complexities of the asset class. A February 2025 report from CoinDesk revealed an alarming lack of basic inventory controls, noting that the agency could not provide a clear estimate of its total bitcoin holdings and had historically relied on error-prone spreadsheets for tracking.

This case highlights the critical difference between seizing cryptocurrency and securely managing it over time. Seizing assets involves obtaining private keys or court orders to freeze exchange accounts. However, ongoing custody requires enterprise-grade security protocols, multi-signature wallet setups, rigorous access controls, and continuous auditing—capabilities that appear to be lacking. The reliance on third-party contractors like CMDSS introduces a “trusted insider” risk vector. If individuals with familial or close personal ties to contractors can gain access, even indirectly, to the sensitive information or assets, the entire custody chain is compromised. It suggests that government agencies may be applying traditional physical asset custody frameworks to a digital environment that demands a fundamentally different, and far more stringent, security paradigm.

The Fallout and the Cover-Up: Digital Scrub and Lingering Questions

In the wake of ZachXBT’s public investigation, a frantic effort to obscure the digital paper trail appears to have commenced. Shortly after the allegations gained traction online, CMDSS executed a near-total digital scrubbing of its public presence. The company’s official account on X (formerly Twitter) was deleted. Its LinkedIn profile, which would have listed leadership and employee details, vanished. Crucially, the CMDSS corporate website was stripped of all information regarding its team, leadership bios, and corporate history, leaving only generic service descriptions—a classic maneuver to distance a brand from a burgeoning scandal.

Simultaneously, John Daghita (“Lick”) took steps to cover his own tracks. He reportedly removed NFT-based username identifiers from his Telegram account and changed his screen name, attempting to break the direct link between his online persona and the evidence presented. However, in the blockchain world, on-chain transactions are immutable. While social media profiles can be deleted, the movement of $40 million in cryptocurrency is permanently etched onto public ledgers, providing investigators with an incontrovertible financial timeline. These reactive attempts at obfuscation, rather than projecting innocence, often signal a consciousness of guilt and have further intensified scrutiny from both the public and, presumably, federal law enforcement agencies now compelled to investigate.

Insider Risk: The Human Vulnerability in Cryptographic Security

At its core, this alleged heist is not a story of a hacker exploiting a software bug or a cryptographic weakness in Bitcoin’s code. It is a textbook case of *insider risk*—the most persistent and difficult-to-defend-against threat in both traditional and digital finance. The breach likely did not require sophisticated code-breaking; it may have involved something as simple as unauthorized access to a private key, a seed phrase, or administrative credentials through familial proximity. This underscores a painful truth for the crypto industry and government regulators alike: the most advanced multi-signature vault or hardware security module (HSM) is only as secure as the humans who have access to it.

The case draws uncomfortable parallels to other major crypto thefts where the breach came from within, such as exchange employees or compromised executives. It demonstrates that when vast sums are managed, protocols must be designed with the assumption that insider threats exist. This includes stringent background checks for all personnel with any potential access (including family members of key employees), robust separation-of-duty rules, mandatory multi-party approval for any asset movement, and continuous, real-time auditing by independent third parties. The U.S. Marshals Service’s apparent failure to mandate or enforce such standards for its contractors represents a catastrophic governance failure.
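
The multi-party approval, separation-of-duty and continuous-audit controls described above can be checked mechanically by reconciling observed custody outflows against an approval ledger. The sketch below is an added example, not part of the original article or any agency's tooling; the ledger format, the quorum of two, and all wallet labels and names are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:            # one observed on-chain outflow
    txid: str
    source: str
    dest: str
    amount: int            # smallest unit of the asset

@dataclass(frozen=True)
class Approval:            # entry in a hypothetical internal approval ledger
    source: str
    dest: str
    max_amount: int
    requester: str
    approvers: tuple

def audit_outflows(transfers, approvals, custody_wallets, quorum=2):
    """Return (txid, reason) for every custody outflow that breaks policy."""
    unused = list(approvals)          # each approval authorizes one movement
    findings = []
    for t in transfers:
        if t.source not in custody_wallets:
            continue                  # not a wallet we are responsible for
        match = next((a for a in unused
                      if (a.source, a.dest) == (t.source, t.dest)
                      and t.amount <= a.max_amount), None)
        if match is None:
            findings.append((t.txid, "no matching approval"))
            continue
        unused.remove(match)          # a replayed approval will not match again
        # Separation of duties: the requester's own sign-off does not count.
        independent = set(match.approvers) - {match.requester}
        if len(independent) < quorum:
            findings.append((t.txid, "quorum not met"))
    return findings

# Constructed sample data; wallet labels and names are placeholders.
CUSTODY = {"custody-wallet-1"}
APPROVALS = [
    Approval("custody-wallet-1", "exchange-deposit-A", 100, "alice", ("bob", "carol")),
    Approval("custody-wallet-1", "exchange-deposit-B", 50, "alice", ("alice", "bob")),
]
TRANSFERS = [
    Transfer("tx1", "custody-wallet-1", "exchange-deposit-A", 100),
    Transfer("tx2", "custody-wallet-1", "exchange-deposit-B", 50),
    Transfer("tx3", "custody-wallet-1", "unknown-address-X", 900),
    Transfer("tx4", "unrelated-wallet", "unknown-address-X", 5),
    Transfer("tx5", "custody-wallet-1", "exchange-deposit-A", 100),
]
```

Calling `audit_outflows(TRANSFERS, APPROVALS, CUSTODY)` flags the self-approved transfer, the unapproved one, and the second use of an already-consumed approval.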

The Path Forward: Demands for Audit, Transparency, and Reform

The immediate aftermath of this scandal will be defined by demands for accountability and systemic change. Lawmakers on Capitol Hill, particularly those on financial services and oversight committees, are likely to call for hearings. The first and most urgent demand will be for a full, independent, and public audit of all cryptocurrency holdings managed by or on behalf of the U.S. government. This audit must trace the provenance and current status of every significant asset seized, from the early Silk Road bitcoin to the latest FTX-related altcoins.

Furthermore, there will be intense pressure to reform the entire contracting process for government crypto custody and liquidation. Expect proposals for new legislation that mandates:

  1. Stringent Contractor Requirements: Mandatory cybersecurity certifications, proof of institutional-grade custody infrastructure, and strict conflict-of-interest disclosures for all bidders.
  2. Real-Time Transparency: The implementation of publicly viewable, but non-spendable, government wallet addresses where major holdings are stored, allowing for crowdsourced oversight by investigators like ZachXBT.
  3. Professionalization of Custody: Moving management away from general IT contractors and towards specialized, regulated digital asset custodians who make security their core business.

The scandal may ultimately accelerate the government’s adoption of more transparent and verifiable on-chain treasury management practices, ironically using blockchain’s own transparency to secure its assets.

FAQ

Q1: Who is alleged to have stolen the government’s cryptocurrency?

A1: Blockchain investigator ZachXBT has alleged that an individual named John Daghita, who used the online alias “Lick,” is responsible for the theft. The investigation suggests he siphoned at least $40 million from wallets containing assets seized by the U.S. Marshals Service.

Q2: What is the connection to a U.S. government contractor?

A2: John Daghita is the son of Dean Daghita, the president of Command Services & Support (CMDSS). CMDSS was awarded a contract in October 2024 by the U.S. Marshals Service to help manage and sell off seized cryptocurrencies, placing the alleged thief’s father in a position of trust over the very assets that were stolen.

Q3: How was the theft discovered?

A3: The initial clue emerged from a “band-for-band” bragging argument in a Telegram chat, where “Lick” screen-shared wallets containing millions. Investigator ZachXBT traced the funds in those wallets back to transactions originating from known U.S. government seizure addresses.

Q4: What happened to the stolen funds?

A4: According to the traced blockchain data, at least $23 million was consolidated into a single wallet during the Telegram argument. The funds have since been moved through various addresses in an attempt to launder them. A previous, similar incident in October 2024 saw most of a $20 million drain returned within a day, but $700,000 was permanently lost via instant exchanges.

Q5: What does this mean for the U.S. government’s management of crypto assets?

A5: This case exposes severe vulnerabilities and a lack of sophisticated custody controls within government agencies. It highlights critical insider risks and inadequate contractor oversight. The scandal will likely trigger congressional scrutiny, demands for a full audit of all government-held crypto, and a complete overhaul of how the U.S. secures and manages seized digital assets.
