$40M+ US Government Crypto Heist Allegedly Tied To Contractor Executive’s Son
On-chain sleuth ZachXBT has linked a series of high‑value crypto thefts from wallets associated with US government seizures to a young threat actor identified as John Daghita, known online as “Lick” — and, crucially, to a government contractor reportedly owned by his father.
According to ZachXBT, more than $40 million in digital assets were siphoned from addresses connected to US government enforcement activity, including wallets holding funds from the infamous Bitfinex hack seizures. The emerging theory is not that the government itself mismanaged keys, but that access may have been compromised somewhere within a contractor’s orbit.
Alleged Link Between Heist And Government Contractor
In a detailed breakdown published on January 25, ZachXBT pointed to Command Services & Support (CMDSS), describing it as an IT firm with an active government contract in Virginia. He alleged that CMDSS had been awarded a contract to support the US Marshals Service (USMS) with the management and disposal of seized or forfeited crypto assets.
The investigator then connected CMDSS to the suspect: the company is reportedly owned by John Daghita’s father. That family tie, he suggested, may explain how John could have gained visibility into or access to sensitive infrastructure related to government‑held wallets.
At the same time, ZachXBT was careful to note that the technical path of compromise is still unclear. It is not yet known whether credentials, internal tools, system access, or some other operational weakness was exploited, nor whether anyone on the contractor side knowingly participated. What the public evidence attempts to show is that the person flaunting funds online had control over wallets that lead back to government seizure addresses.
From Online Flex To Alleged Multi‑Million Dollar Trail
The allegations rest heavily on a combination of on‑chain forensics and a recorded dispute in a private chat. In material published on January 23, ZachXBT introduced “John (Lick)” as a threat actor who was “caught flexing” roughly $23 million in a wallet later linked to over $90 million in suspected thefts from the US government in 2024 and from other yet‑to‑be‑identified victims between November and December 2025.
The centerpiece of the thread is a heated argument between John and another alleged threat actor, Dritan Kapplani Jr. During this confrontation, they engaged in what insiders call “band for band” — an informal contest where participants try to outdo each other by proving how much crypto they control in real time.
According to ZachXBT, the entire exchange was recorded. The footage, he says, shows both participants sharing their screens, pulling up wallet applications, displaying balances, and even moving funds mid‑argument. This live, time‑stamped behavior is presented as key evidence that the accounts belong to the individuals involved, not to unrelated third parties.
Exodus Wallet Screenshare And On-Chain Corroboration
In the first part of the recording, Dritan allegedly mocks John, prompting him to defend his wealth. John reportedly responds by sharing his screen and opening Exodus Wallet. On camera, an Exodus interface appears to reveal a Tron address with a balance of about $2.3 million.
In a subsequent segment, while the verbal spat continues, another address on Ethereum allegedly receives around $6.7 million worth of ETH. Because the transfers and screen‑shared balances unfold in sync with the recorded conversation, ZachXBT argues that this strongly ties John to both wallets.
He frames this as the crucial forensic pivot: continuity of control. If one individual is seen navigating the same devices, accounts, and addresses over a period of time, then the collection of wallets they touch can be analyzed as a single cluster. From there, the funds’ origins can be traced backward across multiple blockchains.
Tracing Funds Back To US Government Seizure Wallets
Once he built out the suspected wallet cluster, ZachXBT started tracking the inflows. He claims the analysis leads back to a March 2024 transaction in which about $24.9 million was moved out of a US government address associated with the Bitfinex hack seizure.
That transfer, he says, is one of the core links between the wallet cluster controlled by John and addresses known to be operated by US authorities. On top of that, he asserts that approximately $18.5 million remains parked in a specific address within the same cluster, suggesting that not all funds have been laundered or cashed out.
The investigator goes further, alleging that the main address he examined received more than $63 million in inflows from suspected victims and government seizure wallets during the fourth quarter of 2025 alone. These funds reportedly moved across multiple networks and from diverse sources. Separately, he points to an additional inflow of about 4,170 ETH, which he values at around $12.4 million, arriving from the centralized exchange MEXC into the same cluster.
Taken together, the pattern painted by this data is of a single actor — or a small group acting in concert — routing stolen funds from official seizure wallets, other victims, and exchanges through a common infrastructure of addresses under their control.
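The clustering and backward-tracing steps described above can be sketched over a toy transfer graph. This is an added example, not code from ZachXBT or from the original article; every address name, label, and amount is a constructed placeholder, and `cluster_inflows` and `trace_origins` are hypothetical helper names.

```python
from collections import defaultdict, deque

# Constructed transfers: (sender, receiver, usd). All names are placeholders.
TRANSFERS = [
    ("seizure-wallet", "hop-1", 900),
    ("hop-1", "hop-2", 900),
    ("hop-2", "cluster-a", 600),
    ("hop-2", "cluster-b", 300),
    ("exchange-x", "cluster-a", 400),
    ("cluster-a", "cluster-b", 100),    # internal move, not an inflow
    ("unrelated-1", "unrelated-2", 50),
]
CLUSTER = {"cluster-a", "cluster-b"}    # wallets attributed to one controller
LABELS = {"seizure-wallet": "government seizure",
          "exchange-x": "centralized exchange"}

def cluster_inflows(transfers, cluster):
    """Sum the value entering the cluster, per external sender."""
    totals = defaultdict(int)
    for sender, receiver, usd in transfers:
        if receiver in cluster and sender not in cluster:
            totals[sender] += usd
    return dict(totals)

def trace_origins(transfers, cluster, labels, max_hops=5):
    """Breadth-first walk backward from the cluster along sender edges.
    Returns {address: (label, hops)} for each labelled origin reached."""
    senders = defaultdict(set)
    for sender, receiver, _ in transfers:
        senders[receiver].add(sender)
    seen = set(cluster)
    queue = deque((addr, 0) for addr in sorted(cluster))
    found = {}
    while queue:
        addr, hops = queue.popleft()
        if addr in labels and addr not in cluster:
            found[addr] = (labels[addr], hops)
            continue                    # stop at a labelled origin
        if hops == max_hops:
            continue                    # bound the search depth
        for sender in sorted(senders[addr] - seen):
            seen.add(sender)
            queue.append((sender, hops + 1))
    return found
```

Reachability only shows that a path of transfers exists; once funds are commingled at an intermediate address, attributing specific value to a specific origin needs amount and timing analysis on top of this walk.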
Unanswered Questions Around Operational Security
The follow‑up post on January 25 shifted the focus from tracing to access. If the addresses truly originated from US government seizures, how did an outside individual gain control over them?
This is where CMDSS enters the narrative. If the company was contracted to help manage and liquidate seized digital assets on behalf of the US Marshals Service, its internal systems and processes would likely have been adjacent to, or directly involved in, key management, wallet operations, or transaction execution.
The possibilities range widely. The compromise could, in theory, stem from:
– Poor internal security practices at a contractor or sub‑contractor
– Inadequately segmented access to private keys or key shards
– Misuse or theft of credentials or hardware wallets
– Exploitation of software or infrastructure used to interact with government wallets
– Social engineering or insider abuse
As of now, none of these theories has been publicly substantiated. ZachXBT himself emphasized that the precise method by which John may have obtained access “from his dad” is unknown. Official agencies have not yet publicly detailed any breach or confirmed how, or even whether, government infrastructure was compromised.
Digital Footprints Vanish As Online Identities Go Dark
Following the exposure of CMDSS in connection with the alleged theft, some of the company’s public‑facing profiles abruptly disappeared. According to ZachXBT, CMDSS’s account on X, its corporate website, and its LinkedIn presence were all deactivated shortly after his findings were published.
Simultaneously, he claimed that Daghita resurfaced in private chats, apparently taunting others again rather than going quiet. This behavior, if accurate, paints the picture of a young, brazen actor more inclined to boast than to lie low in the face of mounting scrutiny — a pattern not uncommon among high‑profile crypto thieves and fraudsters in past cases.
Industry And Policy Reactions
The story has sent ripples through both the Bitcoin community and the broader digital asset sector. High‑profile industry figures weighed in on the claims, focusing not just on the alleged criminal behavior, but on the structural weaknesses it appears to expose.
One key concern raised: if a contractor hired to safeguard and dispose of seized crypto can, directly or indirectly, be tied to a tens‑of‑millions‑of‑dollars theft, what does that say about current standards for vendor vetting, key management, and oversight?
Commentators have called for agencies such as the Treasury Department and the Department of Justice to urgently reassess how private keys for government‑held digital assets are generated, stored, and managed — particularly when third‑party firms are involved. Some argue that any exposure of private keys outside rigorously audited, government‑controlled environments represents an unacceptable systemic risk.
Why This Case Matters Beyond The Headlines
Although the alleged theft itself is substantial, the deeper significance lies in what it reveals about the evolving intersection of public sector asset custody and crypto infrastructure.
The US government has, over the past decade, accumulated sizable digital asset holdings via seizures from criminal operations, exchange hacks, darknet markets, and fraud schemes. These assets are often worth hundreds of millions of dollars and are periodically auctioned or otherwise liquidated. Managing them securely has become a specialized task, one that agencies increasingly outsource to private contractors with crypto expertise.
If those contractors — or people close to them — can exploit their position to siphon funds, it exposes a critical vulnerability in the state’s handling of seized assets. It also undermines public trust at a moment when governments worldwide are attempting to project competence and control in the digital asset space.
Moreover, this case highlights how pseudonymous online behavior can collide with formal institutional systems. A person allegedly bragging and competing for status in private chats, while simultaneously moving funds from addresses tied to highly sensitive government operations, shows how fragile the line is between “crypto culture” and real‑world criminal exposure.
The Growing Role Of Independent On‑Chain Investigators
Another important dimension is the role of independent analysts like ZachXBT. Without access to law enforcement databases or subpoena power, such investigators rely entirely on open blockchain data, public records, and social‑media breadcrumbs. Yet in several instances, their findings have preceded or even helped catalyze official investigations.
By piecing together on‑chain flows, online aliases, and real‑world entities like CMDSS, they often expose patterns that might otherwise remain buried. This kind of work does not replace formal legal processes — it cannot assign guilt in a court of law — but it can shape narratives, inform victims, and put pressure on institutions to respond.
At the same time, public accusations based on circumstantial or partially redacted evidence raise their own issues: the risk of misidentification, the potential for reputational damage to people or companies ultimately found not to be at fault, and the tension between transparency and due process.
Security Lessons For Institutions Holding Digital Assets
While this story centers on the US government, the underlying lessons apply to any institution that holds significant crypto balances:
1. Minimize trust in individuals and vendors. Multi‑signatures, hardware security modules, and threshold signatures should be configured so that no single contractor, employee, or family member can unilaterally move funds.
2. Enforce strict role separation. The teams or companies that design key infrastructure should not be the same ones that approve or execute large transactions. Oversight must be structural, not just policy‑based.
3. Audit both code and process. It is not enough to secure the wallets; the human workflows around them — including contractor access, key recovery procedures, and incident response — must be regularly stress‑tested.
4. Continuously monitor on‑chain activity. Real‑time alerts tied to known custody wallets can detect anomalous movements early, allowing agencies or institutions to intervene, communicate, or freeze off‑ramps.
5. Plan for insider threat. Background checks alone cannot fully mitigate risk. Technical architecture should assume that at least one insider may attempt to abuse their position.
If the allegations in this case are borne out, it will likely become a textbook example of why these principles are not optional when dealing with sizable digital asset holdings.
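One way to combine lessons 1, 2, 4 and 5 is to treat every outflow from a custody wallet as suspect unless it matches a disposal ticket approved by people from at least two independent organizations. The sketch below is an added example, not a description of any agency's or contractor's actual system; the wallet names, ticket structure, thresholds, and sample records are all constructed assumptions.

```python
from dataclasses import dataclass

CUSTODY = {"custody-1", "custody-2"}   # watched custody wallets (placeholders)
MIN_ORGS = 2                           # approvers must span this many organizations

@dataclass(frozen=True)
class Ticket:
    max_usd: int
    approvers: frozenset               # of (person, organization) pairs

@dataclass(frozen=True)
class Transfer:
    tx_id: str
    source: str
    destination: str
    usd: int

# Constructed sample data: approved disposals keyed by destination, then observed transfers.
TICKETS = {
    "auction-settlement": Ticket(5_000_000, frozenset({("alice", "agency"), ("bob", "contractor")})),
    "vendor-hot-wallet": Ticket(1_000_000, frozenset({("carol", "contractor"), ("dave", "contractor")})),
}
TRANSFERS = [
    Transfer("tx1", "custody-1", "auction-settlement", 4_000_000),
    Transfer("tx2", "custody-1", "unknown-address", 9_000_000),
    Transfer("tx3", "custody-2", "vendor-hot-wallet", 2_000_000),
    Transfer("tx4", "exchange-x", "unknown-address", 10),
]

def quorum_ok(ticket):
    """True when at least two people from MIN_ORGS distinct organizations signed off."""
    people = {person for person, _ in ticket.approvers}
    orgs = {org for _, org in ticket.approvers}
    return len(people) >= 2 and len(orgs) >= MIN_ORGS

def check_transfer(t, tickets):
    """Return the alert reasons for one transfer; an empty list means no alert."""
    if t.source not in CUSTODY:
        return []                      # only outflows from custody wallets are policed
    ticket = tickets.get(t.destination)
    if ticket is None:
        return ["no disposal ticket for destination"]
    reasons = []
    if not quorum_ok(ticket):
        reasons.append("approvers not from two independent organizations")
    if t.usd > ticket.max_usd:
        reasons.append("amount exceeds approved ceiling")
    return reasons

def scan(transfers, tickets):
    """Map tx_id to alert reasons for every transfer that violates policy."""
    alerts = {}
    for t in transfers:
        reasons = check_transfer(t, tickets)
        if reasons:
            alerts[t.tx_id] = reasons
    return alerts
```

Because the check keys on organization rather than headcount, two approvers from the same contractor (the `tx3` case) still raise an alert, which is the single-vendor and insider scenario the list warns about.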
What Comes Next
As of now, no formal public charges tied specifically to this alleged $40 million‑plus heist have been detailed in the information summarized here, and key questions remain unanswered:
– Have US authorities already detected and investigated the suspected theft internally?
– Was any part of the stolen crypto recovered or frozen on exchanges?
– What exactly was the scope of CMDSS’s role in managing government‑held assets?
– Will this lead to a broader overhaul of how the US handles seized digital currencies?
Given the size of the alleged theft and the sensitivity of the wallets involved, further developments are almost inevitable. Whether through court filings, official statements, or additional investigative disclosures, more clarity is likely to emerge on how a contractor executive’s son allegedly found himself at the center of one of the most audacious government‑linked crypto heists to date.

