On-chain investigator ZachXBT says a $40 million-plus theft from US government crypto seizure wallets may trace back to John Daghita, an alleged threat actor who goes by “Lick,” and a contractor relationship tied to Daghita’s family.
The $40 Million+ Govt Crypto Wallet Robbery
In a Jan. 25 post, ZachXBT pointed to Command Services & Support (CMDSS), describing it as a firm with “an active IT government contract in Virginia,” and alleging it was “awarded a contract to assist the USMS in managing/disposing of seized/forfeited crypto assets.” ZachXBT added: “It still remains unclear at this point how John obtained access from his dad.”
In case you are curious how John Daghita (Lick) was able to steal $40M+ from US government seizure addresses.
John’s dad owns CMDSS, which currently has an active IT government contract in Virginia.
CMMDS was awarded a contract to assist the USMS in managing/disposing of... https://t.co/lzR2a1aidA pic.twitter.com/PV0IkSuhVy
— ZachXBT (@zachxbt) January 25, 2026
The allegation lands against a backdrop of earlier tracing work published Jan. 23, where ZachXBT linked wallet activity and recorded chats to the same persona. “Meet the threat actor John (Lick), who was caught flexing $23M in a wallet address directly tied to $90M+ in suspected thefts from the US Government in 2024 and multiple other unidentified victims from Nov 2025 to Dec 2025,” ZachXBT wrote.
ZachXBT’s thread centers on a dispute in a Telegram group chat between “John” and another threat actor, Dritan Kapplani Jr., in what the community calls “band for band (b4b)”, an on-the-spot contest to prove who controls more funds. ZachXBT said the interaction was “fully recorded,” and claims the footage includes screen-shared wallet balances and contemporaneous transfers that help establish control.
According to the thread, the recording shows John screen-sharing an Exodus wallet displaying a Tron address holding $2.3 million. In a second segment, ZachXBT said “another $6.7M worth of ETH” moved into an Ethereum address while the argument continued.
3/ In part 1 of the recording Dritan mocks John however John screenshares Exodus Wallet which shows the Tron address below with $2.3M:
TMrWCLMS3ibDbKLcnNYhLggohRuLUSoHJg pic.twitter.com/jvcjIVEpaE— ZachXBT (@zachxbt) January 23, 2026
ZachXBT framed the key evidentiary point as ownership continuity across addresses: “The recording captures that John clearly controls both addresses. Additional addresses can likely be found in the recordings. I then began tracing backwards to verify the source of funds.”
That tracing, ZachXBT said, connects the cluster to a March 2024 transfer of $24.9 million from a US government address tied to the Bitfinex crypto hack seizure. He also claimed $18.5 million “currently sits” at a cited address.
Beyond that 2024 linkage, ZachXBT asserted the primary address he tracked was tied to “$63M+ inflows from suspected victims and government seizure addresses in Q4 2025,” listing multiple transactions and chains, and separately flagged an additional 4.17K ETH ($12.4 million) flow from MEXC into the same cluster.
The Jan. 25 post attempts to explain a potential access path: if CMDSS was involved in US Marshals Service crypto asset management, the question becomes whether contractor-side systems, credentials, or processes provided an opening, intentionally or otherwise. ZachXBT stressed that the exact mechanism remains unknown.
Shortly after the post, ZachXBT said CMDSS’s X account, website, and LinkedIn “were all just deactivated,” and claimed Daghita “began trolling again on Telegram.”
On X, the claims drew sharp reactions from prominent Bitcoin commentators. Nakamoto Inc. CEO David Bailey wrote: “The son of the CEO of the company hired by the US Marshalls to safeguard the nation’s Bitcoin, stole $40m from it and now appears to be running. Treasury must secure the private keys from the Justice Department ASAP before more is stolen.”
Prominent Bitcoin advocate and co-founder of the Satoshi Nakamoto Institute Pierre Rochard framed the situation in national-security terms, posting, “This is a national security crisis,” and urging Congress to pass the BITCOIN Act.
At press time, Bitcoin traded at $87,847.
