Blockchain investigator ZachXBT has alleged that the person responsible for a multimillion-dollar theft of cryptocurrency from US government-controlled wallets is the son of the chief executive of a firm contracted to safeguard seized digital assets.

In a series of posts detailing his findings, ZachXBT claimed that an individual known online as “Lick,” whose real name he identified as John Daghita, siphoned tens of millions of dollars in crypto from wallets linked to the US government.

He further alleged that Daghita is the son of Dean Daghita, president and chief executive of Command Services & Support (CMDSS), a company contracted by the US Marshals Service to handle certain seized cryptocurrencies.

CMDSS Awarded US Marshals Contract to Handle Non-Mainstream Seized Crypto

Public records show that CMDSS, based in Haymarket, Virginia, was awarded a contract in October 2024 to assist the Marshals Service with the custody and disposal of so-called “Class 2–4” digital assets.

These include tokens that are not supported by major centralized exchanges and often require bespoke handling.

The allegations have not been tested in court, and no criminal charges have been announced. CMDSS did not respond to requests for comment at the time of publication.

ZachXBT’s claims expand on an investigation he published on Jan. 23, which linked the same online persona to more than $90 million in suspected illicit crypto activity.

That probe traced funds back to a U.S. government wallet associated with assets seized from the 2016 Bitfinex hack.

The investigation gained traction after a recorded dispute in a Telegram group chat between “Lick” and another individual.

The exchange, described as a “band-for-band” argument, involved both parties attempting to demonstrate control over large crypto balances.

During the exchange, “Lick” screen-shared an Exodus wallet displaying a Tron address holding roughly $2.3 million, followed by a live transfer of about $6.7 million in ether.

By the end of the session, approximately $23 million had been consolidated into a single wallet.

By tracing transactions backward, ZachXBT linked that wallet to an address that received $24.9 million from a US government-controlled wallet in March 2024.

The government address was tied to funds seized in the Bitfinex case. ZachXBT had previously flagged unusual activity in October 2024, when around $20 million was drained from similar government wallets.

Most of those funds were returned within 24 hours, though roughly $700,000 routed through instant exchanges was not recovered.

CMDSS Contract Faced Prior Scrutiny as GAO Rejected Protest

CMDSS’s role as a government contractor has drawn scrutiny before.

After losing the Marshals Service contract, Wave Digital Assets filed a protest with the Government Accountability Office, arguing that CMDSS lacked proper regulatory registrations and raising concerns over potential conflicts of interest involving a former Marshals Service official.

The GAO ultimately denied the protest.

Questions around crypto custody have also been raised more broadly. A February 2025 CoinDesk report said the Marshals Service struggled to account for its digital asset holdings, citing weak inventory controls and an inability to estimate its bitcoin reserves.

As reported, illicit cryptocurrency addresses received a record $154 billion in 2025, a sharp increase from the year before.

The post ZachXBT Alleges Son of US Government Crypto Custodian CEO Behind Wallet Theft appeared first on Cryptonews.

On-chain investigator ZachXBT says a $40 million-plus theft from US government crypto seizure wallets may trace back to John Daghita, an alleged threat actor who goes by “Lick,” and a contractor relationship tied to Daghita’s family.

The $40 Million+ Govt Crypto Wallet Robbery

In a Jan. 25 post, ZachXBT pointed to Command Services & Support (CMDSS), describing it as a firm with “an active IT government contract in Virginia,” and alleging it was “awarded a contract to assist the USMS in managing/disposing of seized/forfeited crypto assets.” ZachXBT added: “It still remains unclear at this point how John obtained access from his dad.”

In case you are curious how John Daghita (Lick) was able to steal $40M+ from US government seizure addresses.

John’s dad owns CMDSS, which currently has an active IT government contract in Virginia.

CMMDS was awarded a contract to assist the USMS in managing/disposing of… https://t.co/lzR2a1aidA pic.twitter.com/PV0IkSuhVy

— ZachXBT (@zachxbt) January 25, 2026

The allegation lands against a backdrop of earlier tracing work published Jan. 23, where ZachXBT linked wallet activity and recorded chats to the same persona. “Meet the threat actor John (Lick), who was caught flexing $23M in a wallet address directly tied to $90M+ in suspected thefts from the US Government in 2024 and multiple other unidentified victims from Nov 2025 to Dec 2025,” ZachXBT wrote.

ZachXBT’s thread centers on a dispute in a Telegram group chat between “John” and another threat actor, Dritan Kapplani Jr., in what the community calls “band for band (b4b)”, an on-the-spot contest to prove who controls more funds. ZachXBT said the interaction was “fully recorded,” and claims the footage includes screen-shared wallet balances and contemporaneous transfers that help establish control.

According to the thread, the recording shows John screen-sharing an Exodus wallet displaying a Tron address holding $2.3 million. In a second segment, ZachXBT said “another $6.7M worth of ETH” moved into an Ethereum address while the argument continued.

3/ In part 1 of the recording Dritan mocks John however John screenshares Exodus Wallet which shows the Tron address below with $2.3M: TMrWCLMS3ibDbKLcnNYhLggohRuLUSoHJg pic.twitter.com/jvcjIVEpaE

— ZachXBT (@zachxbt) January 23, 2026

ZachXBT framed the key evidentiary point as ownership continuity across addresses: “The recording captures that John clearly controls both addresses. Additional addresses can likely be found in the recordings. I then began tracing backwards to verify the source of funds.”

That tracing, ZachXBT said, connects the cluster to a March 2024 transfer of $24.9 million from a US government address tied to the Bitfinex crypto hack seizure. He also claimed $18.5 million “currently sits” at a cited address.

Beyond that 2024 linkage, ZachXBT asserted the primary address he tracked was tied to “$63M+ inflows from suspected victims and government seizure addresses in Q4 2025,” listing multiple transactions and chains, and separately flagged an additional 4.17K ETH ($12.4 million) flow from MEXC into the same cluster.

The Jan. 25 post attempts to explain a potential access path: if CMDSS was involved in US Marshals Service crypto asset management, the question becomes whether contractor-side systems, credentials, or processes provided an opening, intentionally or otherwise. ZachXBT stressed that the exact mechanism remains unknown.

Shortly after the post, ZachXBT said CMDSS’s X account, website, and LinkedIn “were all just deactivated,” and claimed Daghita “began trolling again on Telegram.”

On X, the claims drew sharp reactions from prominent Bitcoin commentators. Nakamoto Inc. CEO David Bailey wrote: “The son of the CEO of the company hired by the US Marshalls to safeguard the nation’s Bitcoin, stole $40m from it and now appears to be running. Treasury must secure the private keys from the Justice Department ASAP before more is stolen.”

Prominent Bitcoin advocate and co-founder of the Satoshi Nakamoto Institute Pierre Rochard framed the situation in national-security terms, posting, “This is a national security crisis,” and urging Congress to pass the BITCOIN Act.

At press time, Bitcoin traded at $87,847.

2026 got off to a disastrous start for one crypto user, who fell victim to one of the largest social engineering attacks in digital asset history, losing over $282 million in Bitcoin and Litecoin.

How Crypto User Fell Victim To $282M Theft 

According to prominent blockchain sleuth ZachXBT, the crypto theft occurred on January 10, 2026 at around 11:00 pm UTC. Around 2.05 million Litecoin (worth roughly $153 million) and 1,459 Bitcoin (equivalent to around $139 million) was drained from the victim’s hardware wallet after they were tricked into sharing their seed phrase.

The exploiter swiftly transferred the funds across multiple networks to obscure the trail after gaining full control of the crypto wallet. As revealed by ZachXBT, the attacker first began converting the stolen crypto assets into Monero’s native token, XMR, through multiple instant exchanges, leading to a surge in the price of XMR.

Furthermore, the exploiter bridged significant amounts of the stolen Bitcoin across Ethereum, Ripple, and Litecoin through THORChain, a decentralized cross-chain platform that enables users to swap crypto assets between different blockchain networks. Unsurprisingly, this move reignited the debate around the use — or abuse — of censorship-resistant cross-chain protocols, especially during security breaches.

After the news of the attack made it to social media, conversations around the entity or persons behind $282 million theft started, with many linking it to a state-sponsored hacking group. However, ZachXBT categorically stated that “it’s not North Korea,” potentially exonerating the infamous state-backed Lazarus Group.

In a post on LinkedIn, security firm ZeroShadow described the victim as a Bitcoin wallet “belonging to an individual who had been tricked into sharing their seed phrase by an actor impersonating Trezor ‘Value Wallet’ support.” The firm claimed that it was able to track and flag parts of the stolen funds in real time after being alerted by blockchain monitoring teams.

According to ZeroShadow, roughly $700,000 worth of crypto assets were reportedly frozen before they could be fully swapped into privacy-focused assets. This latest incident sheds light on how the digital asset industry is still being targeted by malicious actors.

XMR Price Rallies To New High Following Security Incident

As described by ZachXBT, the attacker, after gaining control of the victim’s wallet, began converting the stolen crypto assets into Monero’s native token, XMR, through several exchanges. In the background, this activity pushed the price of the privacy-focused XMR to a new all-time high around $800 over the past week.

According to data from CoinGecko, the XMR token rallied almost 80% to $797.73 from a weekly low around $450 following the crypto theft. As of this writing, XMR is valued at around $588, reflecting a nearly 25% drop in the past few days.