U.S. Bitcoin Custody Concerns Rise After Alleged Insider Stole $40 Million In Digital Assets

Bitcoin Magazine

All of the bitcoin held by the U.S. government has come under scrutiny after allegations surfaced that tens of millions of dollars in seized crypto were stolen through insider access at a federal custody contractor.

Blockchain investigator ZachXBT alleged over the weekend that more than $40 million in digital assets was siphoned from wallets linked to the U.S. Marshals Service (USMS), reportedly by the son of an executive at a firm contracted to manage seized crypto. 

The alleged theft centers on Command Services & Support (CMDSS), a Virginia-based technology firm awarded a USMS contract in October 2024 to manage and dispose of certain categories of seized digital assets. 

Those assets include crypto not supported by major exchanges and tied to high-profile criminal cases, including funds seized from the 2016 Bitfinex hack.

According to ZachXBT, an individual identified online as “Lick,” whom he claims is John Daghita, gained access to government-controlled wallets through insider channels. ZachXBT has further alleged that Daghita is the son of Dean Daghita, CMDSS’s president and chief executive.

The investigation began after a recorded dispute in a private Telegram chat surfaced online. During the exchange, the individual screen-shared a wallet showing millions of dollars in crypto and appeared to move funds in real time. 

On-chain analysis later linked those wallets to addresses known to hold government-seized assets.

A conflict of interest involving U.S. bitcoin 

One transaction trail cited by ZachXBT points to a government address that received roughly $24.9 million in bitcoin tied to Bitfinex-related seizures earlier in 2024. 

Additional blockchain data suggests that around $20 million was removed from USMS-linked wallets in October 2024. Most of those funds were returned within a day, though about $700,000 routed through instant exchanges was not recovered.

ZachXBT estimates that total suspected thefts could exceed $90 million when accounting for other wallet activity observed in late 2025. Some of the funds remain in compromised wallets, raising concerns that further losses could occur.

Neither the U.S. Marshals Service nor CMDSS has issued a public statement addressing the allegations.

Rightfully so, the investigation has renewed criticism of how the U.S. government manages its growing stockpile of seized crypto, especially its bitcoin.

David Bailey, CEO of bitcoin-focused firm Nakamoto, posted on X after the report, “The son of the CEO of the company hired by the US Marshalls to safeguard the nation’s Bitcoin, stole $40m from it and now appears to be running. Treasury must secure the private keys from the Justice Department ASAP before more is stolen.”

The U.S. government holds a massive amount of Bitcoin seized through law enforcement actions. Some blockchain analytics estimate roughly 198,000 BTC under federal control, while others project more than 300,000 BTC, worth tens of billions of dollars.

If insiders can allegedly move millions from custodial wallets with minimal detection, it suggests current custody practices may leave portions of the government’s Bitcoin reserves exposed. 

Previous reports have found that the Marshals Service relied on manual tracking systems and struggled to provide precise estimates of its crypto holdings. CMDSS’s contract award also faced a protest in 2024 from a competing firm, which raised concerns about licensing and potential conflicts of interest. 

JUST IN: David Bailey says, “The son of the CEO of the company hired by the US Marshalls to safeguard the nation’s Bitcoin, stole $40m from it”

“Treasury must secure the private keys from the Justice Department ASAP” 👀 pic.twitter.com/6UroPNzqJY

— Bitcoin Magazine (@BitcoinMagazine) January 26, 2026

Did the United States sell bitcoin destined for the Strategic Bitcoin Reserve? 

Earlier this year, journalist Frank Corva published an investigation exploring the possibility that prosecutors in the Southern District of New York and the U.S. Marshals Service may have sold bitcoin forfeited in the Samourai Wallet case, potentially in violation of President Trump’s Executive Order 14233, which dictates that seized bitcoin be held in the U.S. Strategic Bitcoin Reserve rather than liquidated.

There was on-chain evidence showing 57.55 BTC tied to the Samourai plea agreement moving through a Coinbase Prime address and later showing a zero balance, raising questions about whether the assets were improperly disposed of.

Shortly afterward, U.S. officials denied that any sale took place, affirming that the Samourai Wallet bitcoin will remain on the government’s balance sheet as part of the Strategic Bitcoin Reserve under the executive order.

U.S. officials failed to show blockchain evidence, but the reports and overall sentiment reflect controversy over how the U.S. handles seized bitcoin. The allegations from ZachXBT reinforce this sentiment.

This post U.S. Bitcoin Custody Concerns Rise After Alleged Insider Stole $40 Million In Digital Assets first appeared on Bitcoin Magazine and is written by Micah Zimmerman.

ZachXBT Alleges Son of US Government Crypto Custodian CEO Behind Wallet Theft

By: Amin Ayan

Blockchain investigator ZachXBT has alleged that the person responsible for a multimillion-dollar theft of cryptocurrency from US government-controlled wallets is the son of the chief executive of a firm contracted to safeguard seized digital assets.

Key Takeaways:

  • ZachXBT alleges a multimillion-dollar crypto theft from US government wallets is linked to the son of a federal crypto custody contractor’s CEO.
  • The funds were traced to wallets connected to assets seized in the 2016 Bitfinex hack.
  • The claims remain unproven in court, and no charges have been filed as of publication.

In a series of posts detailing his findings, ZachXBT claimed that an individual known online as “Lick,” whose real name he identified as John Daghita, siphoned tens of millions of dollars in crypto from wallets linked to the US government.

He further alleged that Daghita is the son of Dean Daghita, president and chief executive of Command Services & Support (CMDSS), a company contracted by the US Marshals Service to handle certain seized cryptocurrencies.

CMDSS Awarded US Marshals Contract to Handle Non-Mainstream Seized Crypto

Public records show that CMDSS, based in Haymarket, Virginia, was awarded a contract in October 2024 to assist the Marshals Service with the custody and disposal of so-called “Class 2–4” digital assets.

These include tokens that are not supported by major centralized exchanges and often require bespoke handling.

The allegations have not been tested in court, and no criminal charges have been announced. CMDSS did not respond to requests for comment at the time of publication.

ZachXBT’s claims expand on an investigation he published on Jan. 23, which linked the same online persona to more than $90 million in suspected illicit crypto activity.

That probe traced funds back to a U.S. government wallet associated with assets seized from the 2016 Bitfinex hack.

The investigation gained traction after a recorded dispute in a Telegram group chat between “Lick” and another individual.

Update: The CMDSS company X account, website, & LinkedIn were all just deactivated pic.twitter.com/nvN6u5XMPq

— ZachXBT (@zachxbt) January 25, 2026

The exchange, described as a “band-for-band” argument, involved both parties attempting to demonstrate control over large crypto balances.

During the exchange, “Lick” screen-shared an Exodus wallet displaying a Tron address holding roughly $2.3 million, followed by a live transfer of about $6.7 million in ether.

By the end of the session, approximately $23 million had been consolidated into a single wallet.

By tracing transactions backward, ZachXBT linked that wallet to an address that received $24.9 million from a US government-controlled wallet in March 2024.

The government address was tied to funds seized in the Bitfinex case. ZachXBT had previously flagged unusual activity in October 2024, when around $20 million was drained from similar government wallets.

Most of those funds were returned within 24 hours, though roughly $700,000 routed through instant exchanges was not recovered.

CMDSS Contract Faced Prior Scrutiny as GAO Rejected Protest

CMDSS’s role as a government contractor has drawn scrutiny before.

After losing the Marshals Service contract, Wave Digital Assets filed a protest with the Government Accountability Office, arguing that CMDSS lacked proper regulatory registrations and raising concerns over potential conflicts of interest involving a former Marshals Service official.

The GAO ultimately denied the protest.

Questions around crypto custody have also been raised more broadly. A February 2025 CoinDesk report said the Marshals Service struggled to account for its digital asset holdings, citing weak inventory controls and an inability to estimate its bitcoin reserves.

As reported, illicit cryptocurrency addresses received a record $154 billion in 2025, a sharp increase from the year before.

The post ZachXBT Alleges Son of US Government Crypto Custodian CEO Behind Wallet Theft appeared first on Cryptonews.

$40 Million+ US Govt Crypto Heist Leads To Contractor Exec’s Son: ZachXBT

On-chain investigator ZachXBT says a $40 million-plus theft from US government crypto seizure wallets may trace back to John Daghita, an alleged threat actor who goes by “Lick,” and a contractor relationship tied to Daghita’s family.

The $40 Million+ Govt Crypto Wallet Robbery

In a Jan. 25 post, ZachXBT pointed to Command Services & Support (CMDSS), describing it as a firm with “an active IT government contract in Virginia,” and alleging it was “awarded a contract to assist the USMS in managing/disposing of seized/forfeited crypto assets.” ZachXBT added: “It still remains unclear at this point how John obtained access from his dad.”

In case you are curious how John Daghita (Lick) was able to steal $40M+ from US government seizure addresses.

John’s dad owns CMDSS, which currently has an active IT government contract in Virginia.

CMMDS was awarded a contract to assist the USMS in managing/disposing of… https://t.co/lzR2a1aidA pic.twitter.com/PV0IkSuhVy

— ZachXBT (@zachxbt) January 25, 2026

The allegation lands against a backdrop of earlier tracing work published Jan. 23, where ZachXBT linked wallet activity and recorded chats to the same persona. “Meet the threat actor John (Lick), who was caught flexing $23M in a wallet address directly tied to $90M+ in suspected thefts from the US Government in 2024 and multiple other unidentified victims from Nov 2025 to Dec 2025,” ZachXBT wrote.

ZachXBT’s thread centers on a dispute in a Telegram group chat between “John” and another threat actor, Dritan Kapplani Jr., in what the community calls “band for band (b4b)”, an on-the-spot contest to prove who controls more funds. ZachXBT said the interaction was “fully recorded,” and claims the footage includes screen-shared wallet balances and contemporaneous transfers that help establish control.

According to the thread, the recording shows John screen-sharing an Exodus wallet displaying a Tron address holding $2.3 million. In a second segment, ZachXBT said “another $6.7M worth of ETH” moved into an Ethereum address while the argument continued.

3/ In part 1 of the recording Dritan mocks John however John screenshares Exodus Wallet which shows the Tron address below with $2.3M: TMrWCLMS3ibDbKLcnNYhLggohRuLUSoHJg pic.twitter.com/jvcjIVEpaE

— ZachXBT (@zachxbt) January 23, 2026

ZachXBT framed the key evidentiary point as ownership continuity across addresses: “The recording captures that John clearly controls both addresses. Additional addresses can likely be found in the recordings. I then began tracing backwards to verify the source of funds.”

That tracing, ZachXBT said, connects the cluster to a March 2024 transfer of $24.9 million from a US government address tied to the Bitfinex crypto hack seizure. He also claimed $18.5 million “currently sits” at a cited address.

Beyond that 2024 linkage, ZachXBT asserted the primary address he tracked was tied to “$63M+ inflows from suspected victims and government seizure addresses in Q4 2025,” listing multiple transactions and chains, and separately flagged an additional 4.17K ETH ($12.4 million) flow from MEXC into the same cluster.

The Jan. 25 post attempts to explain a potential access path: if CMDSS was involved in US Marshals Service crypto asset management, the question becomes whether contractor-side systems, credentials, or processes provided an opening, intentionally or otherwise. ZachXBT stressed that the exact mechanism remains unknown.

Shortly after the post, ZachXBT said CMDSS’s X account, website, and LinkedIn “were all just deactivated,” and claimed Daghita “began trolling again on Telegram.”

On X, the claims drew sharp reactions from prominent Bitcoin commentators. Nakamoto Inc. CEO David Bailey wrote: “The son of the CEO of the company hired by the US Marshalls to safeguard the nation’s Bitcoin, stole $40m from it and now appears to be running. Treasury must secure the private keys from the Justice Department ASAP before more is stolen.”

Prominent Bitcoin advocate and co-founder of the Satoshi Nakamoto Institute Pierre Rochard framed the situation in national-security terms, posting, “This is a national security crisis,” and urging Congress to pass the BITCOIN Act.

At press time, Bitcoin traded at $87,847.

Crypto User Loses $282M In Social Engineering Attack — Details

2026 got off to a disastrous start for one crypto user, who fell victim to one of the largest social engineering attacks in digital asset history, losing over $282 million in Bitcoin and Litecoin.

How Crypto User Fell Victim To $282M Theft 

According to prominent blockchain sleuth ZachXBT, the crypto theft occurred on January 10, 2026, at around 11:00 pm UTC. Around 2.05 million Litecoin (worth roughly $153 million) and 1,459 Bitcoin (equivalent to around $139 million) were drained from the victim’s hardware wallet after they were tricked into sharing their seed phrase.

The exploiter swiftly transferred the funds across multiple networks to obscure the trail after gaining full control of the crypto wallet. As revealed by ZachXBT, the attacker first began converting the stolen crypto assets into Monero’s native token, XMR, through multiple instant exchanges, leading to a surge in the price of XMR.

Furthermore, the exploiter bridged significant amounts of the stolen Bitcoin across Ethereum, Ripple, and Litecoin through THORChain, a decentralized cross-chain platform that enables users to swap crypto assets between different blockchain networks. Unsurprisingly, this move reignited the debate around the use — or abuse — of censorship-resistant cross-chain protocols, especially during security breaches.

After news of the attack reached social media, speculation began about the entity or persons behind the $282 million theft, with many linking it to a state-sponsored hacking group. However, ZachXBT categorically stated that “it’s not North Korea,” potentially exonerating the infamous state-backed Lazarus Group.

In a post on LinkedIn, security firm ZeroShadow described the victim as a Bitcoin wallet “belonging to an individual who had been tricked into sharing their seed phrase by an actor impersonating Trezor ‘Value Wallet’ support.” The firm claimed that it was able to track and flag parts of the stolen funds in real time after being alerted by blockchain monitoring teams.

According to ZeroShadow, roughly $700,000 worth of crypto assets were reportedly frozen before they could be fully swapped into privacy-focused assets. This latest incident sheds light on how the digital asset industry is still being targeted by malicious actors.

XMR Price Rallies To New High Following Security Incident

As described by ZachXBT, the attacker, after gaining control of the victim’s wallet, began converting the stolen crypto assets into Monero’s native token, XMR, through several exchanges. In the background, this activity pushed the price of the privacy-focused XMR to a new all-time high around $800 over the past week.

According to data from CoinGecko, the XMR token rallied almost 80% to $797.73 from a weekly low around $450 following the crypto theft. As of this writing, XMR is valued at around $588, reflecting a nearly 25% drop in the past few days.
