Inside the Alleged $40M Breach of U.S. Government Crypto Wallets

Usually, we hear of government agencies like the Department of Justice (DOJ) seizing Bitcoin from criminals, but this time, the exact opposite has occurred. Someone has taken tens of millions of dollars in cryptocurrency from wallets linked to the U.S. government.
So, let’s see what exactly has happened and who is allegedly behind the incident.
How U.S. Government Crypto Wallets Were Allegedly Compromised
| Date | Event | Relevance |
|---|---|---|
| Aug 2016 | Bitfinex hack (119,756 BTC stolen) | Source of seized assets |
| 2022 | DOJ seizes ~94,000 BTC | Assets enter US custody |
| Oct 2024 | CMDSS awarded USMS crypto contract | Custody responsibility shift |
| Jan 2026 | ZachXBT publishes findings | Alleged breach exposed |
Last week, blockchain sleuth ZachXBT took to X (previously Twitter) to share his investigation into the matter, which brought the incident into the limelight.

“Meet the threat actor John (Lick), who was caught flexing $23M in a wallet address directly tied to $90M+ in suspected thefts from the US Government in 2024 and multiple other unidentified victims from Nov 2025 to Dec 2025,” posted the on-chain investigator on X last Friday.
ZachXBT alleged that the individual behind the $40 million movement of digital assets from the government wallet is someone who’s related to the head of a company that was contracted by a federal law enforcement agency a few years ago to custody the seized cryptocurrency.
The wallet was used by the government agency to store funds it had confiscated from individuals.
As for the individual identified in the investigation, he has been named as John “Lick” Daghita, who is the son of Dean Daghita, the chief executive of Virginia-based CMDSS, a firm that provides critical services for the DOJ and Department of Defense.
As ZachXBT wrote:
In late 2024, the company was selected by the US Marshals Service to assist in managing and disposing of seized or forfeited cryptocurrency assets. These assets are categorized as “Class 2-4,” which includes those coins that aren’t listed on major centralized crypto exchanges (CEXs).
This is significant, as last year, US President Donald Trump signed an executive order establishing a strategic crypto reserve for the United States, funded by the Treasury’s forfeited digital assets, which therefore shouldn’t be liquidated.
When the White House first announced that it was considering a national crypto reserve, CoinDesk reported that a source familiar with the matter stated that the U.S. Marshals Service does not know exactly how much cryptocurrency it holds.
Not only that, but the agency didn’t even have a rough estimate of its Bitcoin holdings. The report from last year noted that USMS relied on spreadsheets that lacked adequate inventory controls.
“As far as I’m aware, the USMS is currently managing this with individual keystrokes in an Excel spreadsheet,” Chip Borman told CoinDesk at the time. Borman is the vice president of capture strategy and proposals at Addx Corporation, which provides technological solutions to the US government, and was also rejected for a USMS contract. “They’re one bad day away from a billion-dollar mistake,” he said.
Others also reported on USMS’s “very unsecure” practices regarding crypto assets. The agency has long struggled to manage and track its holdings.
“The USMS did not have adequate policies related to seized cryptocurrency storage, quantification, valuation, and disposal, and in some instances, guidance was conflicting,” the Office of the Inspector General (OIG) said back in 2022. And by the end of that year, the USMS had noted that a software update resulted in it losing control of two Ether wallets, and as such, it was looking for a contractor to help with the handling of cryptocurrencies.
The nation’s oldest federal law enforcement agency, which operates under the DOJ to support the federal judiciary, manages assets such as cash, jewelry, vehicles, real estate, and crypto seized by law enforcement during criminal investigations.
In Oct. 2024, the USMS awarded CMDSS a contract to handle the agency’s non-mainstream seized crypto.
CMDSS secured the government contract while beating competitors, including Wave Digital Assets, which filed a protest with the U.S. Government Accountability Office. It argued that CMDSS does not have the proper licensing with the Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA).
– Les Borsai, co-founder of Wave, said in an interview with CoinDesk last year
In its protest, Wave also posed questions about CMDSS employing a former USMS official, who has access to nonpublic information. This, Wave pointed out, is a potential conflict of interest, which the Marshals Service hasn’t properly investigated.
The GAO denied the protest, despite finding the agency’s evaluation unreasonable.
The Digital Trail and the Fatal Flex
So, with USMS lacking a framework to track and safeguard digital assets, it turned to CMDSS for support, which now appears to be a focal point in the investigation into the alleged theft.
According to ZachXBT, “it still remains unclear at this point how John obtained access from his dad.”
Ever since the connection between the subject and CMDSS was suggested, the company has deactivated its website, X account, and LinkedIn. The father’s X account has also been deactivated.

What drew on-chain detective ZachXBT’s attention to the situation was a video recording in a Telegram chat, in which a user named Lick or John Daghita allegedly “got into a heated argument with another individual known as Dritan Kapplani Jr. in a group chat to see who had more funds in crypto wallets.”
The entire interaction in which John Daghita reportedly attempted to show his financial standing by going band for band was fully recorded.
To show off his holdings, the subject shared a screen recording that showed a non-custodial Exodus wallet with $2.3 million in a TRON (TRX) address. But as Dritan continued to mock him, John Daghita allegedly moved another $6.7 million in Ether (ETH) to the same wallet in real time.
Both addresses are alleged to be controlled by the subject, with ZachXBT noting that additional addresses are likely to be found in the recordings. By the time the conflict was over, John Daghita had allegedly moved a total of $23 million into one wallet, which ZachXBT linked to the address 0xd8bc.
To verify the source of funds, the blockchain investigator traced backward, revealing that the 0xd8bc address had previously received 1066 WETH from 0xc7a2. And before that, $24.9 million was transferred to the 0xc7a2 address in March 2024.
This particular transfer was made from a government address holding confiscated Bitfinex assets.
Bitfinex, a major cryptocurrency exchange, suffered a security breach in 2016 that resulted in the theft of 119,756 BTC. The hack had a major impact on the market at the time, with the Bitcoin price dropping about 20% after the attack was disclosed.
For years, most of the stolen funds sat in wallets untouched. Between 2020 and 2021, small movements totaling hundreds of millions of BTC were observed from wallets linked to the breach, and in 2022, 94,643 BTC (worth $3.6 billion at the time) were consolidated into a new address.
Law enforcement was tracking the movement, leading the DOJ to announce the seizure of over 94,000 BTC from the attack after decrypting a file containing private keys linked to the hack. Ilya Lichtenstein and his wife, Heather Morgan, were also arrested on charges of conspiracy to launder stolen Bitcoin. In 2023, the couple pleaded guilty to charges, and the following year, Lichtenstein was sentenced to 5 years in prison, but secured early release this year. Morgan received 18 months for fraud and conspiracy.
When it comes to the funds themselves, they helped the U.S. government become one of the largest holders of Bitcoin.
In January 2025, a U.S. court approved the return of roughly $9 billion in seized Bitcoin to Bitfinex as part of voluntary restitution agreements linked to plea deals with the convicted.
At the time, the US government also said that stolen Bitcoin should go back to the exchange.
“For the foregoing reasons, there is no ‘victim’ for the specific offenses of conviction in this proceeding,” the government said in a filing to the U.S. District Court for the District of Columbia. “However, the Court has the authority to order voluntary restitution pursuant to the defendants’ plea agreements. Such voluntary restitution should include all of the assets seized from the Bitfinex Hack Wallet and that, pursuant to the plea agreements, those assets should be returned to Bitfinex as in-kind restitution.”
Escalation, Laundering, and the Fallout
In his X post on January 23rd, ZachXBT noted that this is an alleged theft from the USG, which he previously reported about in October 2024.
At the time, he noted that about $20 million of seized funds tied to the US government had been drained and was suspected to be stolen. Most of the funds, however, were returned within a day, except for $700,000, which was withdrawn through exchanges and wasn’t recovered.
In addition to all of this, ZachXBT found another address belonging to John Daghita that received $63 million in inflows in the fourth quarter of last year from government-seized addresses and suspected victims.
The traced activity shows funds being moved from seizure-linked addresses into intermediary wallets, where the assets were split and then recombined before being cycled through multiple hops. Suspected assets were routed through centralized exchanges, decentralized exchanges, non-custodial services, and cross-chain swap platforms. The expert noted:
He also stated that rumors circulating on cybercrime Telegram channels indicate that the person in question could be John Daghita, who was previously arrested in September 2025, though more research is needed to confirm this.
“Threat actors only continue to show off funds in leaked recordings rather than simply just staying quiet after an alleged incident involving the US Government,” said ZachXBT, noting that by allegedly sharing proof of ownership for the involved wallets, the subject “makes it an easy future case for law enforcement.”
Upon ZachXBT publishing the Telegram account identifier, the user quickly changed his display name and deleted all his NFT usernames. Not long after, he reportedly sent $20 in ETH to ZachXBT’s public address, zachxbt.eth, from one of the addresses linked to the investigation.
A couple of days later, the user reportedly began trolling again on Telegram and sent ZachXBT another 0.6767 ETH ($1.9K) of the suspected government funds to his public wallet address, which the blockchain investigator said will be sent to a USG seizure address.
But that’s not all. The wallet tied to the alleged incident then launched a Solana-based meme coin called John Daghita, bearing the ticker LICK, with the wallet holding 40% of its supply.
“John Daghita (@lick), linked to the $40M movement from the US government, just launched $LICK on pumpfun and is live streaming on Telegram. He holds 40% of the supply Unhinged,” posted Bubblemaps, an analytics platform for on-chain trading and investigations.
A large concentration of a token supply in the wallet of a single entity creates the risk of market manipulation. Besides insiders controlling the price, one wallet owning such a high percentage of supply signals a high risk of “rug pulls,” where the major holder sells their stake, causing the token to plummet in value, as reportedly happened in the case of LICK itself.
The token was launched on Pump.fun, a popular meme coin launchpad on the Solana network, which has been used to create a total of 15.6 million tokens in just over two years. Data has shown that the vast majority of tokens launched on Pump.fun, over 98%, show characteristics linked to pump-and-dump schemes.
LICK was launched earlier this week and in less than 24 hours briefly hit a market capitalization of about $915,000. The wallet that deployed the token accumulated LICK coins early on, when the market was under $21K. Meanwhile, the token plunged more than 97% in value overnight.
The Inevitable Reckoning
While no criminal charges have been announced yet, investigations have begun. Earlier this week, Patrick Witt, the Executive Director for the US President’s Council of Advisors for Digital Assets, stated on X that authorities are looking into the incident.

The U.S. Marshals Service (USMS) has also confirmed that it is investigating allegations that the son of a DOJ services provider tasked with managing seized digital assets improperly took more than $40 million in cryptocurrencies. Brady McCarron, chief of public affairs for the USMS, declined further comment on the case while the inquiry is ongoing.
As federal agencies begin an inquiry into the incident, John Daghita faces potential charges, including theft of government property, money laundering, and wire fraud, if allegations are proven in a court of law.
The situation is still developing, but what’s important to note is that the government has finally decided to take notice of what’s going on only after ZachXBT has provided these details, which highlights the reactive nature of current agency oversight.
Federal agencies missing or failing to prevent such incidents highlight a need for increased diligence, accountability, and basic operational security. The failure to monitor and secure government-controlled crypto wallets emphasizes just how much work remains for authorities when dealing with digital assets.
As on-chain analyst Tay Vano noted on X, in the time since the case was first brought to light, the subject has reportedly moved funds, conducted giveaways, and launched a memecoin, while the US government agencies have only “opened an investigation. To investigate.”
Government agencies have been criticized over their responsibility to securely custody funds that they have seized from criminals. While serious questions remain regarding internal controls, it now remains to be seen whether they’ll be able to conduct a thorough, credible investigation into the matter.
How far the investigations extend into CMDSS’s internal controls and access policies will provide an idea of how the wallets were accessed and whether this stemmed from his father’s role or from another source.
One can hope that, once these investigations conclude, the USMS and DOJ will follow better practices in the future, give preference to crypto-specific expertise, and pay closer attention to objections such as those raised by Wave Digital Assets, which were dismissed by the Government Accountability Office.
The DOJ or USMS may even be forced to provide public audits of seized crypto holdings, which will provide a clear picture of just how much cryptocurrency the U.S. government actually holds.
Such an audit could prevent confusion and misinformation, as seen recently when reports circulated that the DOJ had liquidated Bitcoin seized from the creators of Samourai Wallet. Even Senator Cynthia Lummis (R-Wyo.) shared concern on X regarding the potential liquidation of strategic assets.
Witt clarified that forfeited digital assets “have not been liquidated and will not be liquidated,” and that they will instead be added to the strategic Bitcoin reserve.
Ultimately, the John Daghita case is a revelation of potential systemic failures in how U.S. agencies safeguard digital assets worth billions that are supposed to be strategic to national interests.
From custody practices to contractor oversight, the breach clearly shows the challenges federal institutions face today, as the fast-paced crypto market continues to integrate with mainstream finance.









