Key Insights:
- A crypto scam operator linked to over $90 million in suspected thefts was exposed after he bragged about his wealth in a recorded group chat.
- On-chain investigator ZachXBT traced wallet addresses displayed during the argument directly back to US Government seizure addresses and multiple victims from late 2025.
- The threat actor, known as John, immediately scrubbed his social media after the January 23 crypto news.
On-chain investigator ZachXBT published a detailed thread on X, exposing a threat actor identified as John, also known as “Lick”. He was displaying $23 million in cryptocurrency wallets when ZachXBT caught him.
The addresses directly link to over $90 million in suspected thefts from the US Government in 2024 and multiple other unidentified victims between November and December 2025. This exposure occurred after John participated in a heated argument with another threat actor, Dritan Kapplani Jr., in a group chat.
The discussion was a bragging competition to determine who controlled more cryptocurrency funds. This interaction is famous as a “band for band” or “b4b” competition in cybercrime circles.
The entire confrontation was recorded and provided the evidence ZachXBT needed to connect wallet addresses to the crypto scam operation.
In the first part of the recording, John screen-shared his Exodus Wallet. It displayed a TRON address containing $2.3 million, after Dritan mocked him. In the second part, John moved an additional $6.7 million in ETH to the wallet address 0xd8bc while Dritan continued taunting him.
Crypto News: On-Chain Evidence Links Wallets to Government Theft
By the end of the recorded exchange, John had moved approximately $23 million to the 0xd8bc address. The recording clearly showed that he controlled both wallet addresses. ZachXBT began tracing the funds backward through the blockchain to verify their source and discovered damning connections.
The 0xd8bc address received funds from 0x8924, which John confirmed owning during the recording. The 0x8924 address had received 1,066 WETH from address 0xc7a2 on November 20, 2025, in a specific transaction hash documented in the report.
The critical link emerged when ZachXBT traced the 0xc7a2 address. It had received $24.9 million from a US Government address in March 2024, in connection with the Bitfinex hack seizure.
ZachXBT previously reported this theft from the US Government in October 2024. As per the latest crypto news, $18.5 million are still sitting at the cv0xc7A2 address.
The blockchain evidence established a direct trail from government-seized funds to the wallets John controlled, as displayed during his bragging session.
Crypto Scam Operator Tied to $63M in Q4 2025 Inflows
ZachXBT’s analysis revealed that the 0xd8bc address received over $63 million in inflows from suspected victims and government-seized addresses during the fourth quarter of 2025 alone.
In December 2025, the address received $13.5 million from 0x77a7 and $15.4 million from 0xf51b. In November 2025, it received $3 million from the Tron address TACZPn and $1 million from the Solana address 6tMdWb.
An additional 4,170 ETH, valued at $12.4 million, was received from the MEXC exchange earlier on January 23. This fund was flowing to the 0xd8bc address via the intermediary address 0xe0f7.
ZachXBT noted that John maintained an extensive message history on Telegram flaunting his net worth and calling others broke. His Telegram ID is 8269661864. The pattern of behavior suggested a threat actor who prioritized social status within cybercrime communities over operational security.
Rumors circulating on cybercrime Telegram channels suggested John could be John Daghitia, who was previously arrested in September 2025. However, ZachXBT noted that further research will fully confirm the identity.
The investigator observed that threat actors continued to show off stolen funds in leaked recordings. He didn’t remain quiet after alleged thefts from the US Government. This pattern repeatedly provided law enforcement with evidence.
In this specific crypto scam case, Dritan ragebaited John into participating in a band-for-band competition. The recordings captured proof of wallet ownership, providing straightforward evidence for future law enforcement action.
John’s response to the public exposure was immediate and telling. He quickly removed all NFT usernames from his Telegram account and changed his screen name after ZachXBT’s thread went public, suggesting that he recognized the documented evidence posed a serious legal risk.
The case demonstrated how ego-driven behavior among cybercriminals could override basic operational security.
A recorded bragging session provided investigators with direct blockchain evidence linking a threat actor to over $90 million in suspected thefts. Those crypto scams span across government seizures and private victims from 2024 and 2025.