ZachXBT Links $40 Million US Government Wallet Theft to Son of Federal Crypto Custodian CEO

In January 2026, blockchain investigator ZachXBT alleged that John Daghita, the son of the CEO of a firm contracted by the United States government to manage seized digital assets, was responsible for the theft of more than 40 million dollars in cryptocurrency from U.S. Marshals Service wallets.

The theft is confirmed on chain even though the identity of the thief remains alleged. Blockchain data shows 24.9 million dollars moved in March 2024 from a U.S. Marshals Service Bitfinex seizure wallet into a private address later linked to Lick.


What’s verified versus alleged in the $40M government wallet incident

It is verified that roughly 40 million dollars in cryptocurrency was moved out of United States government controlled seizure wallets, but it is only alleged that John Daghita, also known as Lick and the son of a government crypto contractor CEO, was responsible.

On-chain data shows that 24.9 million dollars was transferred in March 2024 from a federal seizure wallet holding assets from the 2016 Bitfinex hack into a private wallet later linked to the online persona Lick.

During a recorded Telegram dispute, Lick screen-shared an Exodus wallet showing 2.3 million dollars in Tron and then received a live transfer of about 6.7 million dollars in ETH, after which around 23 million dollars was consolidated into one wallet.


ZachXBT had already identified suspicious government wallet activity in October 2024, when about 20 million dollars was drained from similar addresses. Most of that was returned within 24 hours, but roughly 700,000 dollars was not recovered.

How USMS handles seized crypto: Asset Forfeiture Program and CMDSS

The US Marshals Service controls seized cryptocurrency through the Department of Justice Asset Forfeiture Program and outsources custody to private firms such as Coinbase and CMDSS depending on the type of asset.

When agencies like the FBI, DEA or Secret Service seize crypto, it is transferred into government controlled wallets managed by the US Marshals Service under the Asset Forfeiture Program. After courts approve forfeiture, the Marshals Service sells or holds the crypto and sends proceeds to the Treasury Forfeiture Fund for victim restitution and law enforcement budgets.


In October 2024, CMDSS was awarded a contract to manage and dispose of Class 2 to 4 digital assets, which are tokens not widely supported by major exchanges and require special handling. This contract runs alongside a separate Coinbase contract that manages mainstream assets like Bitcoin and Ethereum.

ZachXBT’s investigation shows that the wallets involved in the theft were within this contractor-managed custody layer, directly tying the incident to CMDSS’s operational domain.

Custody controls explained: multi-sig, MPC, cold storage, HSM, key ceremonies

Government crypto is protected by layered cryptographic and procedural controls that prevent any single person from moving funds alone.

These controls include:

  • Multi-signature wallets that require multiple keys to approve a transfer
  • Multi-party computation that splits private keys into independent shares
  • Cold storage that keeps keys offline
  • Hardware security modules that store and use keys inside tamper resistant devices
  • Formal key ceremonies that document how keys are generated, stored and accessed with witnesses and audit trails

Because ZachXBT proved that tens of millions left government wallets, the failure was not cryptographic. It was a process and access control failure, meaning someone with legitimate signing power or infrastructure access misused it.

Insider and contractor pathways: permissions, segregation of duties, audit logging

Access controls, SLAs and audit logging in contractor-managed custody

Contractor-based crypto custody relies on strict access controls, contractual service level agreements and immutable audit logs to prevent insider theft.

Best practice requires:

  • Multi-factor authentication and role-based access control
  • Transaction approval thresholds and spending limits
  • Physically secured cold storage environments
  • Comprehensive audit logs that record every privileged action and are reviewed by independent teams

ZachXBT alleges that John Daghita gained access to government wallets through his father’s company CMDSS. After the allegations became public, CMDSS deactivated its website and social media accounts, reducing transparency around its internal controls.

Segregation of duties and key ceremony documentation requirements

No single person should be able to request, approve and execute a crypto transfer. ZachXBT’s finding that more than 23 million dollars could be consolidated into one wallet indicates that at least one of these safeguards failed.

Government custody systems require:

  • Separate staff to initiate transactions
  • Independent approvers
  • Distinct key holders
  • Independent accounting and reconciliation
  • Documented key ceremonies with signed logs, identity verification and video recordings
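
The segregation-of-duties and approval-threshold rules above can be checked mechanically against a custody audit log. The following is an added example, not code or data from USMS, CMDSS or the original article; the record fields, names, amounts and policy tiers are all constructed assumptions.

```python
# Constructed audit records (not real data); field names are assumptions.
AUDIT_LOG = [
    {"tx": "T-001", "amount_usd": 50_000, "initiator": "alice",
     "approvers": ["bob", "carol"], "signers": ["dave", "erin"]},
    {"tx": "T-002", "amount_usd": 5_000_000, "initiator": "mallory",
     "approvers": ["mallory", "bob"], "signers": ["mallory", "erin"]},
    {"tx": "T-003", "amount_usd": 2_000_000, "initiator": "alice",
     "approvers": ["bob"], "signers": ["dave", "erin"]},
    {"tx": "T-004", "amount_usd": 900_000, "initiator": "alice",
     "approvers": ["bob", "bob"], "signers": ["dave", "erin"]},
]

# Hypothetical policy: (upper bound in USD, minimum independent approvers).
APPROVAL_TIERS = [(1_000_000, 2), (float("inf"), 3)]
MIN_SIGNERS = 2  # hypothetical key-holder quorum


def required_approvers(amount_usd):
    """Return the approver count demanded by the first tier the amount fits."""
    for ceiling, needed in APPROVAL_TIERS:
        if amount_usd <= ceiling:
            return needed


def check_transfer(rec):
    """Return a list of segregation-of-duties findings for one transfer."""
    findings = []
    approvers = set(rec["approvers"])   # a set collapses duplicate approvals
    signers = set(rec["signers"])
    if rec["initiator"] in approvers:
        findings.append("initiator approved own request")
    if rec["initiator"] in signers:
        findings.append("initiator also signed")
    if approvers & signers:
        findings.append("approver also signed")
    need = required_approvers(rec["amount_usd"])
    independent = approvers - {rec["initiator"]}
    if len(independent) < need:
        findings.append(f"{len(independent)} independent approvers, {need} required")
    if len(signers) < MIN_SIGNERS:
        findings.append("signer quorum not met")
    return findings


def audit(log):
    """Map transaction id -> findings, for transfers that violate policy."""
    return {r["tx"]: f for r in log if (f := check_transfer(r))}


if __name__ == "__main__":
    for tx, findings in audit(AUDIT_LOG).items():
        print(tx, "; ".join(findings))
```

Counting distinct principals rather than approval events is what catches T-004, where one approver is recorded twice to satisfy a two-approval rule.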

Recovery prospects and governance: tracing, freezes, oversight, incident response

On-chain analysis: ZachXBT signals and coordinated freeze requests

ZachXBT’s on-chain analysis enables exchanges and stablecoin issuers to freeze stolen government crypto when it moves.


ZachXBT reconstructed the theft using a Telegram screen share, identifying a Tron address holding 2.3 million dollars, a 6.7 million dollar ETH transfer, and a consolidated wallet that received 24.9 million dollars from a US government address in March 2024.


When stolen funds reach centralized exchanges or stablecoin issuers, law enforcement can issue freeze orders. Funds routed through instant exchanges, bridges or privacy tools are much harder to recover.


Oversight by DOJ and USMS: incident response playbooks

Oversight of US Marshals crypto custody is handled by the Department of Justice Office of the Inspector General.

A DOJ audit previously found that the US Marshals Service relied on spreadsheets and weak inventory tracking, even while key storage itself was secure. This creates blind spots where funds can move before alarms are triggered.

In a breach, federal agencies follow NIST incident response frameworks that include detection, containment, investigation and recovery, even though detailed USMS crypto playbooks are not public.


Source: https://coincu.com/analysis/zachxbt-links-40-million-us-government-wallet-theft-to-son-of-federal-crypto-custodian-ceo/