The U.S. Marshals Service is investigating serious allegations that more than $40 million in seized digital assets were siphoned from government-controlled wallets by John Daghita, known online as “Lick.”
The claims were made public on January 23, 2026, by prominent blockchain investigator ZachXBT, and point to a potential insider breach involving a federal crypto custody contractor.
How the Alleged Scheme Worked
According to the on-chain analysis shared by ZachXBT, the alleged theft did not occur through a single exploit. Instead, the funds were reportedly drained gradually over several months, reducing the likelihood of immediate detection.
1/ Meet the threat actor John (Lick), who was caught flexing $23M in a wallet address directly tied to $90M+ in suspected thefts from the US Government in 2024 and multiple other unidentified victims from Nov 2025 to Dec 2025. pic.twitter.com/SBAFU5hTnE
— ZachXBT (@zachxbt) January 23, 2026
The assets were traced from government seizure addresses to wallets allegedly controlled by Daghita, before being routed through decentralized protocols and privacy mixers. This method is commonly used to obscure transaction trails and complicate forensic tracking.
Some of the funds are believed to originate from assets seized in connection with the Bitfinex hack dating back to 2016.
The Federal Contract at the Center
John Daghita is the son of Dean Daghita, president of Command Services & Support (CMDSS), a Virginia-based IT firm. CMDSS was awarded a federal contract in October 2024 to assist the U.S. Marshals Service in managing and disposing of seized “Class 2–4” digital assets, primarily altcoins and less liquid tokens.
The allegations suggest that insider access tied to this custodial role may have been exploited, raising questions about segregation of duties, access controls, and audit mechanisms surrounding government-held crypto wallets.
Silence From Authorities, Sudden Company Retreat
As of January 26, 2026, the U.S. Marshals Service has not issued a public statement confirming the investigation, nor has it announced internal audits or disciplinary actions. No formal criminal charges have been filed at this stage.
CMDSS, however, took swift action following the public exposure. The company deactivated its website and social media accounts, including X and LinkedIn, and removed employee information from public-facing pages, moves that have further fueled speculation.
A Broader Problem With Crypto Oversight
The incident has intensified scrutiny over how U.S. authorities manage seized digital assets. In February 2025, prior reports already indicated that the U.S. Marshals Service struggled with inventory management, at times unable to accurately estimate the total value of crypto assets under its control.
If substantiated, the current allegations would represent one of the largest known losses of government-held cryptocurrency, highlighting structural weaknesses in custody frameworks that were originally designed for traditional assets, not programmable, bearer-based money.
Why It Matters
Beyond the immediate legal implications, the case underscores a systemic risk: as governments seize and hold increasingly large volumes of digital assets, operational security and internal controls become just as critical as enforcement itself.
For institutional and sovereign holders alike, the episode serves as a stark reminder that crypto custody failures are not limited to exchanges and DeFi platforms, they can occur at the very heart of state-managed infrastructure.
