On-chain detective ZachXBT has identified the perpetrator who siphoned off $40 million from a US government wallet. The address was used for storing confiscated funds.
In case you are curious how John Daghita (Lick) was able to steal $40M+ from US government seizure addresses.
John’s dad owns CMDSS, which currently has an active IT government contract in Virginia.
CMMDS was awarded a contract to assist the USMS in managing/disposing of… https://t.co/lzR2a1aidA pic.twitter.com/PV0IkSuhVy
— ZachXBT (@zachxbt) January 25, 2026
The culprit was identified as a user with the nickname John “Lick” Daghita, the son of Dean Daghita, CEO of CMDSS.
In October 2024, this firm secured a contract from the US Marshals Service to manage and dispose of confiscated cryptocurrencies classified as “Class 2-4.” This category includes coins not listed on major centralized exchanges.
Investigation
ZachXBT’s attention was drawn to a video recording of a conflict in a Telegram chat. A user named Lick was attempting to prove his financial superiority to opponents.
In the screen recording, the suspect displayed an Exodus wallet, which held approximately $2.3 million on its TRON address. Subsequently, in real time, John Daghita revealed another address on the Ethereum network, transferring $6.7 million to it.
3/ In part 1 of the recording Dritan mocks John however John screenshares Exodus Wallet which shows the Tron address below with $2.3M:
TMrWCLMS3ibDbKLcnNYhLggohRuLUSoHJg pic.twitter.com/jvcjIVEpaE— ZachXBT (@zachxbt) January 23, 2026
By the end of the conflict, one wallet had accumulated $23 million.
The on-chain detective linked these funds to the address 0xc7a2. In March 2024, $24.9 million was transferred to it from a government account holding confiscated Bitfinex assets.
ZachXBT reported the theft of approximately $20 million back in October of that year. Most of the funds were returned within a day, but $700,000, withdrawn through exchanges, could not be traced or recovered.
Another address belonging to Lick was linked by the expert to inflows of $63 million from suspected victims and government seizure addresses in the fourth quarter of 2025.
8/ 0xd8bc is tied to $63M+ inflows from suspected victims and government seizure addresses in Q4 2025.
Dec 2025
$13.5M
0x77a722bf33787c3512d0f4fc36412140057f4223
$15.4M
0xf51b044f998277b17467cd713d72b403e16fad48
Nov 2025
$3M
TACZPnbg2Fi2ppC3cGxQxZb95SqwAZVAw9
$1M… pic.twitter.com/3BjyLGXYhP— ZachXBT (@zachxbt) January 23, 2026
Fraudster’s Reaction
ZachXBT published the Telegram account identifier of the perpetrator, after which he promptly deleted all his NFT names and changed the display name in his profile.
Later, Daghita sent the on-chain detective $20 in ETH from one of the wallets linked to the theft.
Amid the uproar, the company’s website, as well as its pages on X and LinkedIn, were deactivated. The subject of the investigation started a Telegram channel.
Update: John Daghita (Lick) began trolling again on Telegram shortly after my post pic.twitter.com/iDHX5QpRcE
— ZachXBT (@zachxbt) January 25, 2026
ZachXBT also shared photos of John Daghita flaunting expensive watches and cars.
Only the son flexes watches / cars / pj pic.twitter.com/TW0HJYbhbn
— ZachXBT (@zachxbt) January 25, 2026
Back in December, the on-chain detective tracked a fraudster who stole over $2 million in a year using social engineering techniques.