The US Marshals Service (USMS) says it is investigating a potential breach of its digital wallets, which hold billions in seized crypto, after an internet sleuth linked a $60 million theft to a hacker bragging about it on “The Com.”
-
Hackers allegedly drained more than $60M from government-linked crypto wallets — and bragged about it online.
-
An on-chain investigator spotted the theft during a hacker argument, triggering a federal probe.
-
One suspect may be tied to a contractor that helps manage seized government crypto assets.
The USMS, which manages crypto seized or forfeited in federal criminal cases, confirmed the investigation to Bloomberg News on Wednesday, without providing any details.
What's more, it appears the hacker's father runs a Virginia-based company contracted with the federal government to help the US Marshal Service liquidate its seized assets.
“At this time, we will not be making any statement as the matter is under investigation,” an agency spokesperson said in the email.
One of the USMS crypto wallets was allegedly drained of more than $60 million in late 2025, with another $24 million heist observed by ZachXBT dating back to October 2024.
How the $60M wallet breach was exposed
Digital investigator ZachXBT uncovered the purported theft after recognizing government-linked wallet addresses, “screenshared” during an online argument between two hackers trying to prove who had more crypto in their wallets.
The self-proclaimed 2D investigator said he simply began “tracing backwards to verify the source of funds.”
Patrick Witt, executive director of the President’s Council of Advisors for Digital Assets, acknowledged the claims on X earlier this week, posting that he was “on it.”
Update: Patrick Witt (Executive Director for the US President’s Council of Advisors for Digital Assets) & USMS have both stated they are looking into the incident. pic.twitter.com/swzg3PsUVD
undefined ZachXBT (@zachxbt) January 27, 2026
It all took place in a group chat on The Com – an online ecosystem made up of multiple cybercriminal networks that has grown exponentially over the past four years, according to an FBI public service warning.
Short for “The Community,” The Com has thousands of members, many of them minors, carrying out a wide range of digital crimes across the US, Canada, and the UK, including child sex abuse and offline violence.
ZachXBT shared a series of posts on X this week, saying he believes the attacker-controlled wallets are linked to more than $90 million in suspected thefts, including $23 million of government-seized crypto funds.
Hackers allegedly exposed themselves in crypto flex fight
Apparently, unaware he was being recorded, the suspect – a threat actor known as John “Lick” Daghita – was boasting about his crypto stash to another hacker, Dritan Kapplani Jr., during a “heated argument” on The Com.
In fact, these boasting sessions are a common occurrence among members and even have their own nickname: “band for band,” or “b4b.”
“Meet the threat actor John (Lick), who was caught flexing $23M in a wallet address directly tied to $90M+ in suspected thefts from the US Government in 2024 and multiple other unidentified victims from Nov 2025 to Dec 2025,” one X post reads.
In another bizarre twist, it seems John “Lick" reached out to ZachXBT on Monday, actually sending him approximately "0.6767 ETH ($1.9K) of the stolen government funds to his public wallet address.
ZachXBT posted that any stolen funds he receives will be sent directly to a USG seizure address.
Family contractor link raises red flags
On Tuesday, the on-chain detective connected even more dots, alleging the suspect's family business – CMDSS – "currently has an active IT government contract to assist the USMS in managing/disposing of seized/forfeited crypto assets.”
Dean Daghita, president of CMDSS, happens to be John Daghita's father.
“In case you are curious how John Daghita (Lick) was able to steal $40M+ from US government seizure addresses,” ZachXBT wrote.
Listed as a verified Service Disabled Veteran Owned Small Business and founded in 2011, Command Services & Support Inc., CMMDS describes itself as "a proven provider of mission-critical services to the Department of Defense and Department of Justice."
ZachXBT also couldn't help but point out the stupidity of publicly showing proof of wallet ownership, addresses and all.
“Threat actors continue showing off stolen funds in leaked recordings rather than simply just staying quiet after an alleged theft from the US Government… making this an easy future case for law enforcement,” he said.
The US Marshals Service oversees custody, liquidation, and disposal of digital assets seized during federal investigations, in addition to protecting judges, tracking fugitives, and operating the US witness protection program.
A Freedom of Information Act request obtained by The Rage last year revealed that the US Marshals Service was holding 28,988 forfeited bitcoin worth roughly $3.4 billion as of July.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked