How the Son of a USMS Contractor Stole Cryptocurrency from the US Government for Years

A scandal has erupted in the cryptocurrency community surrounding John Daghita, who is accused of stealing over $90 million in crypto assets, including funds from wallets controlled by the US government. According to an investigation by the well-known on-chain analyst ZachXBT, the thefts occurred between 2024 and 2025, with funds being transferred to addresses linked to the suspect.

Background of the Incident

The transfers from government wallets initially appeared as routine asset movements and did not raise suspicions. However, in January 2026, a dispute broke out in a Telegram hacker community about who had stolen more cryptocurrency. One participant, known as "John" or "Lick," accidentally revealed control over the wallets where the funds were flowing during the argument. During the online quarrel, he shared a screenshot of his Exodus Wallet, displaying addresses with millions of dollars in ETH and TRON, including $2.3 million on the address TMrWCLMS3ibDbKLcnNYhLggohRuLUSoHJg and an additional $6.7 million on 0xd8bc7ea538c2e9f178a18cc148892ae914a55d08.

ZachXBT analyzed the dispute records and traced the transaction chain backward. It turned out that part of the funds came from addresses associated with seizures by the US Marshals Service (USMS), including the theft of $24.9 million from a wallet linked to the Bitfinex hack in March 2024. In total, estimates suggest Daghita controlled inflows of over $63 million from suspicious sources in the fourth quarter of 2025, including $13.5 million from the address 0x77a722bf33787c3512d0f4fc36412140057f4223 and $15.4 million from 0xf51b044f998277b17467cd713d72b403e16fad48.

Connection to CMDSS

A key revelation was Daghita's family ties. His father owns Command Services & Support (CMDSS), which in October 2024 received a contract from the USMS for managing and selling confiscated crypto assets. This Virginia-based firm provides IT services to the government, including storage and disposal of seized assets. It is believed that access to government wallets through his father's company allowed Daghita to carry out the thefts without immediate detection.

Earlier, in September 2025, Daghita had already been arrested on suspicion of cybercrimes, but the connection to government thefts only surfaced thanks to boasting in Telegram. After ZachXBT published the investigation, the suspect deleted NFT usernames from his Telegram account and changed his nickname, and also sent a "dust attack" to the analyst's public address zachxbt.eth, a transaction of 0.0067 ETH ($20.01) with hash 0x25d3b02b17ccf5f0867bfbaa86c4cb918766d2b79e30cdcb7847298febfa2d15.

Reaction and Consequences

The US Marshals Service has initiated an investigation into the incident, expressing concerns about the security of cryptocurrency storage. This case highlights vulnerabilities in government contractor supply chains and raises questions about oversight of confiscated assets. In the crypto community, discussions are ongoing about how boasting in chats led to the downfall of a "brilliant hacker" who stole millions but fell victim to his own stupidity.

The total volume of thefts in the crypto industry in 2025 exceeded $3.4 billion, and incidents like this only intensify calls for improved security. Daghita has not yet been arrested on new charges, but evidence from on-chain analysis and dispute records makes the case promising for law enforcement.