ZachXBT Uncovers Crypto Theft Network Linked to US Government Seizure Funds
Key takeaways
- Live wallet activity led to attribution. ZachXBT linked a user known as “John” or “Lick” to over USD 90 million in suspected illicit funds through real-time wallet exposure on Telegram.
- Bitfinex seizure funds traced to suspect. Roughly USD 24.9 million from a US government-controlled wallet tied to Bitfinex was traced to wallets attributed to “John.”
- Funds moved using laundering patterns. Assets were split, cycled through exchanges and bridges, then reconsolidated — a common laundering structure.
- Alleged link to custody contractor. ZachXBT alleged the suspect may be related to an executive at a firm contracted by the US Marshals Service. Claims remain unverified.
On January 23, 2025, blockchain investigator and TRM partner ZachXBT publicly disclosed, via his X account, findings linking a pseudonymous crypto user known as “John” or “Lick” to more than USD 90 million in suspected illicit cryptocurrency activity, including funds tied to a US government-controlled wallet holding seized assets from the 2016 Bitfinex hack. These seized funds, in part, would contribute to the US Strategic Bitcoin Reserve referenced in the March 2025 Executive Order on Digital Assets.

The exposure stemmed from live wallet activity during a private Telegram exchange, providing rare real-time attribution evidence.
January 23, 2025: Public disclosure by ZachXBT
On January 23, 2025, ZachXBT published an investigation alleging that an individual operating under the handles “John” and “Lick” controlled a network of wallets associated with multiple fraud and theft schemes. ZachXBT further alleged that the individual’s real name is John Daghita and that he may be related to Dean Daghita, president of Command Services & Support (CMDSS), a Virginia-based firm awarded a US Marshals Service contract in October 2024 to assist with custody and disposition of certain classes of seized cryptocurrency.
These allegations have not been adjudicated in court, and no criminal charges have been announced in connection with the claims.
Origins of the attribution: Telegram “band-for-band” exchange
The investigation originated earlier on January 23 during a recorded dispute in a private Telegram group, where several pseudonymous but well-known crypto participants engaged in a “band-for-band” exchange. In this context, participants attempted to prove relative wealth by displaying and moving cryptocurrency holdings in real time.
During the exchange, the user known as “Lick” screen-shared an Exodus wallet displaying a TRON address holding approximately USD 2.3 million. Over the course of the interaction, an additional USD 6.7 million in ether was transferred live into an Ethereum address. By the end of the exchange, roughly USD 23 million had been consolidated into a single wallet.
Because the transactions occurred live and were accompanied by screen-sharing, ZachXBT was able to directly observe address control, transaction hashes, and wallet consolidation behavior, enabling high-confidence attribution.
On-chain tracing and link to government-controlled wallets
Tracing the consolidated wallet activity backward, ZachXBT identified flows originating from a US government address that received seized funds from the 2016 Bitfinex hack. Specifically, one upstream transaction showed a transfer of approximately USD 24.9 million from a government-controlled wallet in March 2024.
ZachXBT had previously flagged anomalous activity involving that government wallet in October 2024, when approximately USD 20 million was drained. The majority of those funds were reportedly returned within twenty-four hours, though roughly USD 700,000 routed through instant exchanges was not recovered.
The January 23 wallet consolidation placed remaining funds into an aggregation address labeled “John b4b,” reflecting deliberate reconsolidation rather than incidental exposure.
Observed laundering patterns
The traced activity reflects a familiar laundering structure. Funds moved from victim and seizure-linked addresses into intermediary theft wallets, where value was split, recombined, and cycled through multiple hops. Assets were routed through a combination of centralized exchanges, non-custodial services, decentralized exchange infrastructure, and cross-chain swap mechanisms, consistent with efforts to introduce liquidity and obscure provenance before reconvergence.

The TRM visualization above, which was shared by ZachXBT on X, illustrates repeated interactions between exchange services, theft addresses, and the final aggregation wallet attributed to “John.”
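The split-then-reconverge shape described in this section can be detected mechanically on a transfer graph. The sketch below is an added example, not TRM's or ZachXBT's tooling: it traces backward from an aggregation wallet and forward from a source wallet, then flags split and merge points. Every address label and amount in it is constructed sample data.

```python
from collections import defaultdict, deque

# Constructed sample transfers: (sender, receiver, amount). Labels are hypothetical.
TRANSFERS = [
    ("seizure_wallet", "theft_1", 100.0),
    ("theft_1", "hop_a", 40.0),
    ("theft_1", "hop_b", 35.0),
    ("theft_1", "instant_exchange", 25.0),   # leaves the traced cluster
    ("hop_a", "bridge", 40.0),
    ("bridge", "aggregation", 39.5),
    ("hop_b", "aggregation", 35.0),
    ("unrelated_sender", "aggregation", 12.0),
    ("aggregation", "cold_store", 1.0),
]

def reachable(edges, start):
    """Breadth-first search: {address: hop count} for everything reachable from start."""
    dist, queue = {start: 0}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in edges[node]:
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist

def trace(transfers, source, sink):
    """Find addresses on any source->sink path and flag split/merge points."""
    fwd, rev = defaultdict(set), defaultdict(set)
    for src, dst, _ in transfers:
        fwd[src].add(dst)
        rev[dst].add(src)
    upstream = reachable(rev, sink)            # backward trace from the sink
    on_path = set(reachable(fwd, source)) & set(upstream)
    splits = sorted(n for n in on_path if len(fwd[n] & on_path) > 1)
    merges = sorted(n for n in on_path if len(rev[n] & on_path) > 1)
    # Value that exits the traced subgraph before reaching the sink.
    leaked = sum(a for s, d, a in transfers
                 if s in on_path and s != sink and d not in on_path)
    return {
        "on_path": on_path,
        "min_hops": upstream.get(source),
        "splits": splits,
        "merges": merges,
        "leaked": leaked,
        "split_and_reconverge": bool(splits and merges),
    }

if __name__ == "__main__":
    print(trace(TRANSFERS, "seizure_wallet", "aggregation"))
```

Restricting the split and merge counts to addresses that lie on a source-to-sink path keeps unrelated inflows to the aggregation wallet from producing a false positive.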
Unverified allegations regarding custodial contractors
ZachXBT also noted that the alleged wallet controller may be related to an executive at CMDSS, a firm contracted by the U.S. Marshals Service to assist with custody of seized digital assets. Company records confirm Dean Daghita serves as president of CMDSS. ZachXBT emphasized that these claims remain allegations and should be treated as unconfirmed pending further evidence or official action.
Implications for enforcement and oversight
Any movement of funds tied to government-controlled wallets is likely under active monitoring by US authorities. The public exposure of alleged control over such assets is highly unusual; historically, investigations of this scale rely on covert tracing, exchange cooperation, and prolonged legal processes rather than voluntary disclosure.
This case underscores a recurring reality of blockchain investigations: even sophisticated laundering operations can unravel through overconfidence, public exposure, or operational error. Immutable on-chain records allow investigators to reconstruct complex financial activity over time, even when value moves across multiple chains and services.
TRM Labs works closely with law enforcement and investigative partners to provide blockchain intelligence that supports attribution, transaction tracing, risk assessment, and the disruption of illicit activity across the digital asset ecosystem. Through the Beacon Network, TRM also enables real-time collaboration between public authorities, trusted investigators like ZachXBT, and virtual asset service providers, allowing illicit transactions to be flagged quickly and supporting timely interdiction and seizure of criminal proceeds.
Frequently asked questions (FAQs)
1. Who is the individual ZachXBT linked to the suspected crypto theft network?
ZachXBT attributed the activity to a pseudonymous user known as “John” or “Lick,” and alleged that his real name is John Daghita. The claims remain allegations and have not been confirmed by law enforcement.
2. How are the seized Bitfinex funds connected to this investigation?
The investigation traces USD 24.9 million in funds from a US government-controlled wallet containing Bitfinex seizure assets to wallets attributed to “John.” Anomalous activity from this wallet was previously flagged in 2024.
3. What is a “band-for-band” exchange in crypto communities?
A “band-for-band” exchange is a wallet flex ritual on Telegram where users demonstrate wealth by displaying live wallet balances or making real-time transactions — a practice that can inadvertently expose control over sensitive addresses.
4. What laundering techniques were observed in this case?
TRM’s analysis indicates that assets were cycled through multiple wallet hops, centralized and decentralized exchanges, and cross-chain bridges — a known tactic to obscure source of funds before reconsolidation.
5. Is the individual connected to a government contractor?
ZachXBT suggested a familial link between the alleged wallet holder and Dean Daghita, president of CMDSS, a contractor for the US Marshals Service. These claims have not been substantiated and are considered unverified.