The identity of a suspect who gained access to government wallets holding confiscated cryptocurrency and allegedly stole the funds has been revealed

Scandal of the year: confiscated U.S. crypto ends up in private hands

28.01.2026

261

5 min

In early 2026, investigators managed to link suspicious transfers of confiscated cryptocurrency to a real individual and confirm the criminal nature of the transactions. It turned out that the U.S. government lost $25 million worth of crypto. GetBlock AML Research presents the details of one of the most high-profile cases of 2026 so far.

Key Takeaways

  • Blockchain detective ZachXBT linked a user operating under the aliases “John” and “Lick” to more than $90 million in allegedly illicit funds by observing real-time activity of his crypto wallets during Telegram conversations.
  • Approximately $24.9 million held in a wallet controlled by the U.S. government and tied to the Bitfinex hack case was transferred to wallets attributed by ZachXBT to “John.”
  • The funds were split into smaller amounts, routed through exchanges and intermediary services, and later consolidated again — a common technique used to obfuscate transaction trails.
  • ZachXBT suggested the suspect may be connected to an executive at a company contracting with the U.S. Marshals Service. These claims have not been confirmed.

Publication of the Investigation

On January 23, 2025, blockchain detective ZachXBT publicly shared the results of his investigation on X, linking an anonymous crypto user known as “John” and “Lick” to more than $90 million in suspicious crypto activity. This total included funds associated with a wallet controlled by the U.S. government that stored assets seized after the 2016 Bitfinex exchange hack.

Some of these confiscated assets were later expected to become part of the so-called U.S. Strategic Bitcoin Reserve referenced in the March 2025 executive order on digital assets.

The discovery was made possible by real-time wallet activity during private Telegram conversations — a rare situation that allowed direct observation of who was actually controlling the digital funds.

Investigation Details

That day, ZachXBT published findings claiming that the individual using the aliases “John” and “Lick” controlled a network of crypto wallets linked to various scams and thefts. He also stated that the person’s real name may be John Dagita and that he could be related to Dean Dagita, the president of Command Services & Support (CMDSS), a Virginia-based company.

John Dagita

In October 2024, this company received a contract from the U.S. Marshals Service to assist with the storage and management of certain types of confiscated cryptocurrency.

How the Suspect Was Identified

Several well-known anonymous members of the crypto community took part in a so-called “band-for-band” exchange — an informal contest in which participants attempt to prove financial dominance by displaying and moving assets in real time.

During the exchange, the user known as “Lick” shared his screen and showed a crypto wallet containing an address with a balance of roughly $2.3 million. During the live conversation, an additional $6.7 million worth of Ethereum was transferred to another address. By the end of the exchange, approximately $23 million had been consolidated into a single wallet.

Because all transactions occurred in real time and were accompanied by screen sharing, ZachXBT was able to directly observe wallet control, transaction IDs, and the fund consolidation process. This allowed him to identify with a high degree of confidence who was controlling the funds.

Transaction Analysis and Links to Government Wallets

By tracing the flow of funds backward, ZachXBT discovered that part of the money originated from a wallet controlled by the U.S. government that held assets seized after the 2016 Bitfinex hack. One transaction in particular showed a transfer of approximately $24.9 million from such a government wallet in March 2024.

Earlier, in October 2024, ZachXBT had already flagged suspicious activity involving the same wallet, when roughly $20 million was withdrawn. Most of those funds were reportedly returned within 24 hours, but around $700,000 that passed through instant swap services could not be recovered.

Network graph linking Dagita’s addresses to confiscated assets. Visualization: ZachXBT

Actions by U.S. Authorities

On January 26, it was reported that the U.S. Marshals Service had launched an investigation into John Dagita. At this time, he is considered the primary suspect in the theft of more than $25 million in cryptocurrency from the U.S. government.

Subscribe to Getblock Magazine and stay up to date with the latest news from the world of cryptocurrencies and the digital economy