On January 26, on-chain investigators revealed that a hacker named John Daghita (alias “Lick”) is suspected of stealing more than USD 40 million in crypto assets from on-chain addresses used by the U.S. government to store law enforcement–seized assets. The largest single transaction occurred in March 2024, involving approximately USD 24.9 million in assets previously confiscated by U.S. authorities from a major hacking case.
Public analysis suggests that these funds were not obtained through a direct technical exploit, but were more likely the result of abuse of access privileges.
IT Contractor Relationship Raises Questions About Access Control
Investigations indicate that John Daghita’s father owns a company called CMDSS, which holds an active government IT contract in the state of Virginia. The company’s work reportedly includes assisting the U.S. Marshals Service in managing and disposing of crypto assets seized during law enforcement operations. Based on on-chain behavior and timeline analysis, some observers speculate that John may have gained opportunities to access relevant systems or private keys through this relationship.
On-chain data further shows that, beyond U.S. government assets, addresses associated with John are linked to more than USD 90 million in stolen funds in total, with victims including non-government entities.
Identity Exposure Triggered by Social Behavior Missteps
Notably, the exposure of this incident did not originate from an official law enforcement disclosure, but from the suspect’s own social behavior. John reportedly engaged in a private chat with another hacker in a “show-off” exchange, during which he displayed his Exodus wallet and demonstrated fund transfers. The video later circulated publicly, and the wallet address shown was confirmed to have a clear on-chain link to the March 2024 theft of government-seized assets.
Following the public disclosure of this information, CMDSS’s social media accounts, official website, and LinkedIn page all became inaccessible.
A Practical Warning for Law Enforcement Asset Management
This case highlights a new risk landscape emerging as digital assets enter law enforcement and judicial systems. Compared with traditional financial assets, crypto asset management relies heavily on private keys and access permissions. If internal controls or personnel segregation are insufficient, even lawfully sourced and seized assets can be rapidly transferred out.
From a security perspective, such risks are no longer limited to external hacking attacks, but increasingly stem from governance challenges created by the combination of internal access privileges and on-chain anonymity.
The Importance of On-Chain Traceability and Compliance Capabilities
Nevertheless, the public and traceable nature of on-chain assets continues to provide a critical foundation for investigations. Through systematic analysis of address linkages, fund flows, and anomalous behavior, investigators can gradually reconstruct transaction paths and establish evidentiary connections.
In practice, on-chain risk identification and continuous monitoring in such scenarios are becoming important supplementary capabilities for law enforcement and institutional asset management. Analytical frameworks such as Trustformer KYT are primarily used to assist in identifying anomalous transactions and high-risk associations, offering an on-chain perspective to support custody management and compliance decision-making.
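The address-linkage and fund-flow tracing described above can be sketched as follows. This is an added example, not code from the original article and not a description of how Trustformer KYT or any investigator's tooling works; every address, amount, timestamp and the approved-destination list is constructed for illustration.

```python
from collections import namedtuple

# Constructed sample ledger: all values below are invented for this example.
Transfer = namedtuple("Transfer", "tx ts src dst usd")
TRANSFERS = [
    Transfer("t1", 100, "custody_A", "disposal_desk", 1_200_000),  # approved
    Transfer("t2", 205, "custody_A", "addr_X", 5_000_000),         # not approved
    Transfer("t3", 210, "addr_X", "addr_Y", 2_400_000),
    Transfer("t4", 215, "addr_X", "addr_Z", 2_600_000),
    Transfer("t5", 150, "addr_Q", "wallet_shown", 50_000),  # predates the outflow
    Transfer("t6", 300, "addr_Y", "wallet_shown", 2_300_000),
    Transfer("t7", 90, "addr_Z", "addr_Q", 10),  # earlier than t4: not a valid hop
]
CUSTODY = {"custody_A"}        # hypothetical custody addresses under monitoring
APPROVED = {"disposal_desk"}   # hypothetical allowlist of disposal destinations

def unapproved_outflows(transfers, custody, approved):
    """Custody outflows whose destination is neither approved nor custody."""
    return [t for t in transfers
            if t.src in custody and t.dst not in (approved | custody)]

def trace_forward(transfers, start):
    """Follow funds forward in time from one transfer (earliest arrival).

    Returns {address: [tx ids of the first path that reached it]}. A hop only
    counts if it happens at or after the funds arrived at its source address.
    """
    reached = {start.dst: [start.tx]}
    for t in sorted(transfers, key=lambda t: t.ts):
        if t.ts >= start.ts and t.src in reached and t.dst not in reached:
            reached[t.dst] = reached[t.src] + [t.tx]
    return reached

def link_to_address(transfers, custody, approved, target):
    """Map each unapproved custody outflow to its path to `target`, if any."""
    links = {}
    for outflow in unapproved_outflows(transfers, custody, approved):
        path = trace_forward(transfers, outflow).get(target)
        if path:
            links[outflow.tx] = path
    return links

if __name__ == "__main__":
    # A path is an investigative lead, not proof: commingled funds at an
    # intermediate address still need amount and timing corroboration.
    for tx, path in link_to_address(TRANSFERS, CUSTODY, APPROVED,
                                    "wallet_shown").items():
        print(f"unapproved outflow {tx} reaches wallet_shown via {path}")
```

The time-ordering check is what keeps `addr_Q` out of the result: a transfer that happened before the funds arrived cannot carry them onward.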
As crypto assets become more deeply embedded in public governance systems, establishing more robust institutional boundaries between technological efficiency and access security will remain a long-term challenge for regulators and enforcement agencies.