A crowbar is the beginning of some heists. This one started with a group chat insult. In January 2026, a 21-year-old wanted to win an argument in a private Telegram channel. So he did what a certain type of crypto trader does when confronted by a stranger who thinks the money is fake: He opened a wallet on the screen and played around with the money. It did, the bragging rights lasted for about as long as they do on the internet. What he unknowingly had given that stranger on the other side of the argument was an on-chain trail with a timestamp all the way back to wallets he thought were tightly controlled and bound in the safekeeping of the United States government.
Two months later, French tactical officers were outside a rented villa on a small Caribbean island, and the young man from that Telegram argument, John Daghita, was in handcuffs. He is alleged by the FBI to have defrauded the U.S. Marshals Service, the federal agency that seizes cryptocurrency and other digital assets in criminal cases until courts determine their disposition, of more than $46 million in cryptocurrency.
What’s so special about this case is not just the amount of the sum, $46 million is a lot of money by today’s crypto-criminal standards. It’s what Daghita is alleged to be. He wasn’t an external hacker who used a firewall to get in. Federal prosecutors say he was an insider, a “keys to the kingdom” sort of guy. Daghita actually had a job at a small Virginia contracting company that the Marshals Service trusted to help secure its digital assets after they were seized and it was the position of Cryptocurrency Subject Matter Expert. His father was the head man of that firm.
It is the saga of how that access allegedly was used, the bragging match in a private chat room that unraveled the entire scheme, and the case that started with a screen recording that led to a federal indictment, an international manhunt, and a fast-tracked extradition out of the French Caribbean.
Who is John Daghita?
Investigators say that at the time of the theft, 21-year-old John Daghita (his full name in federal court records is John Dean Daghita). He had a childhood of being surrounded by the family business. His father, Dean Daghita, is president of Command Services & Support, or CMDSS for short, a Virginia-based company that has been in business for over a decade and supplies IT and operational support services to federal agencies including the Department of Defense and the Department of Justice. A copy of the company’s marketing literature from a prior year paints a picture of a company that centers on management strategy, enterprise IT solutions, systems administration and electronic security work, the stuff that doesn’t necessarily make headlines. Prior to this case, CMDSS was a small fish in a big pond and was known, if at all, only for its one “mission-critical” contract, which would eventually be the subject matter of a national news story.
In this world, Daghita had another name. He was known as “Lick” or “John” in crypto trading circles and on Telegram and had acquired a minor online persona for his habit of flaunting his wallet balance and baiting other traders, a persona that would come back to bite him in the behind. Prior to his arrest, few had related the internet character “Lick” to a non-public Virginia government contractor’s son.
In January 2025, that is when things changed, when the federal indictment against him alleges that he was hired by CMDSS as a “Cryptocurrency Subject Matter Expert. This was no casual thing, nor was it a clandestine use of the kid borrowing his dad’s laptop at night. Daghita actually worked a job, actually played a role and prosecutors say he actually had access to the hardware wallets that CMDSS held cryptocurrency in, which the U.S. Marshals Service seized. He previously had his role at the company on his LinkedIn profile. It was lost not long after the allegations were made public, as was the rest of CMDSS’s online presence.
It’s not clear whether Dean Daghita knew how his son was allegedly using that access, and as of the last report, he has not been charged in the case. But that’s what blockchain investigator ZachXBT said in the post when he first connected the dots publicly, raising the alarm in January 2026, and saying that it was unclear how exactly the younger Daghita had acquired the level of access that he apparently had. What is becoming apparent is that the system, whatever it resembled day-to-day, placed a 21-year-old man with a showy online personality in a position to move tens of millions of dollars in taxpayer and forfeiture funds without anyone else being involved.
How a Contractor’s Son Got the Keys to Millions in Seized Crypto
Unfortunately, the answer to why any of this was supposedly possible is to understand what CMDSS did for the government. In October 2024, the U.S. Marshals Service awarded it a contract valued at approximately $4 million to assist in the management of what it internally refers to as class 2-4 cryptocurrency that, for some reason or another, cannot be easily liquidated via major exchanges.” It’s a category that can contain exotic or little-known coins, some little-used tokens, or assets that carry legal issues behind them, and may be the subject of an intricate criminal case that takes years to settle.
A handful of the properties listed under the CMDSS umbrella were actually in historic cases. Of these, multiple reports detail assets associated with the hacking of one of the largest cryptocurrency exchanges, Bitfinex, in 2016, which resulted in federal investigators recovering billions of dollars in bitcoin in 2022, followed by guilty pleas from the couple later found guilty of laundering the bitcoin. It seems that years after that recovery, part of the recovered money was still in government-controlled wallets awaiting processing and for sale when Daghita allegedly got hold of it.
The CMDSS setup had already come under the spotlight even before the claims of theft were made. One of those companies, Wave Digital Assets, protested the initial award of the contract in October 2024 on the grounds that CMDSS did not have the necessary registrations, and questioned whether a former Marshals Service official might have been involved in a conflict of interest. The GAO considered the complaint and denied the protest, which meant that the contract could proceed as scheduled. Looking back, it seems like a red flag that was ignored by all but a handful of contracting experts.
What was revealed later is that the government’s seized crypto was said to have been held in hardware wallets held in an Arlington, Virginia, office of CMDSS in a so-called single-signer configuration. That is, one person’s private key was all that was required to transfer the money. There was no second person to approve things, no multi-signature process and no separation of duties between the day to day wallet manager and the person with the authority to remove money from the wallet. It was the type of single point of failure our crypto wallet security guide warned every day holder of cryptocurrencies to look out for and yet it was residing under the hands of tens of millions of dollars of government money. It is a very thin layer of security for an office that has tens of millions of dollars in taxpayer and forfeiture funds and it is the detail that made an obscure back-office IT contract a national news story.
The Marshals Service Has Been Here Before
Let’s take a moment to consider what it is the U.S. Marshals Service does, for this is the reason why this story hit so hard. The agency is the chief manager of property seized and forfeited in federal criminal cases across the country. For much of its history, that was cars, boats, houses and stacks of cash that came out of the drug investigations. For the last decade, it has become more and more synonymous with cryptocurrency, seized in takedowns of dark web markets, in romance scams and pig butchering scams, in ransomware incidents and in large-scale hacks of cryptocurrency exchanges. The agency now has hundreds of millions of dollars in digital assets at any given time, scattered across a jumble of internal systems and outside contractors, and estimates based on the reporting on the case in recent weeks suggest the government has taken control of some $600 million in digital assets in its seizures over the past few weeks. When you multiply that volume by dozens of cases that are happening right now, it’s easy to understand why proper and centralized accounting has been so difficult to achieve.
This is not the first instance of someone with access to the government’s cryptocurrency case taking advantage of the situation. In 2015, two federal agents involved in the initial Silk Road dark web marketplace investigation (one from the DEA, the other from the Secret Service) were separately convicted of diverting the proceeds of the Silk Road investigation to their own accounts during the running of the case against Silk Road’s operator. It’s one of the less-heralded instances of in-house corruption in the early days of crypto law enforcement and a type of vulnerability that in this post-freakcase age is known to keep opening up new doors.
The common thread across both cases is access without accountability. When someone is given the keys to a government crypto wallet, whether a badge or job title, it’s typically a person’s integrity that is the biggest driver for the system rather than structural protections that would detect issues early. The Daghita case has once again brought into focus a debate that first erupted a decade ago and has yet to settle: should the government hold this much cryptocurrency via small contractors and individual custodians, or through the type of regulated, multi-party custody systems required of banks and licensed exchanges for their clients?
How the Alleged Theft Unfolded, Moving the Money
The federal indictment alleges that the scheme did not occur in one fell swoop. According to prosecutors, it started around the time Daghita turned 21 on December 15, 2025, when he began making three distinct transfers, each in the hundreds of thousands of dollars, from wallets held by his employer to wallets under his sole control. Nothing more happened, at least nothing investigators publicly described, for more than a month after that.
But on January 22 and 23, 2026, prosecutors say Daghita transferred a much larger sum, some $41 million, for a total of more than $46 million in a few weeks.
Particular to the indictment is one aspect, which is extremely bold. On Jan. 22, the day the larger transfers took place, the U.S. Marshals Service (USMS) sent a message to CMDSS requesting that approximately $2 million in virtual currency be sent back to an address under its control, seemingly as part of normal business, and without any apparent suspicion of wrongdoing at the time. Around 20 minutes after that request was made, Daghita instead transferred those particular assets to a wallet that did not belong to the government whatsoever, according to prosecutors. If the accusation is true, he must have been furtively pilfering from an account that no one was monitoring. He was allegedly diverting funds in near real time, even as their rightful owner was actively asking for them back.
Prosecutors say that by the time it was over, these wallets containing more than $46 million in digital assets belonging to the government had transferred to wallets controlled by Daghita in about five weeks, while CMDSS was tasked with keeping them safe.
The Telegram Flex That Blew It Open
This scheme involved quietly draining wallets, and it unraveled in sort of the most un-stealthy manner possible. Crypto trading circles, which are sometimes known as a band-for-band exchange, are a recurring feature of the crypto world in which two individuals in an online battle attempt to prove that their wallet is bigger and more legitimate, often in real-time and sometimes with the rest of the group watching. Daghita, who used the account “Lick,” was dragged into just such a squabble in a private Telegram group with a user who would later be identified in the reporting as Dritan Kapplani Jr., a self-described alleged threat actor.
The first to make a call, reportedly Kapplani, needled Daghita and challenged him to prove he was not using fake money. Daghita played the bait. He showed screenshots of an Exodus wallet with a Tron address, which contains about $2.3 million, then screen-shared the video while transferring approximately $6.7 million worth of ether to another address to prove his point. At the end of the exchange, one of Daghita’s wallets contained a combined total of approximately $23 million.
It was a pretty good method of winning an argument in the world of an online flame war. It was also, practically, an introduction to the purportedly stolen funds, via video, in a chat group that proved to be much less private than Daghita apparently thought.
Cracking the Case: How ZachXBT Traced the Money
The recording ended up being sent to a well-known blockchain investigator, known by the pseudo-name ZachXBT, who has been uncovering scams, hacks and thefts in the crypto industry for years from publicly available information on the blockchain alone. That has been the practice of exchanges, cops and blockchain analytics firms for years, and ZachXBT has been known for doing it for years before the official investigations even get started. Based on the wallet addresses that appeared in the recording, ZachXBT was able to track the money back to wallets that were managed by the U.S. government, including one wallet that had received nearly $24.9 million from another wallet reportedly linked to the U.S. government and the Bitfinex case.
Some of the money was, in turn, funneled through cryptocurrency mixing services, which are intended to combine deposits from numerous different users to make it much more difficult to trace any one deposit back to its origin. It didn’t work. Analysts, including those involved in the FBI’s investigation, were able to demix the transactions, peeling off one layer of obfuscation at a time to maintain the trail, it was reported. That mixers slow tracing down, if they don’t stop it altogether and investigators usually have some idea of what they’re searching for.
When it comes to transactions on the blockchain, they’re designed to be permanent and public, and both are true in this instance. It’s part of the reason the supposed theft was possible to begin with, as the wallets and their histories are not hidden from anyone who knows where to look. But it’s also what has uncovered it. All transfers Daghita was alleged to have facilitated were recorded and could not be altered or deleted later without being traced, clustered and followed, even after allegedly running money through mixing services and transferring it back and forth from blockchain to blockchain to obfuscate its origin.
ZachXBT correlated the Lick persona with information suggesting it was Dean Daghita’s son and by late January 2026, he assembled enough information to go public with his findings, but first passed what he’d found on to U.S. law enforcement. That fact of bringing investigators in prior to publication is a big reason the case went as quickly as it did.
Daghita’s lack of reaction to his exposure didn’t help. Instead, he is rumored to have repeatedly trolled ZachXBT in Telegram and then sent small amounts of cryptocurrency that was allegedly stolen from the wallet to ZachXBT’s publicly known wallet address, in what is considered a dust attack. It’s a ploy sometimes employed to try to make it look as though someone’s at fault or just to irritate another user, but it was in this instance mostly a way to create another piece of evidence to an already damning chain of evidence. ZachXBT’s reply was equally caustic: Thanks for the last laugh, John.
At the same time, CMDSS’s website, LinkedIn page and X account were all silently removed from the Internet. At the end of January 2026, the U.S. Marshals Service told reporters that an investigation into the allegations was already in progress inside the agency.
Takedown in the Caribbean: The Arrest at Villa Sun Reset
Daghita was out of Virginia by early March 2026. He had moved to the small Caribbean island of Saint Martin, which is divided between the Dutch and French, and was believed to be at a villa he rented called Villa Sun Reset. French and American law enforcement finally got hold of him on March 4, 2026.
The operation was conducted by the French elite tactical unit Groupe d’intervention de la Gendarmerie nationale, based in Guadeloupe, with the participation of the International Cooperation Team Serious Crime Unit of the French Gendarmerie in Saint Martin, and the FBI. Officers allegedly used a deception tactic to have Daghita open the door and were able to arrest him without incident.
The arrest was made public the next day, with FBI Director Kash Patel posting on Twitter pictures of Daghita in handcuffs and recovered cash and hardware wallets from the Villa. He attributed the cooperation of the French forces and reported that the bureau would be doing whatever work necessary around the clock with international partners to find the individuals who attempt to defraud American taxpayers, no matter where they try to hide.
The case began with a stealthy transfer of digital assets between wallets on a computer screen and ended with a very tangible Villa, handcuffs, and a real door, all on a very real Island far, far away from Arlington, where the alleged whole thing began.
Cash, Lamborghini and Rare Telegram Handles: What Investigators Discovered
The items in the villa indicated that he was someone who had ceased to be concerned with concealing what he had. According to the arrest report, investigators discovered that the cash amounted to $239,348, a Rolex GMT-Master watch, several wallets labeled Trezor, which contained the stolen cryptocurrency, computers, phones, user IDs, passwords, and a passport. A handgun was also found on the property, loaded, as per at least one report.
That’s not the end of the spending trail outlined in the federal indictment. Prosecutors say Daghita used some of the stolen money to purchase a 2019 Lamborghini Aventador and spent over $2 million to acquire a few short, coveted Telegram username accounts, such as “@devil,” “@skid,” and “@fraud” accounts that have real value in some online communities, but that, in hindsight, seem more like a joke on Daghita’s part.
This was not particularly obscured. Most of it was found without breaking an encryption or cracking a password, but rather was in plain sight in a briefcase, on a wrist or parked in a garage. Again, as is often the case with such incidents, it’s a scheme that could be legitimately advanced, but the consequences are undone by all the normal human urges of showboating, spending fast, and trusting the wrong group chat.
Federal Indictment: What is John Daghita charged with
On March 26, 2026, a federal grand jury sitting in the Eastern District of Virginia returned a fifteen-count indictment against John Dean Daghita. The charges range from wire fraud to theft of public funds, money laundering and money transactions in violation of the law, which also includes, according to prosecutors, what Daghita did to move and try to disguise the money after the alleged theft.
It’s a timeline detailed in the indictment, which involves the transfer of the roughly $5 million on December 15, 2025, and the far larger transfer of funds on January 22 and 23 of 2026, totaling the $46 million at the heart of the case. The indictment also requests forfeiture, which asks the court to let the government keep not just the cryptocurrency, but anything that’s been bought with it, presumably the Lamborghini and whatever is left of those Telegram usernames.
Daghita was not yet arraigned on the charges, and he had not yet pleaded, due to his continued presence in French custody when the indictment was returned. In the American system of justice, he is presumed innocent until and unless prosecutors are able to prove the charges in court; nothing in the indictment itself is a finding of guilt. But a 15-count federal indictment is a big step up from an initial arrest warrant, and the Justice Department’s willingness to file it suggests that they are confident of a compelling case with hard evidence, much of which is on the blockchain ledger Daghita himself is alleged to have produced during that Telegram spat.
The charges for money laundering and unlawful monetary transactions are not merely ancillary to the theft charge. In fact, the movement or spending of money known to be the proceeds of crime, such as turning money into a vehicle, a watch or other purchases, can constitute a separate crime under federal law. The Lamborghini and Rolex don’t just feature as a colorful addition to a news story, either: They’re supposedly part of the evidence chain prosecutors intend to submit in court.
Under federal law in general, each of the charges Daghita faces has serious statutory penalties. A typical maximum sentence is twenty years for wire fraud/money laundering and a maximum of ten years for theft of government property/ stole public money. Those are maximums set by statute, not estimates of what a sentence may be, which would take into account Daghita’s criminal history, a plea agreement and the judge’s discretion.
The Extradition Process from French Custody to a US Courtroom
To arrest and hand over a suspect to an American judge is very different from arresting a suspect in the French Caribbean. Following his arrest, Daghita was jailed in French pretrial detention, believed to have been linked to Basse-Terre prison in Guadeloupe, while the French courts consider the U.S. request for his extradition.
That process can take a long time, often for many months, particularly if the defendant decides to challenge the transfer at every turn. Notably, however, Daghita did not. He reportedly requested extradition to the United States himself at his first hearing on May 21, 2026, stating he wanted to be extradited so he could appear before U.S. judges to explain himself. It’s a rare thing for a defendant to do that much damage to himself in this case, but it’s not unheard of for someone who figures that it’s better to drag out this fight in a foreign court than to move the case toward resolution.
The chamber of instruction at the Basse-Terre Court of Appeal in Guadeloupe officially confirmed the transfer request later in the month, paving the way for a speedy extradition. French officials had given the United States permission to move Daghita to the U.S. as of the latest public reporting, but it was not yet known when he would actually be transferred to be arraigned in a Virginia courtroom. There were also several reports that most, if not all, of the $46 million was already recovered, mostly because a large portion of it was said to be still in the hardware wallets taken when he was arrested. Due to the rapid pace of developments in this case, anyone who has been closely monitoring this scenario should not be surprised to hear more as Daghita’s transfer and subsequent arraignment unfold.
A Bigger Problem Than One Bad Actor
The Daghita case could easily be interpreted as an account of one irresponsible youth, with too much access and not enough sense. Well, in part. But the case is also a study in what the U.S. government does with the vast and rapidly increasing number of cryptocurrencies it seizes annually and the picture that has been painted in the reporting of the case has not been especially comforting.
The U.S. Marshals Service has admitted it does not have a precise figure on how much cryptocurrency it has at any given time in all of its current cases. In separate reporting, the same basic concern comes to the fore: “the lack of a clear and centralized policy for managing seized digital assets makes it difficult to account for, secure, and ultimately maximize the value of what is being held on behalf of the public. That’s not just an accounting problem when an agency is holding hundreds of millions of dollars of seized cryptocurrency in a big sprawl of contractors, offices and individual wallets. It is precisely the kind of opening which enabled a case such as this to occur in the first place.
It was not one of these things that no one noticed, a technical failure in some systems architecture document in the middle of the Daghita case. The way the contract was set up, it’s basically the same thing as the design itself: one contractor, one office, one set of keys, and controlling access to tens of millions of dollars in government property. So if you are looking for a non-technical explanation of the fact that a single private key can control a lot of money, we’ve got you covered with our guide to generating and storing private keys. Security researchers who have looked at the situation since have noted that the fixes required are pretty straightforward and involve things such as having a regulated, multi-signature custodian like a bank-chartered trust company, or an SEC-registered investment adviser with an independent qualified custodian, as opposed to a tiny IT contractor with a single point of failure.
There are still issues of oversight that predate the theft allegations, too. Well before anyone even suspected a theft was taking place, the original GAO protest centered around the manner in which the contracts for awards were awarded. The claims were publicly disclosed following this and the same firm was said to have filed a complaint with the Justice Department’s Office of Inspector General (OIG), requesting a formal investigation into the process of awarding the contract and requesting monitoring of the contract in the future. It remains to be seen whether or not the review has any impact on how future custody contracts will be structured.
This is happening at a time when the federal government is paying more attention to its cryptocurrency assets, with a recent executive order mandating the development of a centralized digital assets reserve, which will include a portion of the bitcoins and other tokens it already owns as forfeited assets. The aim of that policy was to regard seizures of crypto as an asset to be held as long-term strategic, not individually auctioned off. The Daghita case is sort of an unplanned stress test of that broader effort, a very public example of what can go wrong when custody and oversight don’t keep up with the size of those assets that would require responsible management for a reserve of that size.
While blockchain data renders money traceable long after the transaction, it’s only useful if those tasked with monitoring it are actually monitoring it closely enough to spot issues before they become eight-figure losses, officials at TRM Labs, the blockchain data firm that assisted the investigation, have said. The difference between the abilities to trace a theft and prevent it is where the Daghita case spent the majority of its existence for six weeks.
What’s next for John Daghita?
At this stage, assuming that extradition is granted and the majority of the purportedly stolen funds has been recovered, the case enters its next phase: a future arraignment in the Eastern District of Virginia and any mixed bag of pretrial motions, plea negotiations, or trial preparations that may be common to a case this large and complex.
In addition to the forfeiture proceedings set forth in the indictment, if convicted, Daghita would be subject to the maximum federal prison terms for wire fraud, theft of public funds, money laundering and unlawful monetary transactions. He’s reportedly said that he’s not seeking an extradition hearing anymore, so some case watchers have suggested that a deal might eventually become a possibility, although nothing has been officially said and the case is still in its early stages.
Whatever its impact is on Daghita as an individual, the case has already had an effect that will be difficult for the U.S. Marshals Service and the federal government at large to undo: It has brought to light just how weak the protections were for seized cryptocurrency. It is likely that more changes to the way future custody contracts are formed, more of the same in terms of reporting as the criminal case against Daghita continues to move through the federal court system over the next few months, and continued examination of the CMDSS contract.
It is going to be far trickier for CMDSS to salvage its reputation, no matter the outcome of the criminal case. After having been trusted with sensitive federal business, the company’s name is forever linked to one of the more bizarre insider theft incidents in the brief history of the government crypto custody business, and the company has no website and no social media presence. It remains to be seen what future federal work, if any, the company will have, or whether Dean Daghita’s involvement in a contract that is now the subject of a fifteen-count indictment will also be subject to further investigation.
The Bigger Lesson
It’s a little ironic that there’s a little ironic at the heart of this story. Among the other jobs of the U.S. Marshals Service is to recover stolen funds, such as the Bitfinex bitcoin that the hackers allegedly ended up in the same wallets as Daghita allegedly did. This agency was created, in part, to recover these stolen funds and it appears they were hit with a hefty portion of its own cryptos.Created partly to recover these stolen funds, it appears that an agency lost a significant portion of its own holdings to an insider with a job title and a set of keys.
In addition, it is a case that barely warranted a high-tech federal investigation. In a group chat, where no one outside of that Telegram channel will ever remember, he’s the one who made a security mistake that turned into a major expense for tens of millions of dollars that was exploited by Daghita to catch him up, and he’s the one who provided the investigators with the trail that ended his run. No matter what happens in court over the coming months, the case has already become the benchmark for anyone considering the custody of high-value digital assets whether of the public or private variety and the number of hands that should be on them.