The Federal Bureau of Investigation (FBI) arrested the son of a US government contractor on Wednesday for allegedly stealing over $46 million in cryptocurrency from the US Marshals Service.
The result stemmed from a January investigation carried out by crypto sleuth ZachXBT.
FBI Nabs Alleged Government Crypto Thief Abroad
Authorities arrested John Daghita, known online as “Lick” in the Caribbean Island of Saint Martin. The news came less than two months after news surfaced that Daghita had allegedly stolen tens of millions of dollars from US government seizure addresses.
The first to reveal it was ZachXBT. In a social media post from earlier this year, the crypto sleuth revealed that Daghita’s father owns Command Services & Support (CMDSS), a Virginia-based IT firm.
In 2024, CMDSS was awarded a contract to assist the Marshals Service with managing seized and forfeited crypto assets.
Daghita’s access to private crypto addresses through his father’s position at CMDSS reportedly facilitated the theft. However, the specifics remain unclear.
In his original investigation, ZachXBT reportedly traced at least $23 million to a single wallet linked to Daghita. In turn, this wallet was allegedly tied to over $90 million in suspected thefts from the US government and other unidentified victims spanning 2024 and late 2025.
Daghita’s alleged theft represents one of the most high-profile breaches of government-managed crypto assets in recent memory.
After the initial revelation, the CMDSS deactivated its website and all social media accounts.
A Small Firm With Major Federal Reach
CMDSS is not a minor player in government IT contracting. Over the years, the firm has maintained active contracts with the Department of Defense and the Department of Justice.
The incident raised concerns over how much sensitive information Daghita may have accessed before the scandal came to light. It also highlighted a recurring vulnerability in crypto custody, even within government frameworks.
According to ZachXBT, Daghita repeatedly provoked the investigator via his Telegram channel after the findings were published. The crypto sleuth also alleged that Daghita transferred small amounts of the stolen cryptocurrency to his publicly known wallet—a technique known as a dust attack.
In parallel, Bubblemaps unveiled that, two days after Daghita allegedly carried out the theft, he also created a meme coin called LICK on the Solana platform Pump.fun.
Findings showed that Daghita held 40% of the supply and that the token surpassed $1 million at one point.
