Recently, an internal theft case involving over $40 million in seized crypto assets has opened a rift between the on-chain world and traditional law enforcement systems. The accused is John Daghita, known online as “Lick”, who has been identified by multiple on-chain analysts as a key figure in transferring large sums of money from addresses seized by the U.S. government. His father's company, CMDSS, previously participated as a government contractor in managing these seized crypto assets, creating a sharp conflict of roles between "official partner" and "potential party involved." As more details emerge, a glaring question arises: why were assets held in government custody, considered the "safest" on-chain, targeted first by "people from their own camp"?
Group Chat Showoff Exposes: 40x Asset Discrepancy Sparks Suspicion
● A "showoff" display in a group chat became the catalyst for the entire incident. According to reports, John showcased a screenshot of his Exodus wallet in a chat group, with a balance far exceeding reasonable expectations of his financial situation. This almost boastful behavior seemed illogical to those familiar with his background, triggering the first wave of questioning about "where this money came from," and providing specific clues for subsequent on-chain tracking.
● Prior to this, there was a general impression of John's known wealth and income level within the community, but the sudden appearance of massive crypto assets in the screenshot created a "dramatic discrepancy of dozens of times" with his existing image. This discrepancy was not just a jump in wealth amount but also an anomaly in the time span—without any public disclosure of significant investments or successful entrepreneurial stories, the asset curve showed an unusually steep rise, making "abnormal sources of funds" almost the only explainable path.
● On-chain trackers began their investigation from this showoff behavior, comparing the wallet information and asset composition revealed in the screenshot with publicly available on-chain data. By tracing the historical flow records of suspected addresses, they tracked upstream, gradually outlining a funding migration path that highly overlapped with government-seized asset addresses. Thus, this "invisible theft," originally buried beneath block heights, began to manifest as a public event that could be narrated and questioned.
From Seized Addresses to Hacker Wallets: $90 Million On-Chain Suspicion
● Decentralized detective ZachXBT and other on-chain analysts pointed out in public investigations that some addresses associated with John intersect with over $90 million in stolen funds. This judgment is not baseless but rests on several kinds of on-chain evidence, including the sources of fund inflows, overlap with the transaction patterns of known stolen-fund addresses, and the way funds jump between multiple addresses, which shows typical characteristics of money laundering and evasion of tracking.
● Among the suspicious links involving over $90 million, some funds have been further identified as suspected abnormal outflows from U.S. government-seized assets. Public information indicates that at least one large transfer of about $24.9 million, along with a total exceeding $40 million, is suspected to have originally belonged to crypto assets seized and held by the government, yet quietly left the official control addresses without any formal disposal announcement, entering wallets associated with John, raising strong distrust in the custody chain.
● More symbolically, some of the assets suspected of being "re-stolen" trace back to crypto assets seized by the U.S. in the Bitfinex hacker case. At that time, these assets were seen as a "sample" of law enforcement successfully countering hacker attacks, symbolizing the state's ability to reclaim stolen on-chain value. However, on-chain data now shows they have again flowed from official addresses into suspicious wallets, indicating that this asset pool, originally regarded as a "safe sample," has itself become entangled in a new hacker narrative.
Father's Company Holds Contracts: Custodian Becomes Suspect
● The impact of the incident stems from the overlap of blockchain graphs and real-world contractual relationships. Reports show that John’s father's company, CMDSS, held a contract with the U.S. government, one of its tasks being to assist in managing seized crypto assets and their related infrastructure. This means that CMDSS had direct connections to the daily management of these seized assets in terms of technical architecture, system access, and operational processes, providing its employees or associated personnel with higher visibility and potential access than ordinary outsiders.
● From a narrative perspective, this is a typical "guardian becomes suspect" reversal structure. To compensate for internal technical and manpower deficiencies, the government outsourced the custody of blockchain assets and infrastructure operations to contractors, but in this delegation process, new systemic risks were introduced: contractors possess highly centralized access capabilities, and if internal personnel abuse their privileges or exploit information asymmetry, they could potentially transfer assets unnoticed for a long time, turning what was intended to enhance security into a breakthrough point for asset theft.
● After the incident was pushed into the public eye by on-chain investigators, CMDSS's X account, official website, and LinkedIn page were all deactivated or inaccessible. This chain reaction itself constitutes a strong "negative space narrative": in the absence of a detailed official explanation, the sudden collective blackout of the contractor's public channels lets the public feel more directly how heavily this incident weighs on the involved parties' reputation, business prospects, and relationship with the government.
Custody Trust Collapse: How the Government Lost in Permission Design
● This case exposes a long-underestimated reality: in the field of crypto assets, governments often rely on outsourcing contractors with specialized technical capabilities to manage seized assets and related infrastructure. However, this model has significant blind spots in governance and compliance—the legal framework remains rooted in traditional custody logic, while the programmability and instant transferability of on-chain assets require more detailed permission delineation, real-time monitoring, and stricter access audits. Otherwise, once a vulnerability appears in the contractor chain, losses will directly manifest as a decrease in on-chain balances.
● The information disclosed so far does not provide complete details on how John specifically obtained access to control the related assets, which means we cannot and should not speculate on the technical pathways of the crime. However, from an institutional perspective, potential structural risks can be seen: internal personnel who leverage their access to information and operating systems, or their understanding of processes, are more likely to initiate covert thefts in the absence of high-frequency audits and multiple checks and balances. Compared with traditional external hacker attacks, this "internal permission risk" is harder to warn against in advance and harder to detect while it is happening.
● If we compare the current custody model of seized assets with the custody systems in traditional financial systems, clear differences emerge. Traditional custody typically relies on multi-layered regulation, clearing reconciliation, third-party audits, and strict functional separation, while on-chain assets, despite having publicly transparent ledgers, often lack matching multi-signature structure design, real-time on-chain audits, and third-party monitoring nodes as institutional devices. The result is: when assets move, everyone can see it afterward, but before they move, there is a lack of sufficient warning and approval processes, and auditing and risk control mechanisms exhibit fatal delays in the time dimension.
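A detective control of the kind this section calls for, as an added example that is not part of the original article: it reconciles every outflow from custody addresses against a register of approved disposal orders and flags transfers with no order, too few approvers, or approvers drawn from a single organisation. All addresses, names, amounts and the two-approver quorum are constructed assumptions.

```python
from dataclasses import dataclass, field

# All addresses, ids, names and amounts below are constructed sample data.
CUSTODY = {"custody-addr-1", "custody-addr-2"}

@dataclass
class DisposalOrder:
    order_id: str
    dest: str
    amount: int                                    # smallest unit, no float rounding
    approvers: dict = field(default_factory=dict)  # person -> organisation
    used: bool = False

def audit_outflows(transfers, orders, quorum=2):
    """Return (txid, reason) for each custody outflow lacking a valid order."""
    alerts = []
    for tx in transfers:
        if tx["src"] not in CUSTODY:
            continue                     # only outflows from custody are in scope
        order = next((o for o in orders
                      if not o.used and o.dest == tx["dst"]
                      and o.amount == tx["amount"]), None)
        if order is None:
            alerts.append((tx["txid"], "no matching disposal order"))
            continue
        order.used = True                # one order authorises exactly one transfer
        if len(order.approvers) < quorum:
            alerts.append((tx["txid"], "approvals below quorum"))
        elif len(set(order.approvers.values())) < 2:
            alerts.append((tx["txid"], "all approvers from one organisation"))
    return alerts

def sample_run():
    orders = [
        DisposalOrder("D-1", "auction-addr", 500, {"alice": "agency", "bob": "contractor"}),
        DisposalOrder("D-2", "exchange-addr", 300, {"carol": "contractor", "dave": "contractor"}),
        DisposalOrder("D-3", "victim-addr", 100, {"erin": "agency"}),
    ]
    transfers = [
        {"txid": "t1", "src": "custody-addr-1", "dst": "auction-addr", "amount": 500},
        {"txid": "t2", "src": "custody-addr-1", "dst": "exchange-addr", "amount": 300},
        {"txid": "t3", "src": "custody-addr-2", "dst": "victim-addr", "amount": 100},
        {"txid": "t4", "src": "custody-addr-2", "dst": "unknown-addr", "amount": 900},
        {"txid": "t5", "src": "custody-addr-1", "dst": "auction-addr", "amount": 500},  # reuse of D-1
        {"txid": "t6", "src": "other-addr", "dst": "custody-addr-1", "amount": 50},     # inflow
    ]
    return audit_outflows(transfers, orders)

if __name__ == "__main__":
    for alert in sample_run():
        print(alert)
```

This check only detects a transfer once it is on-chain; a multi-signature or threshold scheme is what enforces the same quorum before funds can move.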
Aftermath of the Bitfinex Case: The Symbol of Safe Samples Shattered
● Looking back at a longer timeline, the Bitfinex hacker case was one of the most iconic attacks in crypto history, and the subsequent assets seized and held by the U.S. should have symbolized a "reclaimed sovereign asset" in public narratives. For the market and ordinary users, these seized assets were seen as samples of hacker failure and the return of justice, meaning that once judicial red lines were crossed, even in a decentralized world, attackers would find it difficult to fully enjoy the spoils.
● However, in the recently exposed on-chain abnormal flows, some assets from the Bitfinex hacker case, already seized by the U.S. government, are suspected to have been stolen again, delivering a heavy blow to this symbolic meaning. Those funds originally regarded as "safe samples" have become the center of a new round of internal theft narratives, which not only undermines public confidence in the "safety of government-backed assets" but also makes the simple assumption that "seizure equals safety" precarious. The market is beginning to realize: even if assets have entered official addresses, it does not equate to absolute safety on a technical level.
● More alarmingly, the Bitfinex assets are just a highlighted case, behind which lies a broader landscape of seized assets. Various large-scale hacking cases, illegal fundraising, and money laundering cases often employ similar custody and outsourcing management models. If this incident exposes a structural institutional defect rather than an isolated accident, then other seized asset pools that adopt similar outsourcing models theoretically also face potential recurrence risks, which have yet to be clearly unearthed and linked on-chain.
Rewriting the Institutional Framework of Crypto Custody from This Internal Theft Incident
This theft of seized assets, triggered by "insiders," points directly to a long-ignored core issue: in the on-chain world, who exactly has the right to control, sign for, and move crypto assets that have already been judicially seized? When the government outsources technical execution to contractors, the gap that emerges between legal sovereignty and technical control is the institutional wound torn open by this incident. In the future, the U.S. and other jurisdictions will likely have to upgrade their systems in areas such as contractor admission and ongoing review, multi-signature and threshold signature custody structures, real-time public on-chain audits, and third-party monitoring, expanding "defense against external hackers" to "simultaneously defend against internal abuse of power." For every individual in the crypto world, this incident also provides a moment for calm reflection: in a system where all transfers are recorded in blocks, truly reliable trust cannot come solely from the word "official," nor from blind trust in technical intermediaries; it must rely on verifiable permission designs, traceable audit trails, and continuously supervised institutional constraints.



