In March 2024 (Eastern Standard Time), news broke that the U.S. government had seized cryptocurrency asset addresses, and a case of "internal theft" emerged, quickly igniting discussion in the on-chain intelligence community. Suspect John Daghita (on-chain alias Lick) is accused of transferring over $40 million in cryptocurrency assets from wallets associated with the U.S. government, with the largest single theft amounting to approximately $24.9 million. More shockingly, multiple media outlets reported that his father is an executive at a contractor responsible for managing the U.S. Marshals Service's seized cryptocurrency assets, raising the question of whether government custody, which should be the safest link, has instead become a breeding ground for "privileged insiders." This theft case raises a sharp question: once cryptocurrency assets are seized and entrusted to the government and its contractors, who is truly safeguarding these assets, and who is supervising these supervisors?
$40 Million Black Hole: The Trust and Assets Stolen
● Timeline of Events and Key Fund Flows: In March 2024, a transaction deemed "iconic" by on-chain intelligence appeared—approximately $24.9 million in cryptocurrency assets was transferred out from an address related to U.S. government-seized assets. On-chain analysis further revealed that this was not an isolated incident but part of multiple operations by the same suspected operator. Around this time, several abnormal transactions were tracked and marked, gradually piecing together a funding migration trajectory pointing to internal abuse of authority, allowing the "person" hidden behind the cold address to be concretely identified as a suspicious individual for the first time.
● Secret Connection to Bitfinex Hacker Case Seized Assets: Research briefs indicate that this approximately $24.9 million largest single theft originated from assets seized and managed by U.S. law enforcement agencies in the earlier Bitfinex hacker case. In other words, this is not ordinary collateral in judicial procedures but hacker proceeds that have undergone multinational tracking and difficult recovery, seen as part of a symbol of law enforcement victory. Now, this batch of assets, which once symbolized "justice reversal," has once again gone missing from the government wallet, ironically undermining the narrative that "the government is the ultimate security boundary."
● Single Source Claim of $90 Million Related Funds: On-chain analysis has provided preliminary estimates suggesting that activities around the related address may involve a total of over $90 million in stolen funds. However, this figure currently comes from a single source and lacks cross-verification from multiple parties, making it neither a precise statistic nor suitable for extending to specific case proportion breakdowns. Even understood as a "possible scale," this number is still sufficient to indicate that this is not just a few sporadic "opportunistic thefts," but rather a massive black hole accumulated under a long-term backdrop of loosened permissions.
● Breached Intuition of "Government Custody = Absolute Security": In the traditional financial world, once assets are seized by a court or law enforcement agency, they are often viewed as entering the "highest security vault." After cryptocurrency assets enter the judicial system, the public also habitually continues this intuition, believing that government custody wallets are almost unshakeable. This theft, allegedly initiated by an "insider," has marked the first time this trust has been explicitly priced on-chain: not only can money be stolen again, but it is highly likely to originate from the most powerful individuals within the system, which is psychologically more damaging than any external hacker attack.
Government Outsourced Custody: Where the Sense of Security Collapses
● Role of CMDSS and the U.S. Marshals Service's Commission Relationship: Research briefs show that CMDSS is a contractor company commissioned by the U.S. Marshals Service (USMS) to manage its seized cryptocurrency assets. On the surface, this is a routine operation of outsourcing professional technology to market entities: the government is responsible for judicial decisions and law enforcement, while specific high-level tasks such as private key custody, asset migration, and technical operations are entrusted to experienced third parties, thereby ostensibly improving efficiency and compliance. However, once the custody company itself becomes a source of risk, the entire outsourcing logic shifts from "collaborative division of labor" to "inviting wolves into the house."
● Outsourced Permissions and Structuring Arrangements Driven by Interests: In this model, the government does not personally hold every private key but outsources critical operational permissions—including address generation, asset aggregation, and transfer execution—to private contractors like CMDSS. The primary driving force for contractors is often profit and business expansion rather than maximizing public interest, and this inherent misalignment of incentives can solidify in daily process settings: to reduce costs and improve response speed, permissions tend to concentrate in the hands of a few "core technical personnel," making the boundaries of responsibility more ambiguous and leaving gray areas for potential insider actions.
● Systemic Risks of Permission Concentration and Lack of Transparent Audits: When a large number of seized assets are concentrated in a few service providers' controlled wallet clusters, and the external world knows nothing about their internal permission distribution, operational processes, and risk control reviews, systemic risks are already embedded. For on-chain observers, they can only see funds flowing between "official related addresses" but cannot discern whether this is routine adjustment, judicial disposal, or personal abuse of authority. The lack of real-time disclosure and independent audits means that any abnormal behavior may go unnoticed for a considerable time, until someone sees a "too large and strange" transfer on-chain and suddenly realizes that the vault has already been pried open.
● Signals of Official Website and Social Media Accounts Going Offline: Multiple media outlets reported that after the incident was exposed by on-chain analysts and media, CMDSS's official website and social media accounts were subsequently disabled or taken offline. This action may not necessarily equate to a "guilty confession" but could stem from multiple considerations such as legal risk control and public sentiment cooling. However, from an external perception, when a key contractor responsible for public custody chooses to "disappear from the internet" under pressure, it conveys more of a defensive and evasive posture rather than an open and transparent stance accepting scrutiny, further amplifying market doubts about its internal governance and compliance levels.
Father-Son Doubts: How the Privileged Channel Was Opened
● Public Identity Intersection of Suspect and His Father: Research briefs identify the suspect as John Daghita, on-chain alias Lick. Several Chinese cryptocurrency media outlets (such as Rhythm, Jinse Finance, and PAnews) have reported that his father is the CEO of CMDSS, a piece of information that has been repeatedly cited in public reports and has become key background for understanding the case. It is important to emphasize that we are only quoting existing media statements and cannot independently verify the roles and relationships inside the company, but in public discourse the narrative of "father as a custody company executive, son as a suspected hacker" has profoundly influenced the public's judgment of the nature of this case.
● Media Statements on "Managing U.S. Marshals Service Seized Cryptocurrency Assets": The aforementioned media generally use similar wording in their reports: "CMDSS is responsible for managing the cryptocurrency assets seized by the U.S. Marshals Service." This statement corroborates the background given in research briefs, "commissioned by the U.S. Marshals Service to manage seized assets," but should still be viewed as a media-level summary rather than a full disclosure of the official contract. In public opinion, the effect of this statement is very direct: CMDSS is no longer just an ordinary technical service provider but is seen as "the key lock managing the U.S. government's seized cryptocurrency assets," so that any violation or criminal act from within carries the symbolic implication of institutional failure.
● ZachXBT's Speculation and Unknown Specific Pathways: On-chain analyst ZachXBT speculated in public statements that suspect John Daghita may have gained some access to the related custody address or system through his father. However, research briefs clearly state that the specific method of obtaining permissions remains unclear; we cannot confirm whether it was through formal positions, informal assistance, or technical system vulnerabilities, nor can we deduce the specific path of the crime. In reality, around this blank space, conspiracy theories and excessive imagination are most likely to thrive, while what truly deserves attention is how the permission structure allowed all of this to "possibly" happen.
● Institutional Hazards of Family Relationships Combined with Highly Sensitive Permissions: Regardless of the final judicial classification, this incident exposes a long-underestimated issue: when the custody rights of seized assets worth billions are entrusted to private companies, are internal family relationships, superior-subordinate relationships, and equity relationships subjected to sufficiently strict "conflict of interest isolation" mechanisms? If access permissions for key positions can form a closed loop within family or acquaintance networks, then any moral decline in one link could expose the entire system to significant losses, while external regulators may remain completely unaware.
On-Chain Detective Tracking: Who is Watching the Government's Wallet
● How Abnormal Transfers Were Initially Identified: The early clues in this case did not come from proactive official disclosures but from the on-chain community's long-term monitoring of "government-related addresses." An unusually large and anomalous transfer appeared on-chain and was captured and marked by alert analysts. It was then cross-referenced with known government custody addresses and addresses related to the Bitfinex case, gradually piecing together a picture of "this money does not seem to have been meant to flow this way." Driven by public discussion and data collaboration, the suspicious address and the real identity behind it were gradually pinned down, working backwards from transaction hashes to real names.
● The Value and Limitations of On-Chain Transparency Against "Insider" Theft: This incident once again proves that on-chain transparency is one of the few technological tools capable of constraining those in power. Even if the person holding the private key attempts to quietly misappropriate assets internally, as long as the transaction occurs on a public chain, it permanently remains in everyone's ledger, leaving space for civil analysts to track. However, transparency does not equate to real-time visibility of the truth: on-chain only records "where the funds went" but does not record "who issued the instructions and whether it was compliant," making it difficult for ordinary observers lacking background information to identify many abnormal transfers at the time of the incident, which is also the fundamental reason why insider actions can exist with a time lag.
● How On-Chain Intelligence Forces Official and Contractor Responses: Once on-chain detectives publicly disclose suspicious patterns and associate them with the label of "government custody assets," public pressure will quickly transmit from the community to law enforcement agencies and contractors. Even if the official response is not complete in the short term, contractors will find it difficult to continue hiding the issues within internal processes. This bottom-up information exposure mechanism effectively fills the blind spots of traditional regulation: problems that only internal audits and regulatory agencies could see in the past may now be captured first by the on-chain community, forcing relevant parties to accelerate investigations, patch vulnerabilities, and adjust permission structures.
● The New Game of Civil On-Chain Detectives Participating in Government Asset Supervision: From a longer-term perspective, this incident marks the formation of a new type of game relationship: the cryptocurrency assets managed by the government and its contractors are no longer subject only to traditional administrative and judicial supervision but are also under the microscope of global on-chain analysts. This "distributed supervision" raises the cost of wrongdoing while also imposing higher information disclosure requirements on public institutions. If the official side continues to refuse clarification and provides neither regular reports nor verifiable address lists, on-chain public opinion may keep amplifying distrust amid the uncertainty, ultimately damaging not just a single company but the credit foundation of public authority as a whole in the cryptocurrency world.
The Risk of Trust Collapse Due to Regulatory Vacuum
● The Dilemma of "Who Supervises the Supervisors": When the U.S. Marshals Service entrusts seized cryptocurrency assets to organizations like CMDSS, the traditional regulatory chain often stops at contract and compliance reviews, rarely touching on the more fundamental issue of "whether the custodians themselves are being supervised in real-time." This case highlights precisely this weak link: when regulators choose to outsource, and the outsourcers hold actual control, while their internal actions lack independent third-party real-time verification, "the supervision of the supervisors" is almost in a vacuum. This is not only a technical issue but also a matter of responsibility boundaries—once assets are lost, who is responsible: the government, the contractor, or the ambiguous gray area between the two?
● The Harm of Lack of Unified Custody Standards and Real-Time Disclosure Mechanisms: Currently, there are very few unified, enforceable technical and procedural standards for the custody of government-seized cryptocurrency assets globally, and there is a significant lack of real-time disclosure mechanisms for the public: which addresses belong to seized assets, who manages them, under what circumstances transfers can occur, and how multi-signature structures are designed—this information is often treated as "internal data." In the traditional financial world, this opacity can barely rely on trust in institutional brands, but in the verifiable on-chain cryptocurrency world, once a counterexample occurs, a custody system lacking rules and disclosures can cause a psychological collapse of trust far greater than the amount of loss.
● The Necessity of a Combination of Technical and Institutional Defense Lines: From a professional perspective, relying solely on moral constraints or after-the-fact accountability is far from sufficient to reduce the probability of similar incidents. Technical and institutional tools such as multi-signatures, hardware isolation, permission layering, dual-operation reviews, regular third-party audits, and real-time on-chain monitoring should be used in combination rather than symbolically deployed one or two at a time. Especially where the assets in custody are judicially seized assets, potentially amounting to tens of millions or even hundreds of millions of dollars, concentrating key operational rights in a few individuals while lacking externally verifiable records and reports is itself a form of "playing with fire."
● Without Addressing Vulnerabilities, Government-Seized Assets Will Become "Prime Targets": If this case is treated merely as an individual crime without prompting a systematic reflection on the outsourced custody model, permission structure, and disclosure mechanisms, then new "prime targets" will only continue to accumulate. For hackers or insiders, government-custodied assets possess three highly attractive characteristics: large scale, high concentration, and an external assumption of safety leading to insufficient vigilance. Once they believe that internal risk controls are virtually non-existent and that the costs of detection and accountability are manageable, such seized assets will transform from "the highest security vault" into "the optimal target for risk and reward."
From Hacking Oddities to a New Order in Cryptocurrency Custody
This incident involving the theft of over $40 million in seized cryptocurrency assets has laid bare, on-chain, the structural and ethical risks hidden within the contractual arrangements between the government and its contractors: concentrated permissions, regulatory vacuums, family relationships, and distorted outsourcing incentives collectively form a fragile system through which tens of millions of dollars in assets could be pried loose. It reminds the market not to equate "government custody" simply with "absolute security," especially when key functions are entrusted to profit-oriented private institutions, as the lack of conflict-of-interest isolation and independent audits constitutes a systemic attack surface. Meanwhile, this case also proves the long-term value of on-chain transparency and social oversight: civil analysts are approaching the truth through public ledgers, forcing officials and contractors to respond and rectify, thereby forming a new mechanism of checks and balances on public power. Looking ahead, whether in the U.S. or other major jurisdictions, it will be difficult to continue the old practice of "black box custody" in the custody structure, permission management, information disclosure, and third-party audits of seized assets. Stricter multi-signatures and hardware isolation, clearer address whitelists and change rules, and more open on-chain reports and post-event audits may gradually be written into contracts or even legislation. Only when every asset operation by the government in the cryptocurrency world can be verified by society within a reasonable scope can a new custody order be truly established, and incidents like today's "hacking oddity" may have the opportunity to become a genuine watershed in history rather than a recurring prelude.



