Government Vault Theft: Contractor Illegally Transfers Over $40 Million in Crypto

CN
3 hours ago

In January 2026, an "on-chain vault" belonging to the U.S. government's asset seizure system was looted by its own contractor. Hacker John Daghita (online alias Lick), operating through CMDSS, a company he co-controls with his father, exploited the custodial permissions granted under government contracts to transfer over $40 million in cryptocurrency out of the U.S. government's seized-asset addresses, the largest single transaction being approximately $24.9 million. More unsettling for the market, on-chain tracking has linked the related addresses to over $90 million in stolen funds, although that figure so far rests on a single source. When what should have been the safest government custodial vault turned into an "insider" hunting ground, the basic trust underpinning cryptocurrency custody took a sharp hit.

From Government Vault to Theft Scene: How CMDSS Got the Keys

● Overlap of company and person: Public information shows that CMDSS is in fact controlled by John Daghita and his father, yet it became an external partner of the U.S. Marshals Service responsible for managing and disposing of "seized cryptocurrency assets." That role carried legal permission to access, organize and even transfer seized assets, so an ordinary security review would readily treat it as a "trusted third party," which laid the groundwork for the subsequent abuse of that identity.

● Invisible permissions in the custody process: Under standard procedure, after U.S. law enforcement seizes on-chain assets, the funds are moved from the addresses involved in the case to a custodial address managed by the contractor, with CMDSS responsible for day-to-day custody, consolidated management and final disposal. That transfer means private keys or signing authority are effectively "outsourced" along the operational chain: as long as CMDSS holds sufficient signing authority, it is technically able to move the assets out again, and the risk shifts silently from the judicial authorities to the outsourced vault.

● Bitfinex assets become primary targets: Among the assets under custody, tokens recovered and seized in the Bitfinex hacker case became the key targets. What should have been a government vault representing the "recovery results" of that hack was, through the insider risk at CMDSS, repackaged into Lick's private hunting ground. In effect the same money, reclaimed from the hacker by the police, was laundered a second time through the government outsourcing chain, a stark contrast that has made victims and industry sentiment particularly sensitive.

A Single Transfer of $24.9 Million: A Huge Scar Left on the Blockchain

● Key large transfer paths: On-chain data shows that during January 2026, addresses previously labelled as related to U.S. government seizures or custody made multiple large transfers to new addresses, the largest approximately $24.9 million, flowing directly from the custodial address to an address cluster controlled by Lick. These transfers did not take place through judicial auctions or official announcements as would be expected, but were concentrated at unannounced times, leaving an abrupt trajectory on the on-chain timeline.

● Warning from the $90 million in associated funds: On-chain analysis has suggested that the flow of funds around this batch of addresses is associated with over $90 million in stolen funds, but that claim currently comes from a single source. This cuts two ways: the funds involved may far exceed the confirmed $40 million, yet without independent verification from multiple parties the figure should be treated cautiously and cannot simply be equated with "total confirmed losses." It is, however, enough to indicate the potential scale of the problem.

● Why abnormal transfers are hard to complete "quietly": In a transparent on-chain environment, the sudden appearance of transfers exceeding ten million dollars from addresses labelled "government seized," or from addresses that have long been dormant, is itself a key alert scenario for on-chain analysis tools and community monitoring. Once funds enter mixing, cross-chain, or high-frequency splitting paths, they are even more likely to be flagged by on-chain intelligence teams as a "suspicious escape." That is why the transfers in this case were quickly picked up by the community and the media, escalating rapidly from "on-chain anomaly" to a public incident of "theft from the government vault."
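The three detection triggers described above (a large outflow from a labelled address, a long-dormant address suddenly moving funds, and rapid splitting at the receiving address) are simple enough to encode directly. The following is an added example written for this article, not tooling from any on-chain analytics firm; every address, amount and timestamp in it is constructed for illustration and none is taken from the actual case.

```python
"""
Added example (not from the article): a minimal on-chain watchlist monitor.

It flags (1) any outflow above a USD threshold from an address an analyst has
labelled as government custody/seizure, (2) any large outflow from an address
that has been dormant for a long time, and (3) rapid fan-out (splitting) from
the address that received flagged funds. All addresses, amounts and timestamps
are constructed for illustration; nothing is taken from the actual case.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Tx:
    ts: datetime
    src: str
    dst: str
    usd: float


# Constructed watchlist: address -> analyst label (hypothetical addresses).
WATCHLIST = {
    "bc1qgov_custody_01": "government-custody",
    "bc1qgov_seized_02": "government-seized",
}

LARGE_USD = 1_000_000.0          # single-transfer alert threshold
DORMANT_AFTER = timedelta(days=180)
FANOUT_WINDOW = timedelta(hours=6)
FANOUT_MIN_OUTPUTS = 5


def analyze(txs):
    """Return a list of (rule, detail) alerts for a list of Tx, oldest first."""
    txs = sorted(txs, key=lambda t: t.ts)
    last_activity = {}        # address -> last time it sent or received
    tracked_outflows = {}     # address that received flagged funds -> its outflow times
    alerts = []
    for tx in txs:
        # Rule 1: large outflow from a labelled address.
        if tx.src in WATCHLIST and tx.usd >= LARGE_USD:
            alerts.append(("large_outflow_from_watchlist",
                           f"{tx.src} ({WATCHLIST[tx.src]}) -> {tx.dst} ${tx.usd:,.0f}"))
            tracked_outflows.setdefault(tx.dst, [])
        # Rule 2: large outflow from an address that has been idle a long time.
        prev = last_activity.get(tx.src)
        if prev is not None and tx.ts - prev >= DORMANT_AFTER and tx.usd >= LARGE_USD:
            alerts.append(("dormant_address_woke_up",
                           f"{tx.src} idle {(tx.ts - prev).days}d then sent ${tx.usd:,.0f}"))
        last_activity[tx.src] = tx.ts
        last_activity[tx.dst] = tx.ts
        # Rule 3: the recipient of flagged funds splits them quickly.
        if tx.src in tracked_outflows:
            tracked_outflows[tx.src].append(tx.ts)
            recent = [t for t in tracked_outflows[tx.src] if tx.ts - t <= FANOUT_WINDOW]
            if len(recent) == FANOUT_MIN_OUTPUTS:   # fire once, on the Nth output
                alerts.append(("rapid_fanout",
                               f"{tx.src} split funds into {len(recent)} outputs within {FANOUT_WINDOW}"))
    return alerts


# Constructed sample: a long-idle address, a custody outflow, then a fan-out.
SAMPLE = [
    Tx(datetime(2025, 1, 1), "bc1qexchange_hot", "bc1qdormant_03", 5_000_000.0),
    Tx(datetime(2026, 1, 10, 2, 0), "bc1qgov_custody_01", "bc1qcluster_a", 24_900_000.0),
    Tx(datetime(2026, 1, 10, 2, 30), "bc1qdormant_03", "bc1qcluster_b", 5_000_000.0),
] + [
    Tx(datetime(2026, 1, 10, 3, 10 * i), "bc1qcluster_a", f"bc1qsplit_{i}", 4_980_000.0)
    for i in range(5)
]


def run_sample():
    return analyze(SAMPLE)


if __name__ == "__main__":
    for rule, detail in run_sample():
        print(f"[{rule}] {detail}")
```

Real deployments would source labels from an address-attribution database and price transfers from a market feed rather than a hard-coded USD field; the rule logic is the part that carries over.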

Hacker's Show-off Backfires: From Anonymous Lick to John Daghita

● Show-off contest ignites trouble: According to multiple reports, the trigger for the exposure was not a traditional law-enforcement investigation but a "show-off contest" within the hacker community. Lick publicly flaunted screenshots of large on-chain holdings he controlled on social media, showing transaction records and profit curves to prove his strength in front of peers. This kind of vanity, common among high-risk groups, turned funds that could have stayed hidden behind mixing and hopping into a public intelligence sample.

● The dual puzzle of on-chain and social: As Lick kept posting transaction snippets, the timestamps, counterparties and asset sizes of the on-chain addresses were matched one by one by enthusiastic netizens and on-chain analysis teams. As more and more on-chain footprints lined up with his social accounts, the community gradually identified the mysterious "Lick" as the real-world John Daghita, and his ownership and management ties to CMDSS were uncovered as well, so that "hacker" and "government contractor" finally overlapped in the same person.

● Online boasting and offline collapse: Once his identity had been pieced together, public opinion around CMDSS intensified rapidly. The company's official website and social media accounts were taken offline soon after the exposure, and related pages were hurriedly disabled in an attempt to cut visible ties with the public. This abrupt "disappearance from the internet" only reinforced outside perceptions of guilt and crisis; an invisible contractor was thrust into the spotlight overnight and became a negative example for the global crypto space.

The Black Hole of Outsourced Vaults: Regulatory Blind Spots Exposed

● The event seen as a systemic risk signal: As some media commented, "this exposes the systemic risks of government outsourcing of cryptocurrency asset management." The market broadly views the case as going well beyond individual crime or a single contractor's negligence, and it raises the question: when the government entrusts large on-chain holdings to third-party management, has it underestimated the technical threshold and the insider risk, betting public trust on an outsourcing model that lacks mature regulatory standards?

● Structural gaps in permissions and key management: From the custody-structure perspective, how the government delineates private key custody, multi-signature thresholds and day-to-day operational permissions when working with contractors is the key shortcoming this case exposes. If CMDSS held signing authority sufficient to initiate large transfers on its own, with no real-time auditing or multi-party confirmation, then the traditional mindset of "trusting the contractor" became, on-chain, the high-risk design of "handing the vault keys to a single person."

● Difficulty in preventing insider crimes: Unlike a typical external attack, the core of this case is an insider using legitimate access permissions to carry out on-chain transfers, a risk that has long existed in traditional finance but is amplified in the crypto context. On one hand, on-chain transfers complete instantly and are irreversible; on the other, many governments and traditional institutions still rely on "account passwords" and "position-based approvals" for risk control, which are badly misaligned with crypto-native measures such as multi-signature threshold control, programmatic auditing and real-time on-chain alerting.

Aftermath of Bitfinex and the Second Blow to Market Trust

● Old case, new wounds: The Bitfinex hack had already cast a long shadow over the market, and the assets later recovered and seized were seen as a symbol of "justice returning." Now that an insider has moved those funds again during the custody phase, victims and broader market sentiment have suffered a "second harm": from hacker to police to contractor, the assets cycle among different entities while the true legal owners remain on the sidelines.

● Government holds power but lacks native capability: The incident also shows that when a government controls vast on-chain assets but lacks sufficient crypto-native security capability, the risk posed by contractors and cooperating agencies is greatly magnified. Governments are often adept at judicial process and traditional compliance but may be unable to design secure private key custody structures or real-time monitoring systems, so they outsource the critical technical work to companies like CMDSS, producing a mismatch of power and responsibility in an asymmetric technical and supervisory landscape.

● Comparison and improvement directions for the custody industry: In stark contrast to this case, mature crypto custodians generally rely on multi-signature structures, separation of permissions and third-party audits to reduce single points of failure: splitting signing authority among multiple independent entities, imposing time delays and manual review on large transfers, and regularly bringing in external security audits and on-chain behavior analysis. Had the government's custody structure aligned with the industry in these directions, several of the structural vulnerabilities exposed by this case could have been significantly mitigated.
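To make concrete the "vault keys in a single person's hands" problem from the permissions discussion above and the mitigations listed here (threshold signing, role separation, a delay with manual review on large transfers), the following added example models a custody release policy. It is illustrative code written for this article and is not the government's, CMDSS's, or any custodian's real setup: the signer names, their roles, the HMAC secrets standing in for hardware-backed keys, and the amounts are all constructed.

```python
"""
Added example (not any real custodian's system): a toy custody release-policy
engine. Signers are modelled with per-signer HMAC secrets as a stand-in for the
hardware-backed keys a real custodian would use. The policy enforced is:
  * at least THRESHOLD valid signatures over the canonical transfer request,
  * at least one signer from the custodying agency (role separation), so a
    contractor can never release funds on its own,
  * transfers at or above LARGE_USD are held for LARGE_DELAY, the window in
    which a monitoring team can veto.
All identities, secrets and amounts are constructed for illustration.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta

SIGNERS = {  # constructed: signer id -> (role, secret)
    "contractor-ops": ("contractor", b"constructed-secret-1"),
    "contractor-ceo": ("contractor", b"constructed-secret-2"),
    "agency-forfeiture-unit": ("agency", b"constructed-secret-3"),
}
THRESHOLD = 2
LARGE_USD = 1_000_000.0
LARGE_DELAY = timedelta(hours=24)


def canonical(req: dict) -> bytes:
    """Deterministic encoding so every signer signs the same bytes."""
    return json.dumps(req, sort_keys=True, separators=(",", ":")).encode()


def sign(signer: str, req: dict) -> str:
    return hmac.new(SIGNERS[signer][1], canonical(req), hashlib.sha256).hexdigest()


def valid_approvers(req: dict, sigs: dict) -> set:
    """Signers whose signature verifies over exactly this request."""
    return {s for s, sig in sigs.items()
            if s in SIGNERS and hmac.compare_digest(sign(s, req), sig)}


def evaluate(req: dict, sigs: dict, now: datetime, vetoed: bool = False):
    """Return (decision, reason); decision is 'release', 'hold' or 'reject'."""
    approvers = valid_approvers(req, sigs)
    if len(approvers) < THRESHOLD:
        return "reject", f"{len(approvers)} valid signature(s), need {THRESHOLD}"
    if "agency" not in {SIGNERS[s][0] for s in approvers}:
        return "reject", "no agency signer: contractor alone cannot release"
    if req["usd"] >= LARGE_USD:
        if vetoed:
            return "reject", "vetoed during mandatory delay"
        release_at = datetime.fromisoformat(req["requested_at"]) + LARGE_DELAY
        if now < release_at:
            return "hold", f"large transfer; releasable after {release_at.isoformat()}"
    return "release", "policy satisfied"


def scenarios() -> dict:
    """Walk the policy through the failure mode and the intended path."""
    req = {"from": "bc1qgov_custody_01", "to": "bc1qauction_escrow",
           "usd": 24_900_000.0, "requested_at": "2026-01-10T02:00:00"}
    t0 = datetime.fromisoformat(req["requested_at"])
    contractor_pair = {s: sign(s, req) for s in ("contractor-ops", "contractor-ceo")}
    proper = {s: sign(s, req) for s in ("contractor-ops", "agency-forfeiture-unit")}
    tampered = dict(req, to="bc1qattacker_cluster")   # signatures no longer match
    return {
        "single_contractor_key": evaluate(req, {"contractor-ops": sign("contractor-ops", req)}, t0),
        "two_contractor_keys": evaluate(req, contractor_pair, t0),
        "proper_approvals_immediate": evaluate(req, proper, t0),
        "proper_approvals_vetoed": evaluate(req, proper, t0 + timedelta(hours=1), vetoed=True),
        "proper_approvals_after_delay": evaluate(req, proper, t0 + LARGE_DELAY),
        "tampered_request": evaluate(tampered, proper, t0 + LARGE_DELAY),
    }


if __name__ == "__main__":
    for name, (decision, reason) in scenarios().items():
        print(f"{name:30s} {decision:8s} {reason}")
```

The first two scenarios are the shape of the failure this article describes: one contractor key, or even two keys inside the same company, should never be enough. The tampered scenario shows why signatures must cover the canonical request, so that a destination or amount cannot be swapped after approval. In production the HMAC stand-ins would be replaced by on-chain multisig or hardware-backed threshold signing, and the hold/veto state would be logged to an audit system the contractor cannot edit.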

From the Tip of the Iceberg to the Next Incident: The Difficulty of Rebuilding Vault Trust

Whether the full amount involved has been exposed remains in dispute. Some voices argue that "the amount involved may be just the tip of the iceberg," referring not only to the $90 million in associated funds yet to be clarified but also to a broader warning: the real risk is not a single discovered theft but the hidden structural vulnerabilities in government and institutional vaults worldwide that have yet to surface. So far the U.S. government has not issued a public, systematic formal response to this case, and the specific technique used in the theft has not been disclosed. While that key information is missing, outside observers should keep watching and read subsequent disclosures cautiously.

Looking ahead, a division of labor, and competition, among governments, exchanges and professional custodians over the custody of large on-chain assets is unavoidable. The government needs to retain ultimate control over seizure and disposal but may have to delegate more of the technical execution to professional institutions with crypto-native capabilities; exchanges and custodians will seek a voice in contract design, sharing responsibility through multi-signature arrangements, layered permissions and mandatory audit clauses; and how regulators introduce "substantive security standards" beyond formal compliance will determine whether the next "vault incident" is headed off in advance or once again drags the whole industry into a long quagmire of rebuilding trust.


Disclaimer: This article represents only the author's personal views and not the position or views of this platform. It is provided for information sharing only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If an article or image published on this page infringes rights, please send the relevant proof of rights and proof of identity to support@aicoin.com and the platform's staff will verify it.
