The arrest of US government contractor John Daghita, known online as Lick, on suspicion of stealing more than $46 million in cryptocurrency from wallets controlled by the US Marshals Service (USMS) has become a textbook example of how dangerous an insider threat can be in digital asset operations. The arrest operation was conducted jointly by the FBI and the French Gendarmerie’s elite GIGN unit.
How a US Marshals Service Contractor Became a Suspect
According to law enforcement statements, Daghita was detained this week. During searches, investigators reportedly seized large amounts of $100 bills, multiple hard drives, and several hardware wallets that may have been used to store and move stolen cryptoassets.
Daghita is the son of Dean Daghita, president and CEO of Command Services & Support (CMDSS), a Virginia-based company. Since October 2024, CMDSS had been under contract with the US Marshals Service to provide custody and management of confiscated digital assets. This portfolio reportedly included part of the cryptocurrency seized in connection with the infamous 2016 Bitfinex exchange hack, in which nearly 120,000 BTC were stolen—one of the largest incidents in crypto history.
Contractors in this role often gain access to storage infrastructure, including private keys or systems that manage those keys. If access rights, segregation of duties, and independent oversight are not rigorously enforced, a privileged insider can quietly redirect funds without immediate detection.
Blockchain Analytics Uncovers the Alleged Theft Scheme
The alleged link between Daghita and the missing funds was first documented publicly by well-known blockchain investigator ZachXBT. In late January, he published a detailed on‑chain analysis tracing about $23 million in cryptocurrency transfers from wallets associated with the US Marshals Service to addresses he concluded were controlled by Daghita.
Public blockchains log every transaction in a permanent distributed ledger. With sufficient expertise, investigators can correlate wallet addresses, timestamps, transaction patterns, and behavioral fingerprints to link seemingly anonymous activity to real individuals or organizations.
According to ZachXBT, Daghita effectively de‑anonymized himself during a dispute in a private Telegram chat with another threat actor known as Dritan Kapplani Jr. Chat logs, which later became part of the analysis, show Daghita demonstrating in real time that he could move large sums between two wallets. Subsequent blockchain analysis linked those wallets to state‑controlled confiscated assets, including funds associated with the Bitfinex case.
Dust Attacks as a Tool of Harassment and Tracking
After ZachXBT shared his findings with authorities, Daghita allegedly tried to provoke and intimidate him via Telegram and a series of dust attacks on his public wallet. In a dust attack, an adversary sends very small amounts of cryptocurrency (“dust”) to a target address. These tiny transfers can be used to:
• Track future movements of the dust to map wallet relationships and attempt de‑anonymization, or
• Apply psychological pressure by signaling, “I know your addresses and I am using stolen funds.”
As ZachXBT later summarized: Daghita allegedly stole over $46 million in confiscated crypto by abusing access through CMDSS, then repeatedly taunted the investigator and dusted his public wallet using the same funds.
Insider Threat in Cryptocurrency and Digital Asset Management
The Daghita case illustrates a classic insider threat scenario: the attacker is already “inside the perimeter” with legitimate access to sensitive systems and cryptographic keys. According to the Verizon Data Breach Investigations Report, insiders—employees and contractors misusing or abusing privileges—consistently account for a significant portion of security incidents, often around one‑fifth of breaches in recent years.
In government agencies and large financial institutions, the risk is amplified. They manage high‑value digital assets across multiple departments and external service providers. Any weakness in access control, transaction monitoring, or audit processes can enable a trusted insider to siphon off tens of millions of dollars before anomalies are noticed.
Key Cybersecurity Lessons for Organizations Holding Cryptoassets
For public and private organizations that manage cryptocurrency or other digital assets—especially confiscated or custodial funds—this incident provides several practical lessons:
1. Enforce least privilege and segregation of duties. Access to private keys, key‑management consoles, and transfer interfaces must follow the principle of least privilege. No single individual should be able to initiate and approve large transfers alone. Implement “four‑eyes” or even “six‑eyes” approval workflows for high‑value movements.
2. Use multi‑party key management. Technical controls such as multi‑signature (multi‑sig) wallets, hardware security modules (HSMs), and distributed key management significantly reduce the chance that one compromised insider can unilaterally move funds. Keys should be split across roles, devices, and locations.
3. Implement continuous on‑chain monitoring and independent audits. Automated blockchain analytics can flag unusual transaction sizes, new destination patterns, or activity outside approved schedules in near real time. Regular external audits of addresses and flows linked to confiscated assets help detect discrepancies before losses become catastrophic.
4. Apply strict security governance to contractors. Third‑party providers such as CMDSS must undergo rigorous technical and organizational due diligence: background checks for key staff, robust security policies, logging and monitoring controls, and clear incident investigation procedures. Contract clauses should mandate security standards and audit rights.
5. Prepare documented incident response playbooks. Organizations need predefined procedures to rapidly label suspect wallet addresses, notify major exchanges and stablecoin issuers, collaborate with law enforcement, and engage blockchain analytics firms. Speed is crucial to freezing or tracing stolen funds before they are fully laundered.
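The monitoring rules in lessons 1 and 3 (segregation of duties, size thresholds, unexpected destinations, activity outside approved schedules) and the inbound dust described in the Telegram section can be expressed as a small rule engine run over a custodian's own transfer records. The following Python script is an added example written for this article, not code from CMDSS, the US Marshals Service, or any analytics vendor. The transfer records, addresses, operator IDs, policy thresholds, and dates are all constructed placeholders; a real deployment would read records from the wallet or node API and tune the thresholds to its own policy.

```python
"""Rule-based transfer monitoring for a custodial crypto wallet (added example).

All records, addresses, operator IDs, thresholds, and timestamps below are
constructed for illustration; none refer to real wallets or policies.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class Transfer:
    txid: str
    direction: str          # "out" (wallet sends) or "in" (wallet receives)
    counterparty: str       # destination for "out", source for "in"
    amount_usd: float       # USD value at the time of transfer (chain-agnostic)
    timestamp: datetime     # timezone-aware UTC
    approvers: tuple[str, ...] = ()  # operator IDs who signed off on an "out"


# Assumed custody policy; values are placeholders, not any real organization's limits.
POLICY = {
    "large_transfer_usd": 1_000_000.0,   # above this, multi-approver sign-off is required
    "min_approvers_for_large": 2,        # "four-eyes" rule for large movements
    "approved_hours_utc": (9, 17),       # transfers expected only 09:00-16:59 UTC
    "daily_limit_usd": 3_000_000.0,      # max outbound volume in any trailing 24h
    "dust_threshold_usd": 1.00,          # inbound amounts at or below this are dust
    "destination_allowlist": {"addr-treasury-01", "addr-exchange-escrow-02"},
}


def evaluate(tx: Transfer, policy: dict) -> list[str]:
    """Apply per-transaction rules; returns the list of findings (empty if clean)."""
    findings: list[str] = []
    if tx.direction == "out":
        if (tx.amount_usd >= policy["large_transfer_usd"]
                and len(set(tx.approvers)) < policy["min_approvers_for_large"]):
            findings.append("large transfer below required approver count")
        if tx.counterparty not in policy["destination_allowlist"]:
            findings.append("destination not on allowlist")
        start, end = policy["approved_hours_utc"]
        if not start <= tx.timestamp.hour < end:
            findings.append("outside approved transfer window")
    elif tx.amount_usd <= policy["dust_threshold_usd"]:
        # Dust is flagged so operators quarantine it: spending it together with
        # other coins would let the sender link the wallet's addresses.
        findings.append("inbound dust: quarantine, do not co-spend")
    return findings


def scan(transfers: list[Transfer], policy: dict) -> dict[str, list[str]]:
    """Run per-transaction rules plus a trailing-24h outbound volume rule.

    The volume rule catches a series of individually compliant transfers that
    together exceed the daily limit, which a single-transaction check misses.
    """
    window = timedelta(hours=24)
    outbound = [t for t in transfers if t.direction == "out"]
    report: dict[str, list[str]] = {}
    for tx in transfers:
        findings = evaluate(tx, policy)
        if tx.direction == "out":
            volume = sum(o.amount_usd for o in outbound
                         if tx.timestamp - window < o.timestamp <= tx.timestamp)
            if volume > policy["daily_limit_usd"]:
                findings.append("24h outbound volume exceeds daily limit")
        if findings:
            report[tx.txid] = findings
    return report


# Constructed sample ledger: one clean transfer, one that trips several rules,
# one inbound dust payment, and one compliant transfer caught by the volume rule.
SAMPLE_TRANSFERS = [
    Transfer("tx-0001", "out", "addr-treasury-01", 250_000.0,
             datetime(2025, 1, 15, 10, 30, tzinfo=UTC), ("ops-a", "ops-b")),
    Transfer("tx-0002", "out", "addr-unknown-77", 5_000_000.0,
             datetime(2025, 1, 18, 2, 15, tzinfo=UTC), ("ops-a",)),
    Transfer("tx-0003", "in", "addr-unknown-77", 0.40,
             datetime(2025, 1, 18, 3, 0, tzinfo=UTC)),
    Transfer("tx-0004", "out", "addr-exchange-escrow-02", 2_000_000.0,
             datetime(2025, 1, 18, 11, 0, tzinfo=UTC), ("ops-a", "ops-b")),
]


if __name__ == "__main__":
    for txid, findings in scan(SAMPLE_TRANSFERS, POLICY).items():
        print(txid)
        for f in findings:
            print("  -", f)
```

Each rule maps to a control named in the article: the approver count enforces segregation of duties, the allowlist and time window catch new destination patterns and off-schedule activity, the trailing-volume check catches slow siphoning split into compliant-looking pieces, and the dust rule quarantines small inbound payments so they are never spent alongside the wallet's other coins. In practice these findings would feed an alerting pipeline rather than stdout, and the policy would be reviewed by an independent audit function rather than the team that operates the wallet.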
The alleged $46 million theft linked to a US Marshals contractor underscores that even agencies with formally strong security frameworks remain exposed to well‑placed insiders. Any organization holding cryptocurrency—whether a government body, exchange, bank, or custodian—should treat this case as a prompt to review access management, key‑storage architecture, and on‑chain monitoring strategies. Strengthening these controls now reduces the likelihood that the next major crypto theft will come not from an external hacker, but from someone already trusted with the keys.