Security of US Government’s $28B Bitcoin Reserve Threatened After Weekend Theft Reveals Critical Flaw


TL;DR

  • An alleged $40M theft from US seizure wallets exposes critical vulnerabilities in government crypto custody.
  • The breach is linked to a contractor, highlighting risks in fragmented, multi-agency management.
  • The incident undermines the credibility of the US plan to build a “digital Fort Knox” Bitcoin reserve.

The US government has been attempting to execute a historic pivot with its Bitcoin holdings for nearly a year, shifting from a messy, case-by-case inventory of seized crypto into a strategic national reserve.

The ambition, often framed as a “digital Fort Knox,” now faces a credibility test after allegations that approximately $40 million in cryptocurrency was siphoned from government-linked seizure wallets.

Even if the reported loss appears small relative to the roughly $28 billion in Bitcoin the US is widely believed to control, the episode cuts at the core premise of the new posture. It raises serious doubts about whether Washington can manage a sovereign-scale Bitcoin balance sheet with reserve-grade security and auditable controls.

Over the weekend, blockchain investigator ZachXBT alleged that more than $40 million in crypto was stolen from US government-linked seizure wallets. ZachXBT linked the alleged theft to John Daghita, popularly known as Licks, who he said maintains family ties to the executive leadership of Command Services & Support (CMDSS), a private firm contracted to support US Marshals Service (USMS) crypto seizure operations.

Corporate filings indicate that Dean Daghita serves as president of CMDSS. The firm is based in Haymarket, Virginia, and is contracted by the USMS to manage and dispose of specific categories of seized cryptocurrency.

Insider Breach Exposes Vulnerability in Government Custody

ZachXBT indicated he was able to connect John Daghita to the alleged theft after what he described as a “band-for-band” argument on Telegram, a dispute in which two individuals attempted to prove their wealth by comparing wallet balances. The dispute allegedly culminated in a persona identified as “Lick” screen-sharing an Exodus wallet and moving large sums in real time.

The screen-shared activity provided a trail ZachXBT said he used to trace a cluster of addresses linked to more than $90 million in suspected illicit flows. Of that sum, approximately $24.9 million moved from a US-controlled wallet in March 2024.

The scenario spotlights a vulnerability that has less to do with sophisticated protocol exploits and more with custody governance, contractor access, and human failure modes that tend to scale poorly when real money and real operational complexity collide.

Meanwhile, this is not the first time federal crypto custody operations have faced scrutiny. In October 2024, a wallet linked to the Bitfinex hack proceeds was drained of approximately $20 million, though the funds were largely recovered.

The operational reality for these assets is far more fragmented

Custody arrangements for seized crypto are a patchwork of agencies, legal statuses, and storage solutions. Funds can sit at different points in the forfeiture pipeline, and “US holdings” is not a single ledger entry but rather a complex operational system.

The variance matters because security in a multi-agency mesh depends on process discipline, consistent standards, and rapid migration of funds from temporary seizure wallets into long-term cold storage. A single custodian can be defended with fortress-like protocols, but a system involving multiple vendors and handoffs behaves differently.

The system depends on the consistency of controls across every node in the network, including the people and contractors who touch the process. The ambiguity around which agency holds which keys and when expands the attack surface. Oversight can slip in the gaps between organizations, between temporary wallets and long-term storage, and between policy ambition and day-to-day operational reality.

In this context, the reported $40 million loss is more significant than its size suggests, because it implies a process failure. The custody failure suggests unknown exposure elsewhere, especially if the weakness is rooted in vendor governance or insider access rather than a one-off technical exploit.

Contractors like CMDSS are central to understanding the risk profile because they sit where the government’s custody system becomes most complicated. A Government Accountability Office (GAO) decision from March 2025 confirmed that the USMS awarded CMDSS a contract to manage “Class 2-4 cryptocurrencies.”

The GAO document draws a distinction between asset classes that helps explain why contractors matter. Class 1 assets are generally liquid and can be readily supported by standard cold storage. Class 2-4 assets, by contrast, are described as “less popular” and require specialized handling, often involving bespoke software or hardware wallets.

The long tail of crypto custody covers not just Bitcoin and a handful of other liquid tokens but the messy inventory of assets that arrives through seizures. Managing these assets can require navigating different blockchains, unfamiliar signing flows, and complex liquidation requirements.

In practical terms, this creates a reliance on external expertise to manage the most challenging aspects of custody. Under this model, the government effectively outsources the messiest corner of crypto operations.

The GAO notes that contractors are strictly prohibited from using government assets for staking, borrowing, or investing. But contractual prohibitions are not physical controls. They cannot, on their own, prevent misuse of a private key if human controls are bypassed.

That is why the allegations, framed as contractor ecosystem risk and social engineering rather than protocol failure, carry weight beyond the specific theft claim. If the system’s resilience depends on discipline across every vendor and handoff, then the weakest node becomes the most attractive target.

Warnings about custody gaps are not new. A 2025 report highlighted that the USMS could not provide even a rough estimate of its BTC holdings and had previously relied on spreadsheets lacking adequate inventory controls. A 2022 Department of Justice Office of Inspector General audit explicitly warned that gaps like these could result in the loss of assets.


The stakes of these operational gaps have risen because US policy is shifting. The White House has moved to establish a Strategic Bitcoin Reserve and a separate Digital Asset Stockpile, with directives for the Treasury to administer custodial accounts where Bitcoin “shall not be sold.”

The policy change shifts the government’s role from a temporary custodian, historically associated with auctions and evidence disposal, to a long-term holder. However, the strategic reserve framing shifts the lens, as the central question becomes custody credibility.

If Bitcoin is to be treated as a reserve asset analogous to gold, the standard investors will implicitly demand is vault-grade security, clear custodianship, consistent controls, and auditable procedures.

The alleged $40 million theft draws attention back to whether the infrastructure supporting this ambition still resembles an ad hoc evidence workflow or is being scaled for long-term stewardship. A large, well-known government Bitcoin hoard could become a prime target for malicious actors seeking to exploit a porous system.
