Renowned on-chain researcher ZachXBT has identified a hacker known as John (Lick), who is reportedly involved in the large-scale theft of over $90 million from US government cryptocurrency wallets. A significant portion of these funds was transferred to the hacker’s accounts in 2024, and a number of suspicious transactions were recorded in November-December 2025.
This is reported by Finway
Details of the Investigation and the Hacker’s Operations
During a dispute with another cybercriminal, Dritan Kapplani Jr., John demonstrated access to several cryptocurrency wallets. In the so-called “wallet battle,” he showcased a TRON address with a balance of $2.3 million, as well as an Ethereum wallet to which an additional $6.7 million was soon transferred. The total amount of assets in these wallets was approximately $23 million.
It is known that one of the wallets received $24.9 million from an address belonging to the US government, which had previously been involved in the Bitfinex case. The hacker himself confirmed control over these addresses during the balance demonstration.
“On-chain researcher ZachXBT stated that he established a connection between hacker John (Lick) and several addresses linked to the theft of funds from US government wallets. According to the expert, this involves over $90 million that was transferred to these addresses in 2024, as well as a number of transfers in November-December 2025.”
Hacker’s Reaction and Possible Connection to Government Entities
According to the researcher’s observations, John actively boasted about his wealth, belittled other users in chats, and displayed screenshots of his wallet balances. Following the publication of the investigation, he quickly deleted NFT names from his Telegram profile and changed his nickname.
Moreover, after the publication, John sent a “dusting” transaction to ZachXBT’s address, likely attempting to demonstrate his presence. Rumors are circulating in the hacker community that John may be John Dagitia, who was arrested in September 2025; however, this information has not been confirmed at this time.
The researcher also reported that the father of the alleged hacker owns a company called CMDSS, which currently has an active government contract in Virginia. Specifically, CMDSS is responsible for supporting the US Marshals Service in overseeing and managing confiscated crypto assets. It remains unclear whether the hacker could have leveraged his father’s connections to gain access to government funds.
It is worth noting that, according to Chainalysis estimates, cryptocurrency scammers caused record losses of $17 billion in 2025 alone.
