Full Report
FBI and French GIGN swoop on Saint Martin, John Daghita in cuffs

The son of a government contractor was arrested in the Caribbean after allegedly stealing more than $46 million in seized cryptocurrency from the US Marshals Service, the FBI says.…
Analysis Summary
# Incident Report: Alleged $46M Seized Asset Theft by Government Contractor Affiliate
## Executive Summary
John Daghita (alias "Lick"), the son of a US government IT contractor, was arrested in Saint Martin following the alleged theft of over $46 million in seized cryptocurrency from the US Marshals Service (USMS). The incident involved the exploitation of mission-critical access held by Command Services & Support (CMDSS), a firm managing seized assets for the Department of Justice. The compromise was publicly exposed by a blockchain investigator after the suspect engaged in a public dispute over his wealth, leading to a joint FBI and French GIGN law enforcement operation.
## Incident Details
- **Discovery Date:** January 2026 (Public investigation by ZachXBT)
- **Incident Date:** October 2024 (Primary theft) – March 2026 (Arrest)
- **Affected Organization:** US Marshals Service (USMS)
- **Sector:** Government / Law Enforcement
- **Geography:** USA (Source); Saint Martin (Arrest location)
## Timeline of Events
### Initial Access
- **Date/Time:** Circa October 2024
- **Vector:** Exploitation of privileged access via a government contractor (CMDSS).
- **Details:** The suspect allegedly leveraged his relationship with Command Services & Support, which held a $4M mission-critical contract to manage seized assets for the USMS.
### Lateral Movement
- **Movement:** Unauthorized access to US government crypto-asset management systems or wallets associated with the Bitfinex 2016 seizure and other law enforcement actions.
### Data Exfiltration/Impact
- **Loss:** Over $46 million in cryptocurrency tokens were transferred from government-controlled wallets to private wallets controlled by the suspect.
### Detection & Response
- **January 2026:** Independent investigator ZachXBT published a probe linking Daghita to the stolen funds after Daghita bragged about his holdings in a public online spat.
- **January 2026:** USMS and the President’s Council of Advisors for Digital Assets announced formal investigations.
- **March 4, 2026:** FBI and French GIGN conducted a joint tactical operation in Saint Martin.
- **March 4, 2026:** John Daghita taken into custody; CMDSS web presence scrubbed.
## Attack Methodology
- **Initial Access:** Trusted Insider / Relationship-based access via a family-run government contracting firm.
- **Persistence:** Utilization of legitimate mission-critical IT infrastructure managed by CMDSS.
- **Privilege Escalation:** Exploitation of administrative rights intended for asset management.
- **Defense Evasion:** Use of multiple wallet addresses; scrubbed online presence (post-discovery).
- **Credential Access:** Likely misappropriation of administrative credentials or private keys managed by the contractor.
- **Discovery:** Identifying high-value government wallets containing seized Bitfinex and other criminal proceeds.
- **Lateral Movement:** Transfer of assets from government storage to personal infrastructure.
- **Exfiltration:** Blockchain transfers to private attacker-controlled wallets.
- **Impact:** Theft of $46M in federal assets.
## Impact Assessment
- **Financial:** Loss of $46,000,000+ in seized cryptocurrency.
- **Data Breach:** Compromised integrity of the USMS asset management system.
- **Operational:** Disruption of CMDSS operations and potential termination of mission-critical DOJ contracts.
- **Reputational:** Significant embarrassment for the DOJ/USMS regarding the oversight of third-party contractors and the security of seized digital assets.
## Indicators of Compromise
- **Network indicators:** hxxps[://]cmdss[.]com (Deactivated/Private)
- **File indicators:** Blockchain transaction logs linked to "Lick" alias wallets.
- **Behavioral indicators:** Unusual late-night transfers from government-controlled seizure wallets; public displays of unexplained wealth by contractor-affiliated individuals.
## Response Actions
- **Containment:** Removal of CMDSS’s access to government systems; deactivation of the company’s digital footprint.
- **Eradication:** Law enforcement seizure of the suspect's devices and potential recovery of remaining crypto assets.
- **Recovery:** FBI and GIGN joint operation to apprehend the suspect; ongoing forensic audit of USMS wallets.
## Lessons Learned
- **Third-Party Risk:** The incident highlights a critical failure in the vetting and monitoring of family members of contractors with access to high-value digital assets.
- **OPSEC Failures:** The suspect's public "wealth spat" served as the primary catalyst for detection, illustrating that insider threats often reveal themselves through behavioral changes or public vanity.
- **Need for Multi-Sig:** High-value government assets should require multi-signature authorization involving multiple independent agencies to prevent a single point of failure (the contractor).
## Recommendations
- **Strict Access Control:** Implement "Least Privilege" and "Zero Trust" architectures for all third-party contractors.
- **Multi-Party Authorization:** Mandate that no single individual or contractor can authorize the transfer of seized assets without secondary government verification.
- **Enhanced Vetting:** Extend background checks and financial monitoring to immediate family members of contractors handling liquid assets like cryptocurrency.
- **Continuous Monitoring:** Implement automated alerts for any movement within "cold" or "dormant" seizure wallets.
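As an added illustration of the last two recommendations (multi-party authorization and continuous monitoring of cold or dormant seizure wallets), together with the late-night-transfer behavioural indicator listed above, the following Python models a hypothetical custody policy. It is not part of this report or of any USMS system; the organisation names, wallet labels, amounts and timestamps are constructed.

```python
from collections import namedtuple
from datetime import datetime, timedelta
# Hypothetical custody policy, not the USMS's actual controls: a seized-asset transfer
# needs sign-off from two distinct government organisations; a contractor alone never suffices.
GOVERNMENT_ORGS = {"USMS", "DOJ"}
DORMANT_AFTER = timedelta(days=90)  # idle this long => treat the wallet as dormant

Approval = namedtuple("Approval", "signer org")
Transfer = namedtuple("Transfer", "tx_id wallet amount_usd at approvals")
WalletState = namedtuple("WalletState", "last_activity cold")  # cold = offline seizure wallet

def authorization_findings(t):
    """Who signed off: count distinct government organisations among the approvals."""
    gov_orgs = {a.org for a in t.approvals} & GOVERNMENT_ORGS
    if not gov_orgs:
        return ["contractor-only authorization"]
    if len(gov_orgs) < 2:
        return ["fewer than 2 independent government approvals"]
    return []

def monitoring_findings(t, state):
    """Behavioural alerts: movement from cold or dormant wallets, off-hours transfers."""
    findings = []
    if state.cold:
        findings.append("movement from cold seizure wallet")
    if t.at - state.last_activity > DORMANT_AFTER:
        findings.append("dormant wallet moved")
    if t.at.hour >= 22 or t.at.hour < 6:
        findings.append("off-hours transfer")
    return findings

def evaluate(transfers, wallets):
    """Return {tx_id: [findings]} for each transfer that trips policy or monitoring."""
    alerts = {}
    for t in transfers:
        found = authorization_findings(t) + monitoring_findings(t, wallets[t.wallet])
        if found:
            alerts[t.tx_id] = found
    return alerts

# Constructed sample data; wallet names, amounts and times are illustrative only.
WALLETS = {"seizure-A": WalletState(datetime(2024, 3, 1), True),
           "ops-B": WalletState(datetime(2024, 10, 10), False)}
TRANSFERS = [
    Transfer("tx-1", "seizure-A", 9_000_000, datetime(2024, 10, 12, 2, 30),
             (Approval("contractor-admin", "CMDSS"),)),
    Transfer("tx-2", "ops-B", 12_000, datetime(2024, 10, 14, 14, 0),
             (Approval("usms-officer", "USMS"), Approval("doj-afp", "DOJ"))),
]
```

Running `evaluate(TRANSFERS, WALLETS)` flags only `tx-1`, with all four findings, while the dual-agency, business-hours transfer from the active wallet passes clean.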