editorially independent. We may make money when you click on links
to our partners.
Learn More
A suspect accused of stealing more than $46 million in cryptocurrency linked to assets managed by the U.S. Marshals Service (USMS) has been arrested in an international law enforcement operation.
The suspect, identified as John Daghita, was apprehended Wednesday on the Caribbean island of Saint Martin.
“Last night, John Daghita – a U.S. government contractor who allegedly stole more than $46 million in cryptocurrency from the U.S. Marshals Service – was arrested on the island of Saint Martin by the French Gendarmerie’s premier elite tactical unit in a joint operation with the FBI,” FBI Director Kash Patel said, according to BleepingComputer.
Blockchain Analysis Links Suspect to Government Wallets
According to blockchain investigators, the cryptocurrency appears to be linked to assets previously seized in federal investigations and held by the U.S. Marshals Service (USMS).
The U.S. Marshals Service manages and disposes of assets seized in criminal cases, including cryptocurrencies tied to cybercrime, fraud, and ransomware operations.
As part of these responsibilities, the agency increasingly oversees large quantities of seized digital assets that must be securely stored and eventually liquidated.
In this case, digital asset management reportedly involved support from Command Services & Support (CMDSS), a Virginia-based contractor assisting the U.S. Marshals Service with seized cryptocurrency since October 2024.
Blockchain Investigator Traces Suspicious Transactions
The case first gained public attention in January 2026, when independent blockchain investigator ZachXBT published a detailed analysis of suspicious cryptocurrency transactions linked to wallets associated with government-controlled assets.
Using blockchain forensics, the investigator reportedly traced about $23 million from wallets linked to U.S. Marshals Service holdings to addresses believed to be controlled by John Daghita.
Blockchain forensics allows investigators to analyze transactions recorded on public ledgers and follow the movement of funds across wallet addresses.
Even when individuals use multiple wallets or complex transactions to obscure ownership, analysts can often identify patterns linking addresses to suspicious activity.
Telegram Exchange Raises Further Suspicion
Additional evidence also emerged during an online dispute between Daghita and another actor in a private Telegram chat.
During the exchange, Daghita allegedly demonstrated the ability to move large amounts of cryptocurrency between wallets in real time.
That demonstration raised further suspicions that he had direct access to digital assets associated with government-controlled cryptocurrency wallets.
Tracing Funds Back to the 2016 Bitfinex Hack
Subsequent blockchain tracing reportedly linked the wallets involved in those transactions to cryptocurrency originally seized from the 2016 Bitfinex hack, one of the largest cryptocurrency thefts in history.
During that incident, attackers stole roughly 120,000 bitcoin from the Hong Kong-based cryptocurrency exchange Bitfinex.
Portions of those funds were later recovered by law enforcement and held as seized assets as part of ongoing investigations.
After the investigator reported his findings to authorities, Daghita allegedly responded by sending small amounts of cryptocurrency to ZachXBT’s publicly known wallet address via Telegram-linked activity.
This tactic — referred to as a “dust attack” — involves transferring tiny amounts of cryptocurrency to another wallet, often as a way to provoke a response, track activity, or publicly signal control over funds.
These events drew broader attention to the case and prompted law enforcement to expand the investigation into the alleged theft of government-managed cryptocurrency.
How to Secure Crypto Assets
Organizations managing government or enterprise cryptocurrency holdings should implement strong security controls to prevent theft, misuse, or unauthorized transfers.
Effective protection requires layered safeguards, including access controls and continuous monitoring of wallet activity.
- Enforce strict privileged access management with role-based access controls, MFA, and regular access reviews to limit who can manage wallets, private keys, or digital asset systems.
- Use hardware security modules, secure custody platforms, and cold storage to protect private keys and prevent unauthorized access.
- Implement multi-signature wallets and transaction approval workflows that require multiple authorized parties before funds can be transferred.
- Monitor cryptocurrency wallets and transactions continuously using blockchain analytics and anomaly detection tools to identify suspicious transfers or connections to illicit addresses.
- Maintain detailed, tamper-resistant logging and immutable audit trails for wallet activity, administrative access, and transaction approvals.
- Apply segregation of duties and strong governance policies to separate responsibilities for key management, transaction approval, auditing, and operational oversight.
- Regularly test incident response plans and build playbooks around insider threat and crypto theft scenarios.
Collectively, these measures help reduce the potential blast radius of unauthorized transactions while strengthening resilience in systems that manage high-value digital assets.
Challenges of Managing Seized Cryptocurrency Assets
The arrest highlights ongoing challenges for governments and organizations as cryptocurrency becomes more common in cybercrime investigations.
Law enforcement agencies are increasingly responsible for managing large amounts of seized digital assets.
Unlike traditional financial holdings, cryptocurrencies require specialized security controls such as secure key management, blockchain monitoring, and hardened wallet infrastructure.
These challenges are leading organizations to adopt zero trust solutions that help enforce strict identity verification and continuous access controls.
