A recent leak from a group chat gives us new details about a hacker named John. People in the crypto world know him by the nickname Lick. In the leak, John is shown screen sharing his crypto wallets and moving large amounts of cryptocurrency. An on-chain investigator named ZachXBT shared what he found. On-chain means information saved on the public record of a blockchain, which is like a public ledger that everyone can see. Zachs says the video shows John with several wallets and moving big sums of crypto while the chat was being recorded.
The moment in the video is part of a larger story about how people who break into crypto often talk about money in real time. The term used by some in cybercrime circles for this kind of event is a “band for band.” In simple words, it means people try to prove who has more money by showing wallets and moving money right in front of others. ZachXBT says the recording captures John controlling multiple wallets and sending large amounts of crypto as the other person watches the live screen share.
After watching the footage, ZachXBT traced the movements of the funds. He connected the wallets shown in the chat to more than $90 million in suspected thefts. This means investigators believe those wallets have received money from crimes that involved taking crypto without permission or from other illegal activity. That is a big amount and doctors well for investigators to follow the money trail across many days and transactions.
In one part of the trace, ZachXBT says a wallet in this chain received 1,066 WETH on November 20, 2025. WETH is a special version of Ether that follows the rules of a common tool called ERC-20. The basic idea is that WETH is used to work smoothly with many kinds of DeFi services when normal Ether is not directly compatible. For people who want a short definition, see Wrapped Ether, which explains this idea in simple terms and connects to more detailed information here.
Another important part of ZachXBT’s claim is that this money can be traced back to a wallet that received $24.9 million from a United States government address in March 2024. He says this transfer is connected to a later government action called a seizure of assets that came after a big theft from Bitfinex, a well-known cryptocurrency exchange. The Bitfinex story is a long one in the crypto world, with many security and regulatory events. ZachXBT said he had previously reported this Bitfinex-related seizure in October 2024. For readers who want to learn more about Bitfinex itself, you can visit the Bitfinex page on Wikipedia here.
The investigation also points to a wallet in the same recording that saw more than $63 million flow in from people who were believed to be victims in these cases or from government seizure addresses in the fourth quarter of 2025. ZachXBT notes that large transfers happened in November and December 2025, suggesting a busy period where many funds moved together in this same wallet. In addition, the wallet is said to have received about 4.17 thousand ETH, which is roughly $12.4 million, from a crypto exchange called MEXC. This money then moved into the same wallet in the chain of activity described above.
The story also includes a potential personal link. ZachXBT says John often boasted about his wealth on the Telegram app and shared an account name connected to those messages. There are rumors in cybercrime Telegram channels that John might be John Daghitia, a person who was reportedly arrested in September 2025. ZachXBT says more work is needed to confirm the exact identity, and he cautions that rumors in online groups are not always true.
Beyond identity questions, the investigator asks how John may have gained access in the first place. He notes that John’s father owns a company named CMDSS. CMDSS has a government IT contract in Virginia. The company was hired to help the United States Marshals Service (USMS) manage and dispose of seized and forfeited crypto assets. In other words, the family business has a role in handling crypto assets that the government has taken away in criminal cases. This possible connection raises questions about how John could reach such sensitive information or tools. The USMS is a federal agency in the United States that helps enforce federal laws and handles asset seizures along with other duties. You can learn more about the USMS on its Wikipedia page here.
After ZachXBT posted his thread about these findings, John made changes to his online presence. He updated his Telegram profile, removing NFT-related usernames and changing his screen name. ZachXBT also reported that his own public ENS address was later removed from one of the wallets that were tied to the suspected thefts. ENS stands for Ethereum Name Service. It is a way to turn long crypto addresses into easy-to-remember names, like a contact name, and there is a simple explanation you can read about it at its Wikipedia page here.
What does all of this show? It gives a clear example of how people study and track money that moves on blockchains. A blockchain is a public record of all transactions. When someone moves crypto from one wallet to another, a record is left that investigators can examine. They can sometimes connect different wallets to one person or group, especially when someone in a crime group boasts about wealth or makes obvious moves in real time. The case also illustrates how lots of different pieces fit together: the tools used to manage digital assets, the kind of accounts people use on social media and messaging apps, and the sometimes complicated connections between private companies, government actions, and individuals. It also shows how difficult it can be to confirm a person’s identity in the online world. A person who is careful can blur who they really are, but investigators still try to build a careful, evidence-based story from many different facts. For readers, this means two simple ideas: first, on-chain data can be looked at publicly and can reveal how funds move; second, in complex cases like this, different people and institutions might be involved, and it can take time to untangle all the pieces.
Definitions. The following short explanations use simple language and point to Wikipedia pages if you want to read more.
- Ethereum — Ethereum is a decentralized blockchain with smart contract functionality. Ether (ETH) is its native cryptocurrency and the platform enables decentralized applications and DeFi; it transitioned from proof-of-work to proof-of-stake in 2022 (The Merge). https://en.wikipedia.org/wiki/Ethereum
- Wrapped Ether — Wrapped Ether (WETH) is an ERC-20 compatible representation of Ether on the Ethereum blockchain, enabling Ether to be exchanged with other ERC-20 tokens in DeFi protocols. https://en.wikipedia.org/wiki/Wrapped_Ether
- Ethereum Name Service — Ethereum Name Service (ENS) is a distributed, open naming system on Ethereum that maps human-readable names to Ethereum addresses and other resources. https://en.wikipedia.org/wiki/Ethereum_Name_Service
- United States Marshals Service — The United States Marshals Service (USMS) is a federal law enforcement agency within the U.S. Department of Justice that serves as the enforcement arm of the federal judiciary and handles fugitive operations, asset seizures, and protection of federal courts. https://en.wikipedia.org/wiki/United_States_Marshals_Service
- Bitfinex — Bitfinex is a cryptocurrency exchange founded in 2012, known for high-volume trading and a history of security breaches and regulatory actions; it is operated by iFinex Inc. https://en.wikipedia.org/wiki/Bitfinex
Note: This article summarizes claims made by ZachXBT and other researchers. The information may change as investigators learn more. Readers should understand that blockchain tracing is a complex field, and some connections between wallets or events may be disputed or require more evidence to confirm.