Introduction
A cybercriminal’s attempt to prove his wealth in a heated online argument has backfired spectacularly, providing on-chain investigator ZachXBT with a direct trail to over $90 million in suspected stolen cryptocurrency. The investigation, sparked by a leaked recording of a threat actor known as “John” or “Lick” flaunting $23 million, has uncovered alarming connections to funds seized by the U.S. government from the historic Bitfinex hack and raised serious questions about the security protocols of a federal contractor.
Key Points
- A hacker's boastful display of $23M in crypto during a Telegram argument enabled ZachXBT to trace wallets connected to $90M+ in suspected thefts.
- Funds were linked to a US government address from the Bitfinex hack seizure, with one wallet receiving 1,066 WETH in November 2025.
- The suspect's father owns a firm contracted by the US Marshals Service to manage seized crypto, prompting scrutiny over possible insider access.
The Boast That Broke the Case
The incident began in a private Telegram group, where a dispute between threat actors escalated into what is known in cybercrime circles as a “band for band”: a contest in which individuals attempt to prove who has more money by displaying wallet balances and moving funds in real time. According to ZachXBT’s findings, a user named “John” was captured in a leaked screenshare showing off approximately $23 million in cryptocurrency during such an argument.
ZachXBT, a prominent figure in cryptocurrency forensics, analyzed the recording. He identified the wallets John controlled and traced the movement of the large sums of crypto shown. This initial flex of digital wealth proved to be a critical mistake. By following the on-chain activity from those displayed wallets, ZachXBT was able to link them to a much larger web of transactions, ultimately connecting them to over $90 million in suspected thefts.
Tracing a Trail to Government-Seized Assets
The investigator’s backward trace of the funds revealed a deeply concerning pipeline. ZachXBT reported that one wallet in the chain received 1,066 WETH (Wrapped Ethereum) on November 20, 2025. Further analysis suggested these funds could be traced back to a wallet that had received $24.9 million from a U.S. government address in March 2024. ZachXBT linked this government address to the assets seized from the 2016 Bitfinex hack; in October 2024 he had previously reported on a theft from the U.S. government.
The connections grew stronger as the investigation continued. ZachXBT stated that the wallet shown in John’s recording was tied to over $63 million in inflows from suspected victims and government seizure addresses in the fourth quarter of 2025 alone, listing several large incoming transfers in November and December. Furthermore, another 4,170 ETH (Ethereum), worth approximately $12.4 million, was received from the cryptocurrency exchange MEXC and flowed into the same wallet, broadening the scope of the suspected illicit activity.
A Government Contractor and Familial Links
Perhaps the most startling dimension of the investigation involves the suspect’s potential identity and connections. ZachXBT pointed to rumors in cybercrime Telegram channels suggesting “John” could be John Daghitia, who was arrested in September 2025, though he noted more research was needed for full confirmation. The investigator also revealed that John had an extensive history of boasting about his net worth on Telegram.
More critically, ZachXBT raised questions about how John may have initially gained access to such significant funds. He reported that John’s father owns a company named CMDSS, which holds an active government IT contract in Virginia. This firm was awarded a contract to assist the U.S. Marshals Service (USMS) in managing and disposing of seized and forfeited cryptocurrency assets. While ZachXBT clarified it remains unclear how John may have obtained access through his father, the familial link to a company entrusted with safeguarding seized crypto immediately prompted scrutiny and concerns over potential insider threats or security failures.
Aftermath and Ongoing Scrutiny
The publication of ZachXBT’s detailed thread triggered an immediate reaction. The investigator reported that “John” swiftly changed details on his Telegram profile, removing NFT-related usernames and updating his screen name in an apparent attempt to obscure his digital footprint. In a retaliatory or signaling move, ZachXBT also noted that his own public Ethereum Name Service (ENS) address was later “dusted”—sent a negligible amount of cryptocurrency—from one of the wallets linked to the suspected thefts.
This case underscores the powerful role of public blockchain analysis in combating cryptocurrency crime. A criminal’s boast, immortalized on a recording, provided the essential starting point to unravel a complex financial trail. The alleged connection to funds from a major historical hack like Bitfinex’s, now under government control, and the involvement of a family-linked federal contractor, transforms this from a story of cybercrime bravado into a serious matter of institutional security and asset protection. It places the protocols of the U.S. Marshals Service and its contractors under a harsh, necessary spotlight.
