ZachXBT alleges that John, also known as “Rick,” flaunted a wallet tied to the alleged theft of more than $90 million, including funds seized by the U.S. government.
According to research shared by ZachXBT, leaked group chat recordings captured a threat actor named “John” screen-sharing wallet balances and moving millions of dollars in cryptocurrencies.
John, also known as “Rick,” was arrested after he got into a heated argument with another attacker in a chat group and flaunted about $23 million in cryptocurrencies, according to a prominent on-chain investigator.
“Band-for-Band” Gone Wrong
The dispute reportedly turned into what cybercriminal circles call “band-for-band,” an attempt to prove who has more money by showing wallet balances and transferring funds in real time. According to ZachXBT, the recordings show John controlling multiple wallets and moving large amounts of cryptocurrency while the transactions are being captured.
After reviewing the footage, investigators said they traced the funds and linked the wallet seen on the recording to the alleged theft of more than $90 million.
ZachXBT said he traced the funds back and reported that one of the wallets received 1,066 WETH on November 20, 2025. He further claimed that the funds could be traced back to a wallet that received $24.9 million from a U.S. government address in March 2024. He said it was related to the Bitfinex hack seizure. He had previously reported a theft from the U.S. government in October 2024.
He also said the wallets in the recordings were tied to more than $63 million in flows from alleged victims and government-seized addresses in the fourth quarter of 2025, with several large transfers in November and December 2025. On-chain detectives added that an additional 417,000 ETH worth approximately $12.4 million was received from MEXC and flowed into the same wallet.
USMS Crypto Asset Contract and Family Ties
ZachXBT said John has an extensive history of bragging about his net worth on Telegram and shared the account identifier associated with those messages. He also pointed to rumors circulating on the cybercrime Telegram channel suggesting that John could be John Dagitia, who was previously arrested in September 2025, but acknowledged that further investigation is needed to fully confirm the identity.
Additionally, investigators questioned how John gained access in the first place, noting that John’s father owns CMDSS, a company with active government IT contracts in Virginia. ZachXBT said the company was awarded a contract to assist the U.S. Marshals Service in managing and disposing of seized and confiscated crypto assets, but added that it remains unclear how John obtained access through his father.
ZachXBT said that after he published the thread, John immediately changed details on his Telegram profile, including removing his NFT-related username and updating his screen name. ZachXBT also reported that his own public ENS address was later “dusted” from one of the wallets associated with the alleged theft.
