Cybercriminal Flaunts $23M Tied to U.S. Government Theft

 Threat actor John Lick, having boasted of having 23 million dollars in wallets on record, lost his cover. The uncovered addresses are associated with more than $90 million in suspected stolen funds belonging to U.S. government accounts and other victims, as caught in a live confrontation.

A cryptocurrency threat actor’s ego may have sealed his fate. John “Lick” publicly displayed $23 million in digital assets. The funds trace directly to suspected government thefts exceeding $90 million.

According to blockchain investigator ZachXBT on X, the exposure occurred during an online confrontation. John engaged in a heated dispute with another threat actor, Dritan Kapplani Jr. The argument centered on who possessed more cryptocurrency wealth.

Source: zachxbt 

The Band for Band Challenge Gone Wrong

ZachXBT detailed the incident in a thread on X. The confrontation happened in a group chat. Both parties agreed to prove their wealth through wallet screenshots.

The exchange was fully recorded. John screenshared his Exodus Wallet during the dispute. The wallet displayed a Tron address holding $2.3 million initially.

As tensions escalated, John moved additional funds. He transferred $6.7 million worth of ETH into another wallet. The total eventually reached approximately $23 million across connected addresses.

ZachXBT confirmed John controlled multiple wallet addresses. The recordings captured clear proof of ownership. John specifically confirmed controlling address 0x8924 during the exchange.

Tracing Stolen Government Funds

The flow of money was retraced by the blockchain investigator. In November 2025, address 0xc7a2 deposited 1,066 WETH in a single wallet. The same address had previously been funded by a U.S. Government address in March 2024 at 24.9 million.

On X, ZachXBT wrote that the funding was the Bitfinex hack. He initially stated about this theft in October 2024. Even today, $18.5million remains on the linked address.

The main wallet is associated with over $63million in suspicious inflows. These transfers were made in Q42025, and they are based on the addresses of suspected victims. Several big transactions were transferred over the connected network.

Two addresses sent out 13.5m and 15.4m, respectively, in December 2025 alone. In November, there were further transfers of up to 4 million dollars through different sources.

Footprints and Fingerprints.

ZachXBT pointed out that John has a history with Telegram. The malicious individual often promoted his wealth on the internet. His Telegram ID is 8269661864.

On X, ZachXBT posted that John got another 4.17K worth 12.4 million dollars of Eth at the MEXC exchange. The money was immediately added to the open wallet address.

Telegram channels spread rumours about who John is. According to sources, he might be John Daghitia. In September of 2025, authorities arrested a person by that name.

ZachXBT admitted that it should be confirmed by further research. The researcher stressed that the digital evidence is distinct.

You might also like: Nasdaq Files Request With SEC to Lift Options Limits on Crypto ETFs

Immediate Aftermath and Cover-Up Attempts

John reacted swiftly after ZachXBT’s thread went public. He removed all NFT usernames from his Telegram account. His screenname changed immediately following the exposure.

As ZachXBT updated on X, John sent dust transactions to his public address. The transaction originated from one of the theft addresses. This appeared as an attempt at retaliation or distraction.

ZachXBT concluded that threat actors continue making critical mistakes. They publicly display stolen funds despite obvious risks. John was “ragebaited” into proving ownership of compromised wallets.

The recordings provide clear evidence for law enforcement. The proof of ownership makes future prosecution significantly easier. The case demonstrates how ego undermines operational security in cybercrime.