A Wallet Flex Turned Into an On-Chain Trail: ZachXBT Links ‘Lick’ to US Seizure-Related Funds

A leaked group chat recording captured a threat actor named “John” screensharing wallet balances and moving millions in crypto, according to findings shared by ZachXBT.

The prominent on-chain investigator said John, also known as “Lick,” was caught showing off approximately $23 million in crypto during a heated argument with another threat actor in a chat group.

“Band for Band” Gone Wrong

The dispute reportedly turned into what cybercrime circles call a “band for band,” where people try to prove who has more money by showing wallet balances and moving funds in real time. ZachXBT said the recording shows John controlling multiple wallets and moving large amounts of crypto while the interaction was being captured.

After reviewing the footage, the investigator said he traced the funds and linked the wallets shown in the recording to more than $90 million in suspected thefts.

ZachXBT said he then traced the funds backward and reported that one of the wallets in the chain received 1,066 WETH on November 20, 2025. He further claimed the funds could be traced back to a wallet that received $24.9 million from a US government address in March 2024, which he said was connected to the Bitfinex hack seizure, a theft from the US government that he had previously reported in October 2024.

He also said the wallet shown in the recording was tied to over $63 million in inflows from suspected victims and government seizure addresses in Q4 2025, listing several large incoming transfers in November and December 2025. The on-chain sleuth added that another 4.17K ETH worth about $12.4 million was received from MEXC and flowed into the same wallet.

USMS Crypto Asset Contract and a Family Tie

ZachXBT said that John had an extensive history of boasting about his net worth on Telegram and shared the account identifier tied to those messages. He also pointed to rumors circulating in cybercrime Telegram channels, which revealed John could be John Daghitia, who was previously arrested in September 2025, but acknowledged that more research would be needed to fully confirm the identity.

Additionally, the investigator raised questions about how John may have gained access in the first place, while stating that John’s father owns CMDSS, a company with an active government IT contract in Virginia. ZachXBT said the firm was awarded a contract to assist the US Marshals Service in managing and disposing of seized and forfeited crypto assets, but added that it remains unclear how John may have obtained access through his father.

After ZachXBT published the thread, he said John quickly changed details on his Telegram profile, including removing NFT-related usernames and updating his screen name. ZachXBT also reported that his own public ENS address was later “dusted” from one of the wallets linked to the suspected thefts.

The post A Wallet Flex Turned Into an On-Chain Trail: ZachXBT Links ‘Lick’ to US Seizure-Related Funds appeared first on CryptoPotato.