These holdings grew through criminal forfeiture, civil enforcement actions, and the formal creation of a Strategic Bitcoin Reserve in 2025. Executive Order 14233, published in the Federal Register, directs that specified forfeited bitcoin be held as a reserve asset rather than routinely liquidated.
The order assigns a central role to the Department of the Treasury while leaving the Department of Justice responsible for seizures and transfers in the near term.
Within this framework, the U.S. Marshals Service serves as the primary custodian for most Department of Justice seized cryptocurrency. The Marshals Service manages assets on behalf of the Asset Forfeiture Program, using the Consolidated Asset Tracking System to record seizures across asset classes.
For several years, however, the system did not contain the fields or workflows needed to handle digital assets, and the agency improvised instead of deploying purpose-built tools.
Executive Summary
- Federal agencies collectively hold about $22 billion in seized cryptocurrency, with Bitcoin as the largest component and the US Marshals Service acting as a central custodian.
- A 2022 DOJ inspector-general audit documented systemic gaps, including reliance on undocumented spreadsheets without edit histories and incomplete policies for forks and privacy coins.
- Procurement missteps and weak segregation of duties preceded an alleged $46 million insider theft at contractor CMDSS, detected externally rather than by government monitoring.
- Single-key control and opaque off-chain policy engines do not meet institutional standards for identity-linked permissions, multi-party approvals, and immutable audit trails.
- Longer-term retention under the Strategic Bitcoin Reserve heightens the need for identity-based access control, robust multisignature structures, and enforceable delegation boundaries.
A 2022 Audit Exposed Spreadsheet-Era Controls
In 2022, the Department of Justice Office of the Inspector General issued Audit Report 22-082 on the Marshals Service’s management of seized cryptocurrency. The audit found that as of June 2021 the Marshals Service oversaw nearly 200 cryptocurrency seizures worth about $466 million.
Its official tracking system, however, lacked key functions, including fields for cryptocurrency type, quantity changes, and transaction fees. To work around these gaps, staff maintained separate Excel spreadsheets as inventory tools.
According to the inspector-general report, these spreadsheets were not governed by documented policies or procedures, did not track edit history, and could be altered or deleted without a record. Auditors warned that without periodic reconciliations between spreadsheets and the Consolidated Asset Tracking System, mismanagement and undetected manipulation were possible.
The audit identified 28 seized cryptocurrency assets that appeared in spreadsheets but not in the official tracking system, underscoring the risks of parallel records. It also noted rounding practices that could result in unreconciled differences, with bitcoin amounts sometimes truncated rather than carried to full precision.
These small but cumulative valuation discrepancies created inconsistencies across the portfolio.
Beyond spreadsheets, the inspector-general highlighted missing policies for core operational questions. The Marshals Service did not have formal processes for recording or disposing of forked assets created when a blockchain splits.
This gap raised the possibility that the government could fail to identify and sell assets it was legally entitled to liquidate. The audit also found no established procedures for identifying or managing so-called anonymity-enhanced cryptocurrencies, despite the agency holding such assets under forfeiture orders.
Collectively, these findings framed a system in which large amounts of digital assets were tracked in ad hoc tools and governed by incomplete rules. The inspector-general concluded that the Marshals Service faced an elevated risk of inaccurate accounting and potential loss of cryptocurrency without stronger controls, reconciliations, and documented procedures.
More Technology Articles
Lost Ethereum Wallets and Contracting Strains
Operational weaknesses continued after the 2022 audit period. In reporting by CoinDesk on the Marshals Service’s digital asset operations, a source familiar with the program described an incident in which the agency lost access to two Ethereum wallets following a software update.
A statement attributed to the Marshals Service indicated uncertainty over whether private keys were incorrect or whether the wallet software had failed, and no public follow-up has resolved the cause.
The same CoinDesk article noted internal concerns about staffing and process concentration. A source characterized a situation in which one employee handled significant asset disposal activity for the program, including use of an account described as a retail-level venue, despite the aggregate value of seized assets reaching into the billions of dollars.
That picture aligned with the inspector-general’s earlier warning that the agency lacked an adequate foundation for defining performance requirements in future custody contracts.
Procurement records confirm that the Marshals Service made repeated attempts to secure outside support. A 2025 decision by the Government Accountability Office in the Wave Digital Assets protest describes a solicitation for an indefinite-delivery, indefinite-quantity contract to manage and dispose of certain classes of seized cryptocurrency.
The decision notes that prior contract awards related to this mission had been cancelled and that the 2024 competition sought to restart the effort under revised requirements.
The Government Accountability Office ultimately denied the protest and left in place a 2024 award to Command Services & Support, a Virginia-based contractor. According to the decision, the Marshals Service evaluated proposals based on technical capability, past performance, and price, concluding that Command Services & Support offered the best value.
Public materials do not indicate that the government independently published a detailed crypto-specific control framework at the time of award.
These developments illustrate a recurring pattern. Technical limits in government systems pushed key functions to spreadsheets and ad hoc tools. At the same time, repeated procurement attempts delayed the deployment of institutional-grade infrastructure, even as the volume and value of seized assets grew and the Strategic Bitcoin Reserve policy extended the government’s holding horizon.
The CMDSS Case and Alleged Insider Theft
In early 2026, allegations of insider abuse at a government contractor turned those structural weaknesses into a concrete loss case. Posts by blockchain analyst ZachXBT on X in January 2026 described a pattern of transfers from government-labeled wallets to external accounts.
The posts attributed the movements to an individual using the handle "Lick" and linked the activity to Command Services & Support’s work for the Marshals Service.
On March 5, 2026, the FBI announced the arrest of John Daghita in Saint Martin. Coverage by CBS News and other outlets reported that investigators accused Daghita of diverting approximately $46 million in cryptocurrency from wallets associated with seized assets while connected to work performed by Command Services & Support.
Reporting indicated that Daghita’s father, Dean Daghita, was at the time an executive at the contractor, though the father’s level of knowledge or involvement has not been established in public court documents.
According to these accounts, the suspected theft relied on privileged access rather than a novel cryptographic exploit. The allegations describe a scenario in which a person with access to wallet credentials or operational systems moved funds from addresses containing proceeds of high-profile cases, including assets tied to the 2016 Bitfinex hack, into personal accounts.
Investigators have not alleged that technical flaws in underlying blockchains enabled the theft; instead, they have focused on misuse of access within the custody chain.
Public reporting and the FBI’s statements indicate that on-chain analysts and external observers played a central role in surfacing the activity. ZachXBT’s posts detailed transaction patterns, linked addresses, and behavioral clues, ultimately prompting wider media coverage and government attention.
That sequence suggests that existing government monitoring and reconciliation processes did not independently detect the diversions in real time.
The CMDSS case therefore illustrates how concentrated operational authority, coupled with opaque access-control models, can transform delegation into near-total control. When a contractor or its personnel can initiate transfers without multi-party review or immutable internal logging, risk shifts from technology failures to governance failures.
Why Single-Key Custody Conflicts with Institutional Standards
The custody model in many early government crypto programs reflects the technical defaults of first-generation blockchains. In a conventional single-key arrangement, control over a private key equates to unilateral authority over the address it secures.
Whoever holds or can reconstruct the private key can move assets without additional approvals. This property simplifies individual self-custody but conflicts with institutional norms developed in banking, asset management, and public finance.
Traditional custodians of sovereign assets use layered access control and separation of duties to limit the impact of any single compromised account. Large movements of cash or securities typically require multiple authorized signatories, with approval thresholds tied to transaction size and purpose.
Activities are logged in systems designed to preserve audit trails, and responsibilities are divided so that no individual can create, approve, and reconcile the same transaction.
By contrast, a custody setup that centers on a single private key or a small group of unstructured keys can only approximate those safeguards through off-chain procedures. Staff may be told not to initiate transfers without approvals or to log each movement in a spreadsheet, but the blockchain itself records only that a valid key signed a transaction.
If inventory logs can be edited without history, as the inspector-general found in 2022, external reviewers cannot reliably reconstruct whether required internal checks were followed.
Multi-party computation and software-based threshold schemes were introduced to mitigate these risks by splitting key material across multiple devices or participants. While these techniques improve resilience at the cryptographic level, they often place governance logic in vendor-controlled policy engines or coordination servers.
In many implementations, the blockchain still sees a single aggregated signature, and auditors must trust off-chain records to understand who approved what and under which conditions.
A 2025 public service announcement by the FBI’s Internet Crime Complaint Center on North Korea’s Lazarus Group illustrated how application-layer infrastructure can be exploited even when multisignature or threshold constructs are used. The advisory described how attackers have targeted front-end systems, orchestration tools, and related services surrounding digital asset platforms, rather than breaking base-layer cryptography.
This highlights that single points of operational control remain attractive attack surfaces.
Identity, Hierarchies, and On-Chain Audit Trails
Addressing these structural weaknesses requires bringing traditional identity and access control concepts into the core of digital asset governance. In practice, this means defining permissions in terms of named roles and verifiable identities, then binding those roles to transaction rules that a blockchain or coordination system enforces directly.
Instead of focusing on who knows a particular private key string, the system should encode which positions within an organization may propose or approve asset movements and under what thresholds.
A basic example is a hierarchical multisignature structure, where a low-risk transfer might require approvals from two operations staff, while larger transfers add a requirement for a compliance officer or senior official. In this model, each signature is tied to a role and recorded as part of the transaction’s history.
If a staff member leaves or a contractor changes, administrators can update role bindings without moving funds to new addresses, preserving continuity and reducing operational risk during personnel transitions.
For public institutions, auditability is as important as access control. A system that enforces multi-party approvals but leaves no immutable record of which signers participated still depends on internal logs that could be incomplete or altered.
Protocol-level or consensus-level enforcement of workflows can produce verifiable histories of proposals, approvals, rejections, and revocations, enabling external auditors to reconstruct decision paths without relying solely on custodian-provided spreadsheets.
This approach stands in direct contrast to the conditions described in the 2022 inspector-general audit, where inventory spreadsheets could be modified without edit history and reconciliations were sporadic.
An on-chain or tamper-evident audit trail would make it more difficult for unauthorized actors to conceal transfers and would also help legitimate staff document that they followed required protocols when handling seized assets or reserve holdings.
Building such structures does not require speculation about new cryptographic primitives. Identity-linked wallets, role-based access control, and threshold signature schemes are established concepts in both security research and enterprise systems.
The challenge for government custodians is to adopt architectures that apply these ideas to cryptocurrency directly, rather than layering them loosely around single-key accounts or vendor-specific black boxes.
Cross-Chain Portfolios and Delegation Boundaries
Federal digital asset holdings extend beyond bitcoin to include Ethereum, stablecoins, and a variety of other tokens seized in enforcement actions. The 2022 inspector-general report referenced multiple cryptocurrencies, and public auctions and filings over the past decade have involved assets from several major networks.
Each blockchain has its own transaction format and signature scheme, so custody frameworks must account for heterogeneity without fragmenting governance.
One response is to create chain-specific custody stacks, each with separate approval rules, monitoring tools, and vendors. While feasible, this approach increases complexity and creates new seams where inconsistent controls can emerge.
A more durable strategy is to design cross-chain governance anchored in common identity and role definitions, then use cryptographic proofs or standardized threshold schemes to enforce similar approval patterns across networks, even when on-chain capabilities differ.
Delegation is another critical dimension. Agencies often rely on external providers for wallet management, incident response, or disposal services because internal teams lack specialized expertise. If delegation is implemented by handing a contractor direct control of private keys or unbounded administrative access, the line between custodian and service provider blurs, and insider risk increases.
The Command Services & Support allegations show how weak boundaries can allow a contractor-linked actor to function effectively as the ultimate controller of seized assets.
A stronger model treats delegation as the temporary assignment of specific permissions, bounded by scope and time, without transferring ultimate control. In such a framework, a contractor may be authorized to propose transactions within a defined range or to perform technical operations necessary for consolidating assets, but final approvals remain with government officials or entities defined at a higher level in the hierarchy.
All delegated actions appear in the same immutable audit trail as internal activity.
Importantly, revocation must be enforceable without the delegate’s cooperation. If an agency decides to terminate a contractor relationship, it should be able to invalidate that party’s permissions at the governance level while retaining uninterrupted control of the underlying wallets and reserve accounts.
This design aligns more closely with established practices in traditional finance, where asset owners can change sub-custodians or administrators without moving portfolios or disclosing core credentials.
The Strategic Bitcoin Reserve Raises the Stakes
Executive Order 14233 altered the trajectory of federal cryptocurrency custody by transforming certain government bitcoin holdings from transient enforcement assets into a long-term reserve. The order instructs that designated forfeited bitcoin be transferred to accounts maintained by the Treasury and held as a strategic stockpile, although the precise pace and mechanics of transfers remain subject to legal and operational constraints.
In practical terms, this policy extends the duration for which the government must secure large digital asset balances. Previously, seized cryptocurrency was often sold after forfeiture, limiting the time window for custody risk exposures.
With a strategic reserve, holdings may remain on official balance sheets for years or decades, subject to ongoing market volatility and evolving threat landscapes. Controls designed for short-term disposition are not sufficient for a multi-decade reserve.
Public documents do not yet describe a comprehensive, government-wide standard for digital asset custody comparable to frameworks that exist for securities or cash. The Marshals Service audit, the Government Accountability Office decision on the Wave Digital protest, and reporting on the Command Services & Support case all suggest that agencies have been adapting legacy systems and piecemeal contracts to a problem that now has structural dimensions.
As federal holdings grow, so does the potential impact of any misconfiguration or breach. Arkham Intelligence and other analytics providers have noted that official wallets now represent a significant share of identifiable bitcoin balances, and market observers track government movements for their potential price effects.
At the same time, enforcement initiatives highlighted in Department of Justice press materials point to ongoing large seizures, indicating that inflows to government wallets are likely to continue.
The Strategic Bitcoin Reserve thus turns what might once have been viewed as a technical footnote in asset forfeiture into a core question of sovereign balance sheet management. It raises expectations that controls for digital assets match or exceed those used for other high-value public holdings and that accountability mechanisms keep pace with the transparency provided by public blockchains.
From Improvisation to Governance Architecture
The history of federal cryptocurrency custody to date shows how quickly stopgap measures can become embedded practices. Spreadsheet inventories and ad hoc wallet arrangements were introduced to handle an emerging asset class, then persisted as balances reached into the billions.
Contracting cycles and unresolved policy questions delayed the adoption of more robust systems, while operational concentration and weak segregation of duties created openings for loss.
Resolving these issues will require more than replacing one vendor with another. At minimum, institutional blockchain governance for public assets should rest on identity-linked permissions, hierarchical multisignature or threshold structures that reflect real-world approval chains, and audit trails that are tamper-evident and independently verifiable.
Delegation to contractors needs to be expressed as constrained rights within that framework, not as informal control over keys.
For cross-chain portfolios, governance designs should apply consistent oversight principles to all major holdings, even if technical implementations differ between networks. Where possible, approval and logging mechanisms should be visible at or near the protocol layer rather than hidden inside proprietary policy engines, reducing reliance on internal records that auditors cannot independently test.
The alleged theft associated with Command Services & Support, the unresolved Ethereum access loss, and the spreadsheet findings in the inspector-general’s report each represent different points of failure along the same chain.
Together, they highlight that sovereign digital asset custody is not only a cryptography problem. It is an institutional design problem that spans identity, authority, monitoring, and accountability.
As federal authorities continue to seize and retain cryptoassets, the question is less whether governments can hold bitcoin and other tokens and more whether they will align custody practices with the standards they already apply to other public assets.
The technical tools to do so exist. What remains is the translation of those tools into clear requirements, funded implementations, and sustained oversight that reduce the likelihood that the next major incident will again be discovered first by outside investigators reading public ledgers.
Sources
- Office of the Inspector General, U.S. Department of Justice. "Audit of the United States Marshals Service’s Management of Seized Cryptocurrency, Report 22-082." U.S. Department of Justice, 2022.
- Executive Office of the President. "Establishment of the Strategic Bitcoin Reserve and United States Digital Asset Stockpile, Executive Order 14233." Federal Register, 2025.
- U.S. Government Accountability Office. "Wave Digital Assets, LLC, B-423217, B-423217.2." U.S. Government Accountability Office, 2025.
- Arkham Intelligence. "U.S. Government Entity Holdings." Arkham Intelligence, 2026.
- CBS News Staff. "Federal contractor who allegedly stole $46 million in crypto arrested in Caribbean, FBI says." CBS News, 2026.
- Nikhilesh De. "U.S. Marshals Service Managing Seized Assets Can't Say How Much Crypto It Holds." CoinDesk, 2025.
- Federal Bureau of Investigation. "North Korean Cyber Threat Advisory on Cryptocurrency Thefts." Internet Crime Complaint Center (IC3), 2025.
- Beige Media. "Enterprise Standards for Digital Asset Governance." Beige Media, 2025.
- TradingView News Staff. "Revealed: The Biggest Bitcoin Holders Of 2026, According To Arkham Data." TradingView News, 2026.
- ZachXBT. Thread on alleged theft of seized crypto assets linked to U.S. government wallets. X, 2026.
Article Credits
