Maryland Resident Accused of Hacking Uranium Finance DeFi Platform, Stealing $50 Million in 2021

TLDR

• Jonathan Spalletta, 36, from Rockville, Maryland, is facing charges of computer fraud and money laundering.
• He is accused of hacking Uranium Finance on two occasions in April 2021, making off with more than $50 million.
• The illicit proceeds were allegedly laundered via Tornado Cash and used to buy rare collectibles.
• In February 2025, law enforcement seized $31 million in cryptocurrency connected to the hack.
• If found guilty on both charges, Spalletta could be sentenced to a maximum of 30 years in prison.

---

(SeaPRwire) –   Federal prosecutors have charged Jonathan Spalletta, a 36-year-old from Maryland, for executing two separate hacks on the decentralized exchange Uranium Finance in April 2021, which resulted in a loss of over $50 million from the platform.

(1/2) Uranium migration has been exploited, the following address has 50m in it The only thing that matters is keeping the funds on BSC, everyone please start tweeting this address to Binance immediately asking them to stop transfers.

— Uranium Finance (@UraniumFinance) April 28, 2021

The indictment was made public by the Southern District of New York on Monday. That same day, Spalletta turned himself in to Manhattan authorities and had an appearance before U.S. Magistrate Ona Wang.

Uranium Finance operated as a BNB Chain fork of the automated market maker Uniswap. It commenced operations in April 2021 but was forced to close soon after the attacks because it ran out of money.

The initial hack took place on April 8, 2021, mere days after the platform’s launch. According to allegations, Spalletta took advantage of a vulnerability in Uranium’s rewards system to withdraw significantly more cryptocurrency than he was entitled to, making away with approximately $1.4 million.

Subsequent to the first incident, a private agreement was made. Spalletta is said to have negotiated what prosecutors are calling a fraudulent “bug bounty,” returning the bulk of the funds but retaining about $386,000.

A second, more substantial attack happened on April 28, 2021. Spalletta allegedly exploited a mistake in the smart contract that controlled withdrawal limits for 26 liquidity pools, stealing $53.3 million in cryptocurrency, such as Bitcoin, Ether, and Uranium’s native token, U92.

In the wake of the second hack, Uranium Finance deactivated its website, leaving victims with minimal details about the event or the perpetrator.

Authorities confiscated around $31 million in cryptocurrency linked to the exploits in February 2025. No information about a potential suspect was disclosed at that time.

How the Stolen Funds Were Spent

According to the prosecution, Spalletta laundered the stolen cryptocurrency using a sequence of intricate transactions, which involved the crypto mixing service Tornado Cash.

He then purportedly used the money to acquire valuable collectibles. Among the purchases were a Black Lotus Magic: The Gathering card valued at approximately $500,000 and 18 sealed Alpha booster packs costing about $1.5 million.

He is also accused of buying first-edition Pokémon sets valued at over $1 million, an ancient Roman “Eid Mar” coin for around $601,500, and a fragment of fabric from the Wright brothers’ original airplane. These items were confiscated during a search of his home.

In communications referenced in the indictment, Spalletta told an associate: “I did a crypto heist … Crypto is all fake internet money anyway.”

Charges and Potential Sentence

Spalletta is charged with one count of computer fraud, which has a maximum prison sentence of 10 years, and one count of money laundering, carrying a potential 20-year sentence.

U.S. Attorney Jay Clayton stated: “Stealing from a crypto exchange is stealing — the claim that ‘crypto is different’ does not change that.”

This indictment represents the first public identification of a defendant in the Uranium Finance case, more than four years following the hacks.