Key Takeaways:
- US prosecutors charged Jonathan Spalletta with fraud and money laundering.
- The indictment covers two 2021 exploits totaling over $53 million.
- Spalletta allegedly laundered funds through Tornado Cash for rare collectibles.
Back
Back
US Charges Hacker in $53M Uranium Finance Exploit
A Maryland man faces up to 30 years in prison after US authorities charged him with computer fraud and money laundering for allegedly stealing over $53 million from the decentralized exchange Uranium Finance in 2021.
“As alleged, Jonathan Spalletta repeatedly hacked smart contracts to steal millions of dollars’ worth of other people’s money for himself, and destroyed a cryptocurrency exchange in the process,” said US Attorney Jay Clayton in a statement.
The indictment, unsealed Monday, details two separate attacks. On April 8, 2021, Jonathan Spalletta, 36, allegedly exploited a bug to drain approximately $1.4 million, later keeping about $386,000 as a sham “bug bounty.” A second exploit on April 28 across 26 liquidity pools netted an additional $53.3 million, leading to the platform’s collapse.
This case tests the “code is law” argument often debated in decentralized finance, suggesting that exploiting technical loopholes may not be a permissible legal defense. Prosecutors allege Spalletta laundered the stolen funds through the crypto mixer Tornado Cash and purchased millions in collectibles, including rare Pokémon cards and a Roman coin from the era of Julius Caesar.
Laundering Trail and High-Value Seizures
According to the indictment, Spalletta funneled approximately $26 million through Tornado Cash between April 2021 and November 2023 to obscure the funds' origins. The laundering trail, previously outlined in a December 2023 report by on-chain analyst ZachXBT, showed how the funds were moved across blockchains and used to acquire high-value assets.
Purchases included a Black Lotus Magic: The Gathering card for about $500,000 and first-edition Pokémon sets for over $1 million. In February 2025, federal agents seized approximately $31 million in cryptocurrency linked to the scheme. Spalletta, who once allegedly wrote that crypto is “all fake internet money anyway,” surrendered to authorities on Monday.
The prosecution highlights a growing focus on exploits in the DeFi sector, where smart contract vulnerabilities remain a significant threat. “Exploiting smart contract vulnerabilities may be technically possible, but that doesn’t mean that courts will view it as legally permissible—especially when paired with laundering and concealment,” Angela Ang, a policy expert at TRM Labs, told Decrypt.
This article is for informational purposes only and does not constitute investment advice.
[1] Alleged Uranium Finance Hacker Faces 30 Years Over Crypto Theft[2] US Charges Hacker Behind $53 Million Uranium Finance Exploit[3] Maryland man charged in $50 million Uranium Finance hack after U.S. seized $31 million in crypto[4] Security News This Week: Iranian Hackers Breached Kash Patel's Email—but Not the FBI's[5] US Charges Hacker Behind $53 Million Uranium Finance Exploit[6] Alleged Uranium Finance Hacker Faces 30 Years Over Crypto Theft
