The US Department of Justice filed charges against 36-year-old Jonathan Spalletta of Rockville, Maryland.
Prosecutors charged him with computer fraud and money laundering in connection with two hacking attacks on decentralized exchange Uranium Finance in April 2021. Total losses exceeded $53 million.
Spalletta surrendered to authorities on Monday. He now faces up to 30 years in prison—10 years for computer fraud and 20 years for money laundering.
How the Attacks Happened
On April 8, 2021, Spalletta exploited a flaw in a smart contract and withdrew about $1.4 million. After that, he allegedly extorted a “bug bounty” of $386,000 from the platform, threatening further attacks.
On April 20, he executed a second, much larger attack. Exploiting a coding error—a single incorrect character—he drained funds from 26 liquidity pools. He took nearly all of the platform’s assets, approximately $53.3 million. Uranium Finance ceased operations afterward.
Spalletta laundered part of the stolen funds through Tornado Cash. He then spent the money on rare collectibles. These included Magic: The Gathering cards (including a Black Lotus worth $500,000), Pokémon sets, an ancient Roman coin, and other artifacts.
In February 2025, law enforcement seized $31 million in cryptocurrency and the collectible items from him.
What This Means for the Industry
The case shows that US authorities continue to aggressively pursue smart contract exploits, even if the hacker considers them a “bug.” Prosecutors emphasize that theft is theft, regardless of whether the assets sit on a blockchain.
