US authorities unsealed an indictment on March 31, 2026 charging Jonathan Spalletta, a 36-year-old Maryland man also known as “Cthulhon” and “Jspalletta,” with computer fraud and money laundering in connection with two 2021 attacks on Uranium Finance, a decentralized exchange, that drained approximately $53.3 million from the platform and led to its collapse.
Spalletta surrendered to authorities following the charges and faces a maximum sentence of 10 years for computer fraud and 20 years for money laundering, with potential prison time of up to 30 years if convicted on both counts.
Two Separate Exploits in April 2021 Drained Uranium Finance Liquidity Pools
Prosecutors allege that Spalletta carried out a first attack on April 8, 2021, exploiting a rewards-tracking bug in Uranium’s smart contracts to repeatedly drain a liquidity pool of approximately $1.4 million. Roughly two weeks later, he allegedly wrote to another individual stating, “I did a crypto heist of $1.5MM… There was a bug in a smart contract, and I exploited it… Crypto is all fake internet money anyway.”
Authorities say Spalletta returned most of the stolen funds after negotiating with the platform but retained approximately $386,000 under what prosecutors describe as a sham bug bounty arrangement. On April 28, 2021, he allegedly exploited another flaw across 26 liquidity pools, obtaining approximately $53.3 million in cryptocurrency and leaving Uranium Finance unable to continue operating.
The indictment details that between April 2021 and November 2023, Spalletta allegedly funneled approximately $26 million through Tornado Cash, moving funds across multiple blockchains and wallets to obscure their origin. Onchain investigator ZachXBT had previously traced the laundering trail in a December 2023 report, identifying how stolen ETH was withdrawn from the mixer and routed through brokers to purchase high-value collectibles.
Stolen Funds Used to Purchase Rare Collectibles and Cryptocurrency
According to the indictment, Spalletta used the laundered funds to purchase rare Magic: The Gathering and Pokémon trading cards, a Julius Caesar-era coin, and a piece of fabric from the original Wright brothers’ airplane that was subsequently transported to the surface of the moon by astronaut Neil Armstrong on the first moon landing. The purchases represented a portion of the approximately $31 million in cryptocurrency tied to the alleged scheme that law enforcement seized in February 2025.
US Attorney Jay Clayton stated in a release that stealing from a crypto exchange is stealing, and the claim that “crypto is different” does not change that. Clayton noted that in describing the alleged heist, Spalletta told another individual that crypto is just fake internet money anyway.
Legal Experts Say Case Tests ‘Code Is Law’ Defense in DeFi Exploits
The case fits into a broader effort to address DeFi exploits that combine technical loopholes with misuse of funds. TRM Labs head of policy and strategic partnerships for Asia Pacific Angela Ang stated that the idea that code is law is increasingly being tested in court. Ang noted that exploiting smart contract vulnerabilities may be technically possible, but that does not mean courts will view it as legally permissible—especially when paired with laundering and concealment.
Ang added that stronger auditing and insurance mechanisms can reduce the likelihood and impact of exploits but are not a silver bullet. Organizations need a multi-layered defense including regular security audits, secure coding practices, multi-signature controls, and a strong security culture rather than relying on any single safeguard.
The charges against Spalletta include one count of computer fraud carrying a maximum sentence of 10 years and one count of money laundering carrying a maximum sentence of 20 years in prison. The indictment was filed in the US Attorney’s Office for the Southern District of New York.
FAQ
What charges does Jonathan Spalletta face in the Uranium Finance exploit case?
Spalletta faces one count of computer fraud, carrying a maximum sentence of 10 years, and one count of money laundering, carrying a maximum sentence of 20 years. He could face up to 30 years in prison if convicted on both counts.
How much cryptocurrency was stolen in the Uranium Finance hacks?
Prosecutors allege Spalletta stole approximately $1.4 million in a first attack on April 8, 2021, and approximately $53.3 million in a second attack on April 28, 2021, bringing the total to approximately $54.7 million. Law enforcement seized approximately $31 million in cryptocurrency tied to the alleged scheme in February 2025.
What items did Spalletta allegedly purchase with the stolen funds?
According to the indictment, Spalletta used laundered funds to purchase rare Magic: The Gathering and Pokémon trading cards, a Julius Caesar-era coin, and a piece of fabric from the original Wright brothers’ airplane that was transported to the moon by astronaut Neil Armstrong during the first moon landing.
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
