A Maryland man has been charged with stealing more than $53m after allegedly hacking the Uranium Finance cryptocurrency exchange twice in 2021 and laundering the proceeds through a crypto mixer.
Jonathan Spalletta, 36, appeared in court after surrendering to law enforcement, according to US prosecutors. Authorities allege the attacks drained most of the exchange’s assets and forced the platform to shut down due to a lack of funds. Prosecutors said the case highlights the risks associated with vulnerabilities in decentralized finance platforms.
Officials said the alleged attacks involved exploiting flaws in smart contract code. In one instance, Spalletta manipulated a rewards system to withdraw funds he was not entitled to receive.
Later, investigators said he exploited a coding error that allowed him to withdraw large amounts of cryptocurrency while depositing almost nothing.
Two Attacks Shut Down Crypto Exchange
According to the indictment, the attacks took place in April 2021 and targeted liquidity pools on the exchange.
The alleged incidents included:
-
Exploiting a rewards calculation flaw to steal about $1.4m
-
Negotiating a sham bug bounty worth about $386,000
-
Exploiting a coding error affecting transaction verification
-
Draining 26 liquidity pools of roughly $53.3m
Three weeks after the first breach, the second attack reportedly led to the withdrawal of nearly 90% of Uranium Finance’s assets, prompting the exchange to shut down immediately.
Read more on cryptocurrency exchange security: Hundreds of Malicious Crypto Trading Add-Ons Found in OpenClaw
Laundering and Asset Seizures
Prosecutors alleged the stolen cryptocurrency was laundered through multiple decentralized exchanges and the Tornado Cash cryptocurrency mixer. Authorities said the funds were later used to purchase rare collectibles and historical items, including trading cards and an ancient coin.
In February 2025, law enforcement seized collectibles from Spalletta’s residence and recovered approximately $31m in cryptocurrency linked to the case.
“As alleged, Jonathan Spalletta repeatedly hacked smart contracts to steal millions of dollars’ worth of other people’s money for himself,” US Attorney Jay Clayton said. “Stealing from a crypto exchange is stealing; the claim that crypto is different does not change that.”
Spalletta faces one computer fraud charge carrying a maximum sentence of 10 years and a money laundering charge carrying up to 20 years if convicted.
