US Charges Hacker Behind $55 Million Uranium Finance Collapse

A US national has been charged for allegedly hacking the decentralized cryptocurrency exchange Uranium Finance, a breach that resulted in losses of approximately $55 million and ultimately forced the platform to shut down.

Jonathan Spalletta, 36, from Rockville, Maryland, is accused of exploiting smart contract vulnerabilities in 2021 in what became one of the largest decentralized finance (DeFi) attacks at the time.

Timeline of the Attacks

The first incident occurred on April 8, 2021, when Spalletta allegedly manipulated Uranium’s reward distribution system. This allowed him to withdraw about $1.4 million in cryptocurrency.

Following the attack, he reportedly contacted Uranium and negotiated a fake bug bounty arrangement. Under this agreement, he kept approximately $386,000 while returning around $1 million to the platform.

However, the activity did not stop there.

On April 28, 2021, Spalletta allegedly carried out a second, far more damaging exploit. By leveraging another vulnerability in Uranium’s smart contracts, he withdrew significantly more funds than permitted, draining roughly $53.3 million from 26 liquidity pools. This massive loss led to the exchange shutting down.

Laundering and Use of Stolen Funds

According to the indictment, Spalletta attempted to conceal the stolen cryptocurrency through complex transactions, including the use of the crypto mixer Tornado Cash.

The laundered funds were then used to purchase high-value collectibles, including:

  • Magic: The Gathering cards
  • Pokémon cards
  • Antique Roman coins

These assets were reportedly worth millions of dollars.

Law Enforcement Action

In February 2025, US authorities announced the seizure of approximately $31 million in cryptocurrency linked to the attack. The assets had been spread across multiple wallets and remained inactive for nearly three years before being moved again in 2024.

Spalletta later surrendered to authorities and now faces charges of:

  • Computer fraud
  • Money laundering

If convicted, he could face up to 10 years in prison for fraud and 20 years for money laundering.

Key Takeaway

This case highlights the risks associated with smart contract vulnerabilities in DeFi platforms. It also underscores how attackers may exploit systems multiple times and attempt to legitimize theft through tactics like fake bug bounty claims and sophisticated laundering methods.


1 Comment

  • This case highlights the real risks in DeFi platforms where smart contract flaws can lead to massive losses. It’s also a reminder that exploiting vulnerabilities for profit—especially under the guise of a “bug bounty”—still carries serious legal consequences.
