A US national has been charged for allegedly hacking the decentralized cryptocurrency exchange Uranium Finance, a breach that resulted in losses of approximately $55 million and ultimately forced the platform to shut down.
Jonathan Spalletta, 36, from Rockville, Maryland, is accused of exploiting smart contract vulnerabilities in 2021 in what became one of the largest decentralized finance (DeFi) attacks at the time.
Timeline of the Attacks
The first incident occurred on April 8, 2021, when Spalletta allegedly manipulated Uranium’s reward distribution system. This allowed him to withdraw about $1.4 million in cryptocurrency.
Following the attack, he reportedly contacted Uranium and negotiated a fake bug bounty arrangement. Under this agreement, he kept approximately $386,000 while returning around $1 million to the platform.
However, the activity did not stop there.
On April 28, 2021, Spalletta allegedly carried out a second, far more damaging exploit. By leveraging another vulnerability in Uranium’s smart contracts, he withdrew significantly more funds than permitted, draining roughly $53.3 million from 26 liquidity pools. This massive loss led to the exchange shutting down.
Laundering and Use of Stolen Funds
According to the indictment, Spalletta attempted to conceal the stolen cryptocurrency through complex transactions, including the use of the crypto mixer Tornado Cash.
The laundered funds were then used to purchase high-value collectibles, including:
- Magic: The Gathering cards
- Pokémon cards
- Antique Roman coins
These assets were reportedly worth millions of dollars.
Law Enforcement Action
In February 2025, US authorities announced the seizure of approximately $31 million in cryptocurrency linked to the attack. The assets had been spread across multiple wallets and remained inactive for nearly three years before being moved again in 2024.
Spalletta later surrendered to authorities and now faces charges of:
- Computer fraud
- Money laundering
If convicted, he could face up to 10 years in prison for fraud and 20 years for money laundering.
Key Takeaway
This case highlights the risks associated with smart contract vulnerabilities in DeFi platforms. It also underscores how attackers may exploit systems multiple times and attempt to legitimize theft through tactics like fake bug bounty claims and sophisticated laundering methods.
1 Comment
Leave a Reply to scsec Cancel reply
Related Articles
Outdated Systems and Vulnerable Apps Leave Most Enterprises Exposed to Cyberattacks
A recent security analysis highlights a widespread problem in enterprise environments: many...
APT28 Turns Vulnerable Routers into a Global DNS Hijacking and Espionage Network
A Russia-linked cyber espionage group, widely tracked as APT28, has been connected...
Iran-Linked Hackers Disrupt U.S. Critical Infrastructure via PLC Attacks
Iran-Linked Hackers Target U.S. Critical Infrastructure via Internet-Exposed PLCs Iran-affiliated cyber actors...
Cybercrime, FBI IC3, Investment Fraud, Ransomware, Cryptocurrency Scams
FBI Reports Cybercrime Losses Nearly $21 Billion in 2025 The FBI’s Internet...
This case highlights the real risks in DeFi platforms where smart contract flaws can lead to massive losses. It’s also a reminder that exploiting vulnerabilities for profit—especially under the guise of a “bug bounty”—still carries serious legal consequences.