Maryland Man Charged Over $53M Uranium Finance Crypto Hack
Jonathan Spalletta, 36, has been charged with hacking the Uranium Finance decentralized exchange twice in April 2021, stealing over $53 million by exploiting smart contract flaws and laundering proceeds through Tornado Cash.
A Maryland man has been charged with stealing more than $53 million after allegedly hacking the Uranium Finance cryptocurrency exchange twice in April 2021 and laundering the proceeds through the Tornado Cash crypto mixer. Jonathan Spalletta, 36, surrendered to law enforcement and appeared in court, according to US prosecutors. The case highlights persistent security risks in decentralized finance (DeFi) platforms, where smart contract vulnerabilities can lead to catastrophic losses.
The attacks targeted Uranium Finance's liquidity pools, exploiting two distinct coding flaws. In the first incident, Spalletta manipulated a rewards calculation bug to steal approximately $1.4 million. He then negotiated a sham bug bounty worth about $386,000, apparently to cover his tracks. Three weeks later, he exploited a critical transaction verification error that allowed him to drain 26 liquidity pools of roughly $53.3 million, removing nearly 90% of the exchange's total assets. The platform shut down immediately after the second breach.
Prosecutors allege that Spalletta laundered the stolen cryptocurrency through multiple decentralized exchanges and the Tornado Cash mixer, a service that obfuscates transaction trails on the blockchain. The laundered funds were later used to purchase rare collectibles and historical items, including trading cards and an ancient coin. In February 2025, law enforcement seized these items from Spalletta's residence and recovered approximately $31 million in cryptocurrency linked to the case.
"As alleged, Jonathan Spalletta repeatedly hacked smart contracts to steal millions of dollars' worth of other people's money for himself," US Attorney Jay Clayton said. "Stealing from a crypto exchange is stealing; the claim that crypto is not different." The statement underscores the government's stance that digital asset theft is treated no differently from traditional financial crimes.
Spalletta faces one count of computer fraud, carrying a maximum sentence of 10 years, and one count of money laundering, carrying up to 20 years if convicted. The charges reflect the severity of the financial damage and the sophisticated laundering scheme. The case also serves as a warning to DeFi platforms, which have been frequent targets of hackers exploiting smart contract vulnerabilities.
The Uranium Finance hack is among the largest DeFi thefts of 2021, a year that saw record losses from crypto exchange breaches. While the recovery of $31 million is significant, the incident underscores the challenges of securing decentralized protocols and tracing stolen assets through mixers. The outcome of this case may set a precedent for prosecuting DeFi-related crimes, particularly those involving privacy tools like Tornado Cash.