Key Points
- Federal prosecutors have indicted Jonathan Spalletta, 36, from Rockville, Maryland, on computer fraud and money laundering charges
- The suspect allegedly conducted two separate attacks on Uranium Finance during April 2021, extracting more than $50 million in digital assets
- Stolen funds were allegedly cleaned through Tornado Cash before being used to acquire high-value collectible items
- Law enforcement recovered approximately $31 million in cryptocurrency connected to the attacks in February 2025
- If found guilty on all charges, Spalletta could serve a maximum of 30 years behind bars
Federal authorities have brought charges against Jonathan Spalletta, a 36-year-old from Maryland, alleging he orchestrated two devastating cyberattacks on the decentralized finance platform Uranium Finance in spring 2021, siphoning more than $50 million in cryptocurrency.
The indictment became public when the Southern District of New York unsealed it this Monday. Spalletta turned himself in to federal agents in Manhattan on the same date and made his initial court appearance before U.S. Magistrate Ona Wang.
Uranium Finance operated as a BNB Chain-based variant of the popular automated market maker Uniswap. The platform went live in April 2021 but was forced to cease operations shortly thereafter when the security breaches depleted its reserves.
According to prosecutors, the initial breach took place on April 8, 2021, mere days following the platform’s debut. Spalletta purportedly identified and leveraged a vulnerability within Uranium’s reward distribution system, allowing him to extract approximately $1.4 million in cryptocurrency assets beyond his legitimate entitlements.
Following the initial incident, negotiations resulted in a private settlement. Spalletta agreed to what authorities now characterize as a fraudulent “bug bounty” arrangement, returning the majority of stolen assets while retaining roughly $386,000.
The second, far more destructive breach occurred on April 28, 2021. The defendant allegedly discovered and exploited a critical flaw in the smart contract code that governed withdrawal restrictions across 26 separate liquidity pools, making off with $53.3 million in various cryptocurrencies, including Bitcoin, Ether, and the platform’s native U92 token.
In the aftermath of the second attack, Uranium Finance took its website offline, leaving victims with minimal information regarding the incident or the perpetrator’s identity.
In February 2025, federal agents confiscated roughly $31 million worth of cryptocurrency assets linked to these exploits. At that time, authorities did not disclose any information about potential suspects.
Lavish Spending on Rare Collectibles
According to the indictment, Spalletta engaged in sophisticated money laundering operations involving multiple transactions, notably utilizing Tornado Cash, a cryptocurrency tumbling service designed to obscure transaction origins.
The defendant allegedly converted his ill-gotten gains into premium collectible items. Among his purchases was a Black Lotus Magic: The Gathering card, acquired for approximately $500,000, along with 18 unopened Alpha booster packs valued at roughly $1.5 million.
Additional alleged acquisitions included first-edition Pokémon card sets exceeding $1 million in value, a rare ancient Roman “Eid Mar” coin purchased for about $601,500, and even a fragment of fabric from the Wright brothers’ historic first airplane. Authorities confiscated these items during a search of Spalletta’s home.
According to communications referenced in the charging documents, Spalletta allegedly told an acquaintance: “I did a crypto heist … Crypto is all fake internet money anyway.”
Legal Consequences and Maximum Penalties
Spalletta is facing one count of computer fraud, punishable by up to 10 years imprisonment, alongside one count of money laundering, which carries a maximum sentence of 20 years.
U.S. Attorney Jay Clayton stated: “Stealing from a crypto exchange is stealing — the claim that ‘crypto is different’ does not change that.”
This case represents the first instance where authorities have publicly identified a specific individual in connection with the Uranium Finance incidents, more than four years following the original attacks.
