Key Points
- Federal prosecutors charged Jonathan Spalletta, 36, from Rockville, Maryland, with money laundering and computer fraud
- The defendant allegedly conducted two separate cyberattacks on Uranium Finance during April 2021, extracting more than $50 million
- Stolen digital assets were allegedly cleaned through Tornado Cash and converted into high-end collectibles
- Federal agents recovered $31 million in cryptocurrency connected to the attacks in February 2025
- If found guilty, Spalletta could receive a maximum sentence of 30 years behind bars
Federal authorities have filed criminal charges against Jonathan Spalletta, a 36-year-old from Rockville, Maryland, alleging he orchestrated two separate cyberattacks on the decentralized finance platform Uranium Finance in April 2021, resulting in losses exceeding $50 million.
The criminal indictment was made public by prosecutors from the Southern District of New York this Monday. Spalletta turned himself in to federal authorities in Manhattan on the same date and made his initial court appearance before U.S. Magistrate Ona Wang.
Uranium Finance operated as a BNB Chain-based derivative of the automated market maker protocol Uniswap. The platform went live in April 2021 but ceased operations soon after the breaches depleted its reserves.
The initial breach took place on April 8, 2021, mere days following the platform’s debut. According to prosecutors, Spalletta leveraged a vulnerability in Uranium’s reward distribution system to extract significantly more digital currency than entitled, absconding with approximately $1.4 million.
Following the initial incident, a private settlement was arranged. Spalletta participated in negotiations for what authorities characterize as a fraudulent “bug bounty” agreement, returning the majority of stolen funds while retaining approximately $386,000.
The second, substantially larger breach occurred on April 28, 2021. Spalletta allegedly manipulated a coding flaw in the smart contract that controlled withdrawal caps across 26 separate liquidity pools, draining $53.3 million in various cryptocurrencies including Bitcoin, Ether, and the platform’s proprietary U92 token.
In the aftermath of the second attack, Uranium Finance permanently closed its online operations, leaving affected users with minimal details regarding the incident or the perpetrator’s identity.
In February 2025, law enforcement officials confiscated roughly $31 million in digital currency linked to the exploits. Initially, authorities did not disclose any information about potential suspects.
Expenditure of Illicit Proceeds
According to the prosecution, Spalletta channeled the stolen cryptocurrency through numerous sophisticated transactions, including utilizing Tornado Cash, a cryptocurrency tumbling platform.
He subsequently allegedly converted the proceeds into premium collectibles. His purchases reportedly included a Black Lotus Magic: The Gathering card valued at approximately $500,000 and 18 factory-sealed Alpha booster packs totaling roughly $1.5 million.
Additional alleged acquisitions included first-edition Pokémon card sets exceeding $1 million in value, an ancient Roman “Eid Mar” commemorative coin purchased for about $601,500, and a fragment of fabric from the Wright brothers’ historic aircraft. Law enforcement confiscated these items during a raid of his home.
According to messages referenced in the charging documents, Spalletta reportedly told an associate: “I did a crypto heist … Crypto is all fake internet money anyway.”
Criminal Charges and Possible Penalties
Spalletta is charged with one count of computer fraud, punishable by up to 10 years imprisonment, and one count of money laundering, carrying a maximum sentence of 20 years.
U.S. Attorney Jay Clayton stated: “Stealing from a crypto exchange is stealing — the claim that ‘crypto is different’ does not change that.”
This prosecution represents the first instance where a specific individual has been publicly identified in connection with the Uranium Finance incident, more than four years following the original breaches.
