US prosecutors have charged a Maryland man in connection with two hacks of the Uranium Finance cryptocurrency exchange that led to losses exceeding $50 million.
Jonathan Spalletta, also known as “Cthulhon” and “Jspalletta,” is accused of abusing vulnerabilities in Uranium Finance smart contracts to siphon assets from the platform. If convicted, he could face up to 10 years in prison for computer fraud and 20 years for money laundering.
“As alleged, Jonathan Spalletta repeatedly hacked smart contracts to steal millions of dollars’ worth of other people’s money and destroyed a cryptocurrency exchange in the process,” said U.S. Attorney Jay Clayton. “In describing his alleged ‘heist,’ Spalletta told another individual, ‘Crypto is just fake internet money anyway.’”
The indictment outlines two incidents in 2021. In the first, he used a series of transactions to take advantage of a flaw in the exchange’s code, allowing him to withdraw more cryptocurrency rewards than permitted and drain a liquidity pool of nearly all its tokens, netting about $1.4 million. In messages cited by prosecutors, he later described the incident as a “crypto heist” and acknowledged exploiting a bug.
Authorities say he then pressured the platform into letting him keep roughly $386,000 as a so-called bug bounty in exchange for returning part of the stolen assets.
Weeks later, he carried out a second attack, using another flaw across 26 liquidity pools to extract about $53.3 million, which led to the platform shutting down. Investigators allege he laundered the assets through a series of transactions, including the use of a cryptocurrency mixer.
After laundering the funds, Spalletta spent the money on high-value collectibles, including rare Magic: The Gathering and Pokémon cards, antique Roman coins, and items such as a Black Lotus card, sealed Alpha Booster packs, and a piece of fabric from the Wright brothers’ airplane that was later carried to the moon, prosecutors said.
