Key Highlights
- Jonathan Spalletta was accused of stealing about $54 million from Uranium Finance in two crypto hacks in April 2021.
- He laundered the stolen funds using cryptocurrency mixers and spent the money on high-value collectibles like rare Magic and Pokémon cards.
- U.S. authorities seized $31 million in crypto in 2025. He faces up to 10 years for computer fraud and 20 years for money laundering.
U.S. authorities have charged the hacker responsible for carrying out two major attacks on the decentralized cryptocurrency exchange Uranium Finance in April 2021. The hacks drained about $54 million in cryptocurrency and forced the platform to shut down.
According to the official release, Jonathan Spalletta, 36, also known as “Cthulhon” and “Jspalletta,” was charged with computer fraud and money laundering. He surrendered to authorities after an indictment was made public by the U.S. Attorney’s Office for the Southern District of New York.
How the hacks happened
U.S. Attorney Jay Clayton said Spalletta exploited errors in the platform’s smart contracts to steal funds. According to prosecutors, Spalletta told an associate in a message, “Crypto is all fake internet money anyway.”
Authorities said he tried to hide the stolen money by moving it through Tornado Cash, a service that mixes cryptocurrency to make transactions harder to trace.
Spalletta reportedly carried out two separate hacks in April 2021. On April 8, he took advantage of Uranium’s rewards system, which gives users extra cryptocurrency for participating in the platform. By repeating certain transactions, he withdrew far more rewards than allowed, taking approximately $1.4 million.
Two weeks later, he negotiated a sham “bug bounty” deal with Uranium to keep $386,000, while returning the rest.
On April 28, he identified another vulnerability and exploited it across 26 liquidity pools, draining approximately $53.3 million. This second attack ultimately left Uranium Finance unable to continue operations.
What he used the money for
After stealing the funds, Spalletta spent a portion on high-value collectibles. These included a “Black Lotus” Magic: The Gathering card worth about $500,000, 18 sealed Alpha booster packs valued at $1.5 million, first-edition Pokémon cards worth over $1 million, a piece of fabric from the Wright brothers’ airplane that traveled to the moon, and Roman coins valued at more than $600,000.
Authorities recovered many of these items from his residence.
Facing up to 30 years in jail
On February 24, 2025, law enforcement seized approximately $31 million in cryptocurrency connected to the Uranium hack. Spalletta now faces a maximum sentence of 10 years for computer fraud and 20 years for money laundering.
The case is being prosecuted by the Office’s Complex Frauds and Cybercrime Unit and assigned to U.S. District Judge Jed S. Rakoff, with initial proceedings before U.S. Magistrate Judge Ona T. Wang.
Homeland Security Investigations Acting Special Agent Kevin Murphy said, “HSI will continue to aggressively pursue those who exploit vulnerabilities in emerging technologies for personal gain and ensure that justice is served for victims of these crimes.”
Broader context
Uranium Finance was a decentralized platform that allowed users to deposit and trade cryptocurrencies through liquidity pools. The case shows the risks of decentralized finance platforms, and the U.S. authorities have been actively making efforts to hold hackers accountable.
However, the number of similar cases keeps piling up, especially crimes that involve cryptocurrency. Last week, Blockchain security firm CertiK reported that a crypto firm, Movie Token (MT), suffered an exploit, with about $242,000 drained from its liquidity pool.
In another case, the U.S. Treasury Department imposed sanctions on six individuals and two entities that are related to North Korea’s scheme using fake remote IT workers to siphon money from American companies.
Overall, while the adoption of cryptocurrency and DeFi platforms continues to grow, so do associated risks. Authorities in the U.S. and globally are increasing enforcement efforts to ensure that bad actors are identified and prosecuted.
Also Read: UXLINK Hacker Converts 5,496 ETH to 11M DAI After $44M Breach
