US Charges Hacker Behind $53 Million Uranium Finance Exploit

Decrypt

In brief

  • U.S. authorities have charged Jonathan Spalletta with exploiting Uranium Finance, draining tens of millions of dollars from the company and leading to its collapse.
  • Prosecutors say he allegedly abused smart contract flaws, later moving funds through mixers and buying high-value collectibles.
  • About $31 million in crypto linked to the case was seized last year.

An alleged crypto hacker who once described digital assets as “fake internet money” is now in U.S. custody, accused of carrying out a $53 million exploit that helped bring down a decentralized exchange, in a case an expert says shows courts are taking a harder look at whether smart contract exploits can be treated as lawful.

U.S. authorities on Monday unsealed an indictment charging Jonathan Spalletta, also known as “Cthulhon” and “Jspalletta,” with computer fraud and money laundering in connection with two 2021 attacks on Uranium Finance, a decentralized exchange.

Spalletta surrendered to authorities on Monday following the charges and now faces a maximum of 10 years on the computer fraud count and 20 years on the money laundering charge.

“Stealing from a crypto exchange is stealing—the claim that ‘crypto is different’ does not change that,” U.S. Attorney Jay Clayton said in a statement.

The case fits into a wider effort to address DeFi exploits that combine technical loopholes with misuse of funds. “The idea that ‘code is law’ is increasingly being tested in court,” Angela Ang, head of policy and strategic partnerships for Asia Pacific at TRM Labs, told Decrypt.

“Exploiting smart contract vulnerabilities may be technically possible, but that doesn’t mean that courts will view it as legally permissible—especially when paired with laundering and concealment,” she added.

The indictment alleges Spalletta carried out a first attack on April 8, 2021, exploiting a rewards-tracking bug in Uranium’s smart contracts to repeatedly drain a liquidity pool of approximately $1.4 million. Roughly two weeks later, he wrote to another individual, “I did a crypto heist of $1.5MM… There was a bug in a smart contract, and I exploited it… Crypto is all fake internet money anyway.”

Authorities say he later returned most of the stolen funds after negotiating with the platform, but kept about $386,000 under what prosecutors describe as a sham “bug bounty” arrangement.

On April 28, he allegedly exploited another flaw across 26 liquidity pools, obtaining about $53.3 million in crypto and leaving Uranium Finance unable to continue operating.

Between April 2021 and November 2023, Spalletta allegedly funneled around $26 million through Tornado Cash, moving funds across multiple blockchains and wallets to obscure their origin. Onchain sleuth ZachXBT had previously traced the laundering trail in a December 2023 report, identifying how stolen ETH was withdrawn from the mixer and routed through brokers to purchase high-value collectibles.

The collectibles included rare Magic and Pokémon cards, a Julius Caesar-era coin, and a Wright brothers artifact later carried to the moon by Neil Armstrong, according to the indictment.

Last February, law enforcement also seized crypto worth about $31 million that authorities say was tied to the alleged scheme.

When asked whether stricter auditing or insurance could have prevented the platform’s collapse, Ang said that “Stronger auditing and insurance mechanisms can reduce the likelihood and impact of exploits, but they’re not a silver bullet.” Organizations need a “multi-layered defense,” including “regular security audits, secure coding practices, multi-signature controls, and a strong security culture, rather than relying on any single safeguard,” she added.
