Hacker charged with stealing $53 million from Uranium crypto exchange
Maryland hacker charged with stealing $53M from Uranium Finance crypto exchange via smart contract exploits.
Summary
U.S. prosecutors charged 36-year-old Jonathan Spalletta with stealing $53.3 million from the Uranium Finance decentralized exchange through two separate smart contract exploits in April 2021. Spalletta exploited coding flaws in the exchange's contracts to drain its liquidity pools, then laundered the proceeds through the Tornado Cash mixer and spent millions on collectibles. Law enforcement recovered roughly $31 million in cryptocurrency plus the physical assets; Spalletta faces up to 10 years in prison on a computer fraud count and up to 20 years on the money laundering count.
Full text
By Sergiu Gatlan, March 31, 2026 05:15 AM

U.S. prosecutors have charged a Maryland man with stealing more than $53 million after hacking the Uranium Finance crypto exchange twice and laundering the proceeds through a cryptocurrency mixer.

36-year-old Jonathan Spalletta (known online as "Cthulhon" and "Jspalletta") appeared in court before U.S. Magistrate Judge Ona T. Wang after surrendering to law enforcement on Monday.

Spalletta hacked the decentralized cryptocurrency exchange Uranium (which operated as an automated market maker similar to Uniswap) in April 2021, stealing approximately $53.3 million worth of cryptocurrency and forcing the company to shut down for lack of funds.

"As alleged, Jonathan Spalletta repeatedly hacked smart contracts to steal millions of dollars' worth of other people's money for himself, and destroyed a cryptocurrency exchange in the process," said U.S. Attorney Jay Clayton. "In describing his alleged 'heist,' Spalletta told another individual, 'Crypto is just fake internet money anyway.' Stealing from a crypto exchange is stealing—the claim that 'crypto is different' does not change that. For the victims, there is nothing different about having your money taken. Spalletta cost real victims real losses of tens of millions of dollars, and now he's under real arrest."

According to the unsealed indictment, the defendant carried out two separate attacks. During the first breach, on April 8, Spalletta exploited a flaw in Uranium's smart contract code: by abusing the AmountWithBonus variable he could issue withdrawal commands for zero tokens that nonetheless forced the exchange to pay out rewards he was not entitled to, draining the liquidity pool of approximately $1.4 million.

Tracing stolen Uranium Finance funds (TRM Labs)

Spalletta then extorted Uranium into assigning nearly $386,000 of the stolen funds to him as a sham "bug bounty" in exchange for returning the remainder to the exchange.

Three weeks later, on April 28, he struck again, this time exploiting a separate single-character coding error that caused Uranium's transaction-verification logic to use the constant 1,000 where 10,000 was required. With the check off by that factor, the contract accepted swaps that removed far more than they deposited: Spalletta withdrew nearly 90% of the assets held across 26 separate liquidity pools while depositing effectively zero tokens, netting approximately $53.3 million (the overwhelming majority of Uranium's holdings) and forcing the exchange to shut down immediately.

Spalletta laundered the stolen assets across multiple decentralized exchanges and through the Tornado Cash cryptocurrency mixer, then spent the proceeds on a wide range of items, including a "Black Lotus" Magic: The Gathering card for approximately $500,000, 18 sealed packs of Alpha Booster Magic cards for around $1.5 million, a first-edition complete Pokémon base set for roughly $750,000, and an ancient Roman coin commemorating Julius Caesar's assassination for over $601,000.

In February 2025, law enforcement seized the collectibles from his residence under a court-authorized search warrant and recovered approximately $31 million in cryptocurrency from wallets linked to Spalletta.

Spalletta now faces up to 10 years in prison on a computer fraud count and up to 20 years if found guilty of money laundering.
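The 1,000-versus-10,000 mismatch described above, modelled as an added example (this is not Uranium's contract code and not taken from the indictment). It assumes the pair's swap ends with a Uniswap-v2-style constant-product check that compares fee-adjusted post-swap balances against the pre-swap reserves, a 16/10,000 (0.16%) fee, and integer amounts in token base units; the article states none of these details. The names `k_check_accepts`, `get_amount_out` and `max_drain_fraction` and all amounts are constructed for the illustration. The vulnerable variant scales the reserve side by 1,000 while the balance side uses 10,000, so a swap that removes just under 90% of each reserve against a 1 wei deposit still satisfies the check; the corrected variant rejects it and accepts only an honestly quoted swap.

```python
"""Constant-product (k) invariant of a Uniswap-v2-style AMM pair, modelled in
Python to show why a 1,000 vs 10,000 constant mismatch lets a caller take
most of both reserves for a dust-sized deposit.

Assumed (the article does not spell this out): the pair's swap() ends with a
Uniswap-v2-style require() comparing fee-adjusted post-swap balances with the
pre-swap reserves, the fee is 16 / 10,000 (0.16%), and amounts are integers
in token base units, as on-chain. All numbers below are constructed.
"""

BALANCE_SCALE = 10_000   # scale applied to the balance side of the k-check
FEE_NUMERATOR = 16       # assumed 0.16% fee, in units of BALANCE_SCALE


def k_check_accepts(reserve0, reserve1, amount0_in, amount1_in,
                    amount0_out, amount1_out, reserve_scale):
    """Return True if the pair's invariant check accepts the swap.

    reserve_scale is the constant the contract applies to the reserve side.
    Correct code uses BALANCE_SCALE (10,000) on both sides; the vulnerable
    version applies 1,000 on the reserve side only.
    """
    # Flash-swap ordering: output tokens leave first, then the caller's
    # deposit is credited, so these are the balances the contract observes.
    balance0 = reserve0 - amount0_out + amount0_in
    balance1 = reserve1 - amount1_out + amount1_in
    if balance0 < 0 or balance1 < 0:
        return False  # the token transfer itself would have reverted
    adj0 = balance0 * BALANCE_SCALE - amount0_in * FEE_NUMERATOR
    adj1 = balance1 * BALANCE_SCALE - amount1_in * FEE_NUMERATOR
    return adj0 * adj1 >= reserve0 * reserve1 * reserve_scale ** 2


def get_amount_out(amount_in, reserve_in, reserve_out):
    """Honest quote for a one-sided swap (Uniswap-v2 formula, 16/10,000 fee)."""
    amount_in_with_fee = amount_in * (BALANCE_SCALE - FEE_NUMERATOR)
    numerator = amount_in_with_fee * reserve_out
    denominator = reserve_in * BALANCE_SCALE + amount_in_with_fee
    return numerator // denominator


def max_drain_fraction(reserve_scale):
    """Largest fraction of EACH reserve a dust-deposit swap can remove.

    With balances scaled by B and reserves by R, the check reduces to
    (1 - f)^2 * B^2 >= R^2, i.e. f <= 1 - R / B. For R = 1,000 and
    B = 10,000 that is 0.9, which matches the 'nearly 90%' figure.
    """
    return 1 - reserve_scale / BALANCE_SCALE


if __name__ == "__main__":
    R = 10**24  # constructed: 1,000,000 tokens with 18 decimals on each side
    honest_out = get_amount_out(10**21, R, R)
    print("honest swap, fixed code:      ",
          k_check_accepts(R, R, 10**21, 0, 0, honest_out, 10_000))
    drain = R * 8999 // 10_000  # 89.99% of each reserve, for 1 wei of each token
    print("drain 89.99%, vulnerable code:",
          k_check_accepts(R, R, 1, 1, drain, drain, 1_000))
    print("drain 89.99%, fixed code:     ",
          k_check_accepts(R, R, 1, 1, drain, drain, 10_000))
    print("max drainable fraction, vulnerable:", max_drain_fraction(1_000))
```

The point a reviewer should take from this: the two sides of a `require` that compares scaled quantities must be scaled by the same constant, and a unit test that attempts a swap with dust input and large output against the pair would have caught the regression before deployment.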
Indicators of Compromise
- laundering service — Tornado Cash (a cryptocurrency mixer used to obscure the stolen funds; it is not malware)