US Charges Uranium Crypto Exchange Hacker

Summary

Jonathan Spalletta, 36, of Rockville, Maryland, was charged with hacking decentralized cryptocurrency exchange Uranium Finance by exploiting smart contract vulnerabilities in two separate incidents in April 2021. The attacks resulted in the theft of approximately $55 million in cryptocurrency, effectively forcing the exchange to shut down. Spalletta laundered the stolen funds through Tornado Cash and converted them into collectible items; law enforcement seized approximately $31 million in cryptocurrency in February 2024.

Full text

A US national was charged with hacking the decentralized cryptocurrency exchange Uranium Finance and causing it to shut down. The individual, Jonathan Spalletta, 36, of Rockville, Maryland, allegedly exploited smart contract vulnerabilities at Uranium twice in 2021 to drain large amounts of cryptocurrency in one of the largest decentralized finance (DeFi) cyber incidents at the time. The first hack occurred on April 8, 2021, when Spalletta exploited the protocol’s reward distribution system to withdraw roughly $1.4 million in funds, the indictment alleges. Subsequently, he extorted Uranium to allow him to keep approximately $386,000 of the funds as a fake bug bounty reward and returned roughly $1 million to the crypto exchange. On April 28, Spalletta exploited another smart contract vulnerability in Uranium to withdraw more funds than he should have been allowed to. The bug allowed him to steal approximately $53.3 million in cryptocurrency across 26 Uranium liquidity pools, effectively draining the exchange and causing it to shut down.Advertisement. Scroll to continue reading. According to the indictment, Spalletta laundered the funds through a series of cryptocurrency transactions, including using the crypto mixer Tornado Cash. The US sanctioned the mixer in 2022 for being a hub for laundering stolen funds, but lifted the sanctions in March last year. Spalletta used the laundered money to purchase collectible items, such as Magic Cards, Pokémon Cards, and antique Roman coins, collectively worth millions. In February last year, US law enforcement announced the seizure of approximately $31 million in cryptocurrency that Spalletta had fraudulently obtained from Uranium. The funds had been converted into various virtual currencies and stored in dormant wallets for roughly three years before being moved again in 2024. Spalletta, who surrendered himself, was charged with computer fraud and money laundering. If found guilty, he could be sentenced to 10 years in prison for fraud and 20 years in prison for money laundering. Related: Alleged RedLine Malware Administrator Extradited to US Related: Russian Cybercriminal Gets 2-Year Prison Sentence in US Related: US Shuts Down Crypto Exchange E-Note, Charges Russian Administrator Related: DeFi Protocol Balancer Starts Recovering Funds Stolen in $128 Million Heist Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire TeamPCP Moves From OSS to AWS EnvironmentsCrewAI Vulnerabilities Expose Devices to HackingExploitation of Critical Fortinet FortiClient EMS Flaw BeginsStrongSwan Flaw Allows Unauthenticated Attackers to Crash VPNsLloyds Data Security Incident Impacts 450,000 IndividualsHuskeys Emerges From Stealth With $8 Million in FundingRussian APT Star Blizzard Adopts DarkSword iOS Exploit KitTelnyx Targeted in Growing TeamPCP Supply Chain Attack Latest News FBI Warns of Data Security Risks From China-Made Mobile AppsWebinar Today: Agentic AI vs. Identity’s Last Mile ProblemAxios NPM Package Breached in North Korean Supply Chain AttackGoogle Addresses Vertex Security Issues After Researchers Weaponize AI AgentsCensys Raises $70 Million for Internet Intelligence PlatformThe Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t TrustStolen Logins Are Fueling Everything From Ransomware to Nation-State CyberattacksVenom Stealer Raises Stakes With Continuous Credential Harvesting Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Securing Fragile OT in an Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Webinar: Why Automated Pentesting Alone Is Not Enough April 7, 2026 Join our live diagnostic session to expose hidden coverage gaps and shift from flawed tool-level evaluations to a comprehensive, program-level validation discipline. Register People on the MoveModerna has promoted Farzan Karimi to Deputy Chief Information Security Officer.Brian Goldfarb has been appointed Chief Marketing Officer at SentinelOne.Token has appointed Katy Nelson as Chief Revenue Officer.More People On The MoveExpert Insights The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust Data integrity shouldn’t be seen only through the prism of a technical concern but also as a leadership issue. (Steve Durbin) Why Agentic AI Systems Need Better Governance – Lessons from OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) The Human IOC: Why Security Professionals Struggle with Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How to 10x Your Vulnerability Management Program in the Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) SIM Swaps Expose a Critical Flaw in Identity Security SIM swap attacks exploit misplaced trust in phone numbers and human processes to bypass authentication controls and seize high-value accounts. (Torsten George) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• malware — Tornado Cash