NEW YORK—A Maryland man surrendered to authorities on March 30, 2026, facing decades in prison for allegedly hacking the Uranium Finance decentralized exchange and stealing over $54 million. Prosecutors claim he spent the stolen cryptocurrency on an unusual array of collectibles, including rare Pokémon cards and a fragment of the Wright brothers’ airplane.
Uranium Finance Hack Leads to Major Indictment
Federal prosecutors in Manhattan have unsealed a detailed indictment against Jonathan Spalletta. The U.S. Attorney’s Office for the Southern District of New York accuses him of executing two sophisticated smart contract exploits against Uranium Finance in April 2021. These attacks drained the platform’s funds and forced it to shut down.
Also read: SEC Enforcement Chief Exit Sparks Senate Fury Over Dropped Justin Sun Fraud Case
“Stealing from a crypto exchange is stealing,” said U.S. Attorney Jay Clayton in a statement. “Spalletta cost real victims real losses of tens of millions of dollars, and now he’s under real arrest.” The case highlights the increasing focus of U.S. law enforcement on complex cryptocurrency crimes, even years after the incidents occur.
The Two Exploits That Killed an Exchange
Uranium Finance was a new project, a fork of the Uniswap protocol on the BNB Chain. Its lifespan was brutally short. According to court documents, the first attack hit on April 8, 2021, just days after launch. A flaw in a smart contract let an attacker withdraw excessive rewards. This theft totaled about $1.4 million.
Also read: Crypto 401(k) Rule Change: US Labor Department Proposes Historic Shift for Retirement Savings
The platform reportedly negotiated with the hacker, recovering most of the funds. But a second, far larger strike followed on April 28. This time, the exploit targeted a withdrawal limit error across 26 different liquidity pools. The result was a loss of $53.3 million in Bitcoin (BTC), Ether (ETH), and the platform’s native U92 tokens. The double blow was fatal. Uranium Finance’s website went dark, leaving users with few answers.
A Trail of Unusual Purchases
Authorities traced the movement of the stolen assets. Their investigation led to Spalletta’s residence, where federal agents executed a search warrant. What they seized was not just cryptocurrency. Prosecutors allege Spalletta converted digital proceeds into physical collectibles.
The list of seized items is eclectic:
- High-value Pokémon trading cards
- Antique Roman coins
- A piece of fabric from the original 1903 Wright Flyer airplane
This spending pattern suggests an attempt to move value from traceable blockchain ledgers into opaque physical assets. It’s a method law enforcement is seeing more often. “The purchase of rare, high-value tangibles is a classic step in laundering schemes,” noted a former federal investigator familiar with crypto cases. “They act as a store of value that’s harder to freeze or track.”
Charges and Potential Penalties
Spalletta faces severe federal charges. The indictment includes one count of computer fraud, which carries a maximum sentence of 10 years. He also faces one count of money laundering, with a potential 20-year term. Combined, he is looking at a theoretical maximum of 30 years behind bars.
This case is part of a broader recovery effort. In February 2025, the U.S. government seized approximately $31 million in cryptocurrency linked to the hack. That action, conducted quietly, represented a major clawback of stolen funds. The recent indictment and arrest bring the human element of the scheme to the forefront.
Context of the 2021 DeFi Hack Wave
The Uranium Finance heist was not an isolated event. 2021 was a record year for crypto exploits. According to data from blockchain security firm Chainalysis, hackers stole more than $2.6 billion that year from decentralized finance protocols and exchanges.
The scale of some attacks was staggering. For instance, the Poly Network suffered a $610 million breach in August 2021. In a unusual twist, the hacker later returned almost all the funds. The Uranium Finance case followed a more traditional criminal pattern. The 2021 environment, characterized by rapid protocol deployment and intense market speculation, created fertile ground for attackers hunting for smart contract vulnerabilities.
The Legal Precedent Being Set
This prosecution sends a clear signal. The Department of Justice is pursuing DeFi hacks with the same vigor as traditional bank robberies. The multi-year investigation demonstrates that blockchain transactions create a permanent, auditable trail. Time is not a shield.
“The message is that you can run, but the ledger doesn’t forget,” said a cybersecurity legal analyst. “An exploit in 2021 can lead to an arrest in 2026. The slow, meticulous work of following the money still applies, even in crypto.” The use of money laundering charges is particularly significant. It allows prosecutors to target not just the initial theft, but the entire process of concealing the proceeds.
Conclusion
The case against the alleged Uranium Finance hacker marks a central moment in the intersection of decentralized finance and federal law. Jonathan Spalletta faces the possibility of 30 years in prison for a series of smart contract exploits that netted over $54 million. The unusual details—funds converted into Pokémon cards and historical artifacts—underscore the novel challenges of crypto-related crime. For the victims of the Uranium Finance hack, the indictment offers a long-awaited measure of accountability. For the wider DeFi industry, it serves as a stark reminder that code-based theft is still theft in the eyes of the law.
FAQs
Q1: What was Uranium Finance?
Uranium Finance was a decentralized exchange, or automated market maker, built on the BNB Chain. It was a fork of the popular Uniswap protocol and launched in April 2021. It shut down permanently after being hacked twice in the same month.
Q2: How did the hacker steal the funds?
Prosecutors allege the hacker exploited errors in Uranium Finance’s smart contracts. The first exploit manipulated reward distribution. The second, larger attack bypassed withdrawal limits across multiple liquidity pools, allowing the thief to drain funds directly.
Q3: What are the specific charges?
Jonathan Spalletta is charged with one count of computer fraud (max 10 years) and one count of money laundering (max 20 years). The charges were filed in the U.S. District Court for the Southern District of New York.
Q4: Were any funds recovered?
Yes. In February 2025, U.S. authorities seized about $31 million in cryptocurrency connected to the hack. The recent indictment also mentions the seizure of physical collectibles allegedly bought with the stolen money.
Q5: Why is this case significant for DeFi?
This case demonstrates that U.S. law enforcement will investigate and prosecute major DeFi exploits, even years later. It establishes that stealing cryptocurrency through smart contract manipulation constitutes federal computer fraud and can lead to severe prison sentences.
This article was produced with AI assistance and reviewed by our editorial team for accuracy and quality.
Be the first to comment