Federal prosecutors have finally caught up with one of the most significant DeFi hacks of 2021. Jonathan Spalletta, 36, of Rockville, Maryland, has been formally charged with computer fraud and money laundering in connection with two devastating attacks on the decentralized exchange Uranium Finance.
According to the U.S. Attorney's Office for the Southern District of New York, Spalletta allegedly orchestrated a sophisticated series of exploits that drained more than $50 million in cryptocurrency from the platform — effectively destroying it in the process.
The Two-Stage Attack
Investigators from the Complex Frauds and Cybercrime Unit reconstructed a precise modus operandi, carried out in two distinct phases during April 2021.
On April 8, Spalletta allegedly manipulated Uranium Finance's smart contract to withdraw far more cryptocurrency rewards than he was authorized to receive.
"I pulled off a crypto heist for $1.5 million a couple of weeks ago... There was a bug in a smart contract and I exploited it... Crypto is just fake internet money anyway," he reportedly said.
This first exploit netted approximately $1.4 million. In a brazen follow-up, Spalletta allegedly extorted the exchange into letting him keep around $386,000 under the guise of a fraudulent "bug bounty" — in exchange for a promise not to cause further harm.
The main attack came on April 28, 2021. By exploiting a critical flaw in the smart contract governing withdrawal limits across liquidity pools, Spalletta drained 26 separate pools of assets worth an estimated $53.3 million. The loss was catastrophic enough to force Uranium Finance to shut down operations immediately and permanently.
Laundering and Lavish Spending
The stolen funds did not sit idle. Prosecutors allege that Spalletta deployed a complex laundering scheme to obscure the illicit origin of the money. Central to this strategy was the use of Tornado Cash, the crypto mixing service that has been the subject of extensive U.S. federal investigation and OFAC sanctions.
"As alleged, Jonathan Spalletta repeatedly hacked smart contracts to steal millions of dollars of other people's money for his own benefit, destroying a crypto exchange in the process," declared U.S. Attorney Jay Clayton.
Once "cleaned," the proceeds were allegedly converted into tangible assets. Spalletta reportedly went on a spending spree, acquiring rare collectibles and ancient coins. His run ended in February 2025, when federal agents seized approximately $31 million in digital assets traced back to his wallets.
A Market Under Siege
Spalletta's arrest last Monday underscores the persistent vulnerabilities within the DeFi ecosystem. The 2025 figures are alarming: according to data from PeckShield, crypto-related theft exceeded $4 billion in 2025 — a 34% year-on-year increase. Smart contract exploits, exactly like those allegedly used by Spalletta, remain the primary attack vector for cybercriminals.
"SPALLETTA, 36, of Rockville, Maryland, is charged with one count of computer fraud, which carries a maximum sentence of 10 years in prison; and one count of money laundering, which carries a maximum sentence of 20 years in prison," reads the DOJ press release.
#PeckShieldAlert 2025 has witnessed a record-breaking year for crypto-related theft, driven primarily by systemic vulnerabilities in centralized infrastructure and a strategic shift toward targeted social engineering. The total loss in 2025 exceeded $4.04B, reflecting a ~34.2%…
— PeckShieldAlert (@PeckShieldAlert) January 13, 2026
Spalletta now faces up to 30 years in federal prison. The case sends a sharp message to the broader crypto industry: while blockchain technology promises transparency, its immutable nature can become a double-edged sword when code harbors undetected vulnerabilities. U.S. law enforcement, through increasingly specialized cybercrime units, is demonstrating that on-chain anonymity is no longer a reliable shield for large-scale crypto fraud.
