Exploiter charged for $53.3M Uranium Finance smart contract heist via code flaws and mixer laundering

2 unique sources, 2 articles

Summary

A Maryland man, Jonathan Spalletta (aka "Cthulhon"), has been charged with orchestrating two smart contract heists against the Uranium Finance decentralized exchange (DEX) in April 2021, stealing approximately $53.3 million in cryptocurrency. The suspect surrendered to law enforcement and appeared in court, where prosecutors alleged he exploited code flaws in Uranium Finance's AMM contracts to drain the exchange's assets, forcing it into insolvency. Proceeds were laundered through Tornado Cash and partially spent on high-value collectibles before law enforcement recovered approximately $31 million in cryptocurrency and seized assets in February 2025. The first breach on April 8, 2021, involved manipulating the AmountWithBonus variable to issue unauthorized zero-token withdrawals, draining about $1.4 million, which he partially extorted back as a sham bug bounty. The second attack on April 28, 2021, exploited a single-character error in transaction-verification logic, allowing him to withdraw 90% of the DEX's assets across 26 liquidity pools while depositing negligible value.

Timeline

  1. 31.03.2026 12:15 · 2 articles

    Uranium Finance smart contract heists in April 2021 linked to $53.3M theft and subsequent laundering

    Prosecutors allege Jonathan Spalletta surrendered to law enforcement and appeared in court following charges related to the April 2021 attacks. Authorities reiterate that he exploited flaws in Uranium Finance's AMM smart contract code, including a rewards calculation flaw and a transaction-verification logic error, to drain $1.4 million in the first breach and nearly 90% of assets ($53.3 million) across 26 liquidity pools in the second breach. The exchange shut down due to insolvency. Proceeds were laundered via Tornado Cash and partially spent on rare collectibles, including trading cards and an ancient coin. In February 2025, law enforcement seized collectibles from Spalletta's residence and recovered approximately $31 million in cryptocurrency linked to the case. Prosecutorial statements emphasize the impact on the DEX and the legal consequences if convicted.

Similar Happenings

DeFi Exploit Drains $9 Million from Yearn Finance

A critical exploit targeting Yearn Finance's yETH pool on Ethereum has resulted in the theft of approximately $9 million. The attack abused a flaw in the protocol's internal accounting, where a cache containing calculated values to save on gas fees was never cleared when the pool was emptied. The attacker minted an astronomical number of tokens—235 septillion yETH—while depositing only 16 wei, worth approximately $0.000000000000000045. This represents one of the most capital-efficient exploits in DeFi history. The exploit highlights the risks associated with gas optimization techniques in DeFi protocols and the potential for significant financial losses due to unaddressed vulnerabilities.