US prosecutors have charged a Maryland man with stealing more than $53 million after hacking crypto exchange Uranium Finance twice and defrauding the proceeds of a cryptocurrency mixer.
Jonathan Spalletta, 36, (known online as “Cthulhon” and “Jspalletta”) appeared in court before US Magistrate Ona T. Wang after surrendering to law enforcement on Monday.
Spalletta hacked cryptocurrency exchange Uranium (which operated as an automated market maker similar to Uniswap) in April 2021, forcing the company to shut down due to cash shortages after stealing an estimated $53.3 million.
“As alleged, Jonathan Spalletta repeatedly hacked smart contracts to steal millions of dollars worth of other people’s money, and destroyed cryptocurrency exchanges in the process,” said US Attorney Jay Clayton.
“When explaining the alleged ‘fraudster,’ Spalletta told another person that ‘Crypto is a fake internet currency anyway.’ Stealing from the crypto market is stealing—the claim that ‘crypto is different’ doesn’t change that. For victims, there is nothing different about taking your money. Spalletta called the real victims the real loss of tens of millions of dollars, and now he is actually in jail. “
According to the unsealed case, the defendant committed two separate incidents. During the first breach, on April 8, Spalletta exploited a bug in Uranium’s smart contract code, abusing the AmountWithBonus variable to issue zero-token withdrawal orders that forced the exchange to pay rewards it wasn’t entitled to, wiping out an estimated $1.4 million in cash.
Spalletta then outsourced Uranium to hand over nearly $386,000 of the stolen funds as bogus “bug profits” to return the rest to the crypto-exchange.
Three weeks later, on April 28, he struck again, using a different single-character coding error that caused the Uranium transaction verification logic to use 1,000 instead of 10,000.
This allowed Spalletta to withdraw almost 90% of the assets held in all 26 different liquidity pools while depositing zero tokens, earning him about 53.3 million dollars (a staggering amount for Uranium Holdings) and forcing the crypto exchange to be shut down immediately.
Spalletta stole the stolen crypto assets from multiple cryptocurrency exchanges using the Tornado Cash cryptocurrency mixer and used the proceeds on various items, including “Black Lotus” Magic: A Collector’s Card worth approximately $500,000, 18 sealed packs of Alpha Booster Magic cards for an estimated $1-5 million with an initial base of up to Pokémon, $750,000, and an ancient coin of Rome commemorating the assassination of Julius Caesar for over $601,000.
In February 2025, law enforcement seized collections from his residence under a court-authorized search warrant and found approximately $31 million in cryptocurrency in wallets linked to Spalletta.
Spalletta now faces 10 years in prison on the computer fraud charge and up to 20 years on the money laundering charge.
Automatic logging proves that the path exists. BAS proves that your controls are stopping you. Many teams run without each other.
This white paper outlines six areas of validation, indicates where coverage ends, and provides clinicians with three diagnostic questions for any screening tool.
