A Maryland man has been charged with carrying out the 2021 attacks that drained more than $50 million from the Uranium Finance decentralized exchange and forced the platform to shut down, the US Department of Justice said on Monday.
Jonathan Spalletta, 36, of Rockville, Maryland, faces one count of computer fraud and one count of money laundering, according to an indictment unsealed by the Southern District of New York. The charges follow a February 2025 seizure of approximately $31 million in cryptocurrency linked to the exploit, linking a years-old DeFi case to a named defendant for the first time.
The attack on Uranium Finance emptied key funds linked to BNB, BUSD and other assets and left Uranium unable to continue trading.
Prosecutors allege that Spalletta first exploited the uranium bounty mechanism on April 8, 2021, draining approximately $1.4 million before negotiating what authorities describe as a bogus “bug bounty” that allowed him to keep about $386,000.
He later wrote to an associate: “I did a cryptocurrency theft… Anyway, cryptocurrency is fake Internet money,” according to the indictment.
Authorities allege that Spalletta laundered the proceeds through a series of transactions, including using the Tornado Cash cryptocurrency mixer, before spending the funds on high-end collectibles.
Those purchases, according to the indictment, included a Black Lotus Magic: The Gathering card for about $500,000, 18 sealed Alpha booster packs for about $1.5 million, first edition Pokémon sets worth more than $1 million, and a Roman “Eid Mar” coin commemorating the assassination of Julius Caesar for about $601,500.
Spalletta turned himself in on Monday and is expected to appear before a U.S. judge in Manhattan.
