A Maryland resident has been charged with multiple felonies following two high-profile exploits that targeted Uranium Finance in 2021, resulting in losses exceeding $50 million and ultimately forcing the decentralized exchange to shut down. The U.S. Department of Justice announced that Jonathan Spalletta, a 36-year-old from Rockville, faces counts of computer fraud and money laundering after authorities linked him to the attacks on the platform’s smart contracts.
Alleged exploits and their consequences for Uranium Finance
Uranium Finance operated as a decentralized exchange on the Binance Smart Chain, offering automated token swaps and liquidity pools. Launched in 2021, Uranium Finance grew rapidly by providing decentralized trading, but its reliance on smart contracts also exposed it to potential vulnerabilities.
The investigation revealed that on April 8, 2021, Spalletta executed a series of deceptive blockchain transactions that abused Uranium Finance’s smart contract system. This initial incident enabled him to extract approximately $1.4 million in cryptocurrency by bypassing transaction limits. Communications showed Spalletta boasting about exploiting a bug to siphon funds, referring to his actions as a “crypto heist.” He subsequently persuaded the exchange to let him keep over $386,000, labeling it a “bug bounty” to avoid further action.
Just weeks later, on April 28, a second exploit struck. Spalletta is accused of targeting a vulnerability in the contract governing user withdrawals, which allowed him to drain almost $53.3 million from 26 liquidity pools. The magnitude of the theft led Uranium Finance to discontinue all operations, dealing a heavy blow to the platform and its users.
Legal proceedings and rising smart contract risks
Prosecutors allege that Spalletta laundered the stolen funds through a network of cryptocurrency transactions, including the use of Tornado Cash, a well-known crypto mixer. He reportedly spent significant sums on rare collectibles and antique coins.
Federal investigators recovered about $31 million of the stolen assets in February 2025. Spalletta surrendered to authorities and is now facing a maximum sentence of 30 years in prison if convicted on both charges. The case is being managed by the Complex Frauds and Cybercrime Unit in New York.
“I did a crypto heist of $1.5MM a couple of weeks ago . . . There was a bug in a smart contract, and I exploited it . . . Crypto is all fake internet money anyway.”
US Attorney Jay Clayton emphasized that Spalletta is accused of repeatedly exploiting vulnerabilities in smart contracts to steal millions and bringing down a cryptocurrency exchange in the process.
The federal press release detailed that Spalletta faces one count of computer fraud with up to 10 years in prison, and one count of money laundering, which carries a potential 20-year maximum.
Uranium Finance’s collapse highlights ongoing vulnerabilities in the decentralized finance sector. Recent data from PeckShield indicated that crypto-related exploits caused losses over $4 billion in 2025, representing a 34% rise over the previous year. Issues within smart contracts contributed significantly to these losses, reflecting growing concerns as decentralized platforms continue to expand.
