A U.S. citizen has been formally charged for allegedly breaching the decentralized cryptocurrency platform Uranium Finance, forcing it to cease operations. The accused, Jonathan Spalletta, 36, of Rockville, Maryland, reportedly took advantage of vulnerabilities in the platform’s smart contracts on two occasions in 2021, resulting in one of the most significant decentralized finance (DeFi) cyber incidents at that time.
Details of the Alleged Incidents
The first breach, according to the indictment, took place on April 8, 2021. Spalletta is accused of manipulating the platform’s reward distribution mechanism to siphon off approximately $1.4 million. Following this, he purportedly used threats to get Uranium to let him keep around $386,000 under the guise of a bug bounty, while returning about $1 million to the exchange.
Later in the same month, on April 28, Spalletta allegedly exploited another flaw within Uranium’s smart contract infrastructure, enabling him to withdraw excessive funds unlawfully. This second exploit reportedly allowed him to drain nearly $53.3 million in cryptocurrency from 26 different liquidity pools, leading to the exchange’s shutdown.
Money Laundering and Asset Purchases
The indictment further details how Spalletta allegedly laundered the stolen assets through multiple cryptocurrency transactions. One of the methods involved using Tornado Cash, a crypto mixer that was sanctioned by the U.S. in 2022 due to its role in laundering illicit funds, although the sanctions were subsequently lifted in March of the previous year.
Spalletta is said to have converted the laundered funds into various virtual currencies and spent them on collectible items, including Magic cards, Pokémon cards, and ancient Roman coins, with a combined value in the millions.
Law Enforcement Actions and Legal Proceedings
In February of the prior year, U.S. authorities announced the recovery of approximately $31 million worth of cryptocurrency that Spalletta had allegedly obtained through fraudulent means from Uranium. These funds had been stored in inactive wallets for nearly three years before being moved once more in 2024.
Following his surrender, Spalletta has been charged with computer fraud and money laundering. If he is convicted, he could face up to 10 years in prison for the fraud charge and a potential 20-year sentence for money laundering.
This case highlights the ongoing challenges within the DeFi space, emphasizing the need for enhanced security measures to prevent similar incidents in the future.
