U.S. prosecutors have charged a Maryland man with stealing more than $53 million after hacking the Uranium Finance crypto exchange twice and laundering the proceeds through a cryptocurrency mixer.
36-year-old Jonathan Spalletta (known online as “Cthulhon” and “Jspalletta”) appeared in court before U.S. Magistrate Judge Ona T. Wang after surrendering to law enforcement on Monday.
Spalletta hacked the decentralized cryptocurrency exchange Uranium (which operated as an automated market maker similar to Uniswap) in April 2021, forcing the company to shut down due to a lack of funds after he stole roughly $53.3 million worth of cryptocurrency.
“As alleged, Jonathan Spalletta repeatedly hacked smart contracts to steal millions of dollars’ worth of other people’s money for himself, and destroyed a cryptocurrency exchange in the process,” said U.S. Attorney Jay Clayton.
“In describing his alleged ‘heist,’ Spalletta told another person ‘Crypto is just fake internet money anyway.’ Stealing from a crypto exchange is stealing—the claim that ‘crypto is different’ doesn’t change that. For the victims, there is nothing different about having your money taken. Spalletta cost real victims real losses of tens of millions of dollars, and now he is under real arrest.”
According to the unsealed indictment, the defendant carried out two separate attacks. During the first breach, on April 8, Spalletta exploited a flaw in Uranium’s smart contract code, abusing the AmountWithBonus variable to issue zero-token withdrawal commands that forced the exchange to pay out rewards he was not entitled to receive, draining the liquidity pool of roughly $1.4 million.

Spalletta then extorted Uranium into assigning nearly $386,000 of the stolen funds as a sham “bug bounty” in exchange for returning the remainder to the exchange.
Three weeks later, on April 28, he struck again, exploiting a separate single-character coding error that caused Uranium’s transaction-verification logic to use 1,000 where it should have used 10,000.
This allowed Spalletta to withdraw nearly 90% of the assets held across 26 separate liquidity pools while depositing effectively zero tokens, netting him roughly $53.3 million (the vast majority of Uranium’s holdings) and forcing the exchange to shut down immediately.
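To see why a 1,000-for-10,000 slip lets a swap take almost everything while putting almost nothing in, the following added example models a Uniswap v2 style pair invariant, the design the article says Uranium followed. It is constructed for this page and is not Uranium’s contract code: the fee value, the function names and the pool sizes are assumptions. The check scales fee-adjusted balances by 10,000 (basis points) on the left and the reserve product by `k_factor` squared on the right; with `k_factor` mistakenly set to 1,000 the right side is 100 times too small, so the product of the remaining balances may fall to 1/100 of the original, which is exactly a 90% withdrawal from each side of the pool.

```python
"""Toy model of a Uniswap v2 style swap invariant whose two sides are scaled
by different constants. Constructed illustration for this article; this is
NOT Uranium Finance's contract code, and the fee and pool sizes are assumed."""

SCALE_BPS = 10_000   # fee-adjusted balances are expressed in basis points
FEE_BPS = 16         # assumed swap fee of 0.16% (hypothetical value)


def invariant_holds(reserve0: int, reserve1: int, k_factor: int,
                    amount0_out: int, amount1_out: int,
                    amount0_in: int, amount1_in: int) -> bool:
    """Return True if the pair's K check would accept this swap.

    balance * SCALE_BPS - amount_in * FEE_BPS mirrors the fee-adjusted balance
    of a v2-style pair. The reserve product on the right must be scaled by the
    SAME constant squared; passing k_factor=1000 reproduces the mismatch the
    indictment describes (1,000 where 10,000 was intended).
    """
    # Optimistic transfer out, then the caller's deposit lands.
    balance0 = reserve0 - amount0_out + amount0_in
    balance1 = reserve1 - amount1_out + amount1_in
    if balance0 < 0 or balance1 < 0:
        return False
    adjusted0 = balance0 * SCALE_BPS - amount0_in * FEE_BPS
    adjusted1 = balance1 * SCALE_BPS - amount1_in * FEE_BPS
    # Correct form: k_factor == SCALE_BPS. Vulnerable form: k_factor == 1000.
    return adjusted0 * adjusted1 >= reserve0 * reserve1 * k_factor ** 2


def max_drain_permille(reserve0: int, reserve1: int, k_factor: int) -> int:
    """Largest share (in thousandths) of BOTH reserves that a single swap can
    withdraw while depositing only one wei of each token."""
    for permille in range(999, -1, -1):
        out0 = reserve0 * permille // 1000
        out1 = reserve1 * permille // 1000
        if invariant_holds(reserve0, reserve1, k_factor, out0, out1, 1, 1):
            return permille
    return 0


if __name__ == "__main__":
    # Constructed pool: one million of each token with 18 decimals.
    r0 = r1 = 1_000_000 * 10**18
    print("mismatched factor 1,000:  drain %.1f%%" % (max_drain_permille(r0, r1, 1_000) / 10))
    print("matching factor 10,000:   drain %.1f%%" % (max_drain_permille(r0, r1, 10_000) / 10))
```

The practical lesson is that the two sides of an invariant must be derived from one named constant, and a unit test that attempts to withdraw with a one-wei deposit (as `max_drain_permille` does) catches the mismatch before deployment; the left and right scaling factors are otherwise easy to drift apart in a one-character edit.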
Spalletta laundered the stolen crypto assets across multiple decentralized exchanges and through the Tornado Cash cryptocurrency mixer, and spent the proceeds on a range of items, including a “Black Lotus” Magic: The Gathering card for roughly $500,000, 18 sealed packs of Alpha Booster Magic cards for around $1.5 million, a first-edition complete Pokémon base set for roughly $750,000, and an ancient Roman coin commemorating Julius Caesar’s assassination for over $601,000.
In February 2025, law enforcement seized the collectibles from his residence under a court-authorized search warrant and recovered roughly $31 million in cryptocurrency from wallets linked to Spalletta.
Spalletta now faces up to 10 years in prison on a computer fraud count and up to 20 years if found guilty of money laundering.