U.S. authorities have charged Jonathan Spalletta with exploiting smart contract vulnerabilities at decentralized exchange Uranium Finance, leading to a $53 million theft that collapsed the platform. Prosecutors allege he later laundered funds through mixers and purchased high-value collectibles. An expert notes the case challenges the notion that “code is law,” showing courts are scrutinizing the legality of such exploits.
A Maryland man faces charges for allegedly draining over $53 million from Uranium Finance through two smart contract exploits in 2021. Federal prosecutors stated that Jonathan Spalletta carried out the attacks, which left the decentralized exchange unable to operate.
The first alleged attack in April 2021 exploited a bug to drain approximately $1.4 million. Spalletta later wrote to an individual, “I did a crypto heist of $1.5MM… Crypto is all fake internet money anyway,” according to the indictment.
After the initial incident, Spalletta returned most of the funds but kept about $386,000 under what authorities call a sham “bug bounty.” Weeks later, he allegedly exploited another flaw across 26 liquidity pools, obtaining about $53.3 million in cryptocurrency.
Authorities say Spalletta laundered around $26 million through Tornado Cash between 2021 and 2023. The funds were used to purchase rare collectibles, including Magic cards and a Wright brothers artifact, as detailed in court documents.
Last year, law enforcement seized approximately $31 million in crypto linked to the case. U.S. Attorney Damian Williams emphasized that “Stealing from a crypto exchange is stealing—the claim that ‘crypto is different’ does not change that.”
Angela Ang of TRM Labs noted the case tests the legal boundaries of smart contract exploits. “Exploiting smart contract vulnerabilities may be technically possible, but that doesn’t mean that courts will view it as legally permissible,” she said.
