US authorities unsealed an indictment on March 30, 2026, charging Jonathan Spalletta, a 36-year-old from Rockville, Maryland, with exploiting vulnerabilities in Uranium Finance, a decentralized finance (DeFi) exchange on BNB Chain, resulting in the theft of $54 million in April 2021. The case revives a long-dormant investigation after a $31 million cryptocurrency seizure in early 2025. Prosecutors from the Southern District of New York (SDNY) describe two distinct attacks that drained the platform’s liquidity and led to its collapse.
Spalletta, also known online as “Cthulhon” and “Jspalletta,” surrendered to authorities following the charges. He faces one count of computer fraud (up to 10 years) and one count of money laundering (up to 20 years), totaling a potential 30-year sentence. The US Attorney’s Office emphasized the role of blockchain analytics in tracing funds across mixers and exchanges.
Details of the Exploits
The first attack occurred between April 6 and 8, 2021, when attackers abused Uranium Finance’s reward distribution system, draining about $1.4 million in tokens; roughly $1 million was later returned. A larger second exploit on April 28, 2021, targeted a coding error in 26 liquidity pools, siphoning $53.3 million. These smart contract flaws allowed unauthorized withdrawals, crippling the yield farming protocol.
Uranium Finance, a Binance Smart Chain-based DeFi platform, shut down after the hack, having exhausted its reserves. Investigators used tools from firms like TRM Labs and Chainalysis to follow the trail, linking on-chain activity to Spalletta via KYC data from exchanges. The stolen funds paid for purchases of high-value items like Pokémon cards and Roman coins.
Investigation and Seizure
The case gained traction in February 2025 when SDNY and Homeland Security Investigations (HSI) San Diego seized $31 million in crypto tied to the hacks, aided by blockchain intelligence. This recovery disrupted illicit flows nearly four years later, highlighting law enforcement’s improving capabilities in crypto tracing. The FBI and DOJ collaborated, analyzing multi-chain transactions and mixer usage.
No official statement from Uranium Finance appears in records, as the project ceased operations. Spalletta’s indictment summary details deliberate exploitation, not random errors. Federal filings stress the systematic breach across multiple accounts.
Legal Charges and Statements
Key Charges:
- Computer fraud: Intentional unauthorized access and damage to protected systems.
- Money laundering: Concealing proceeds via mixers, exchanges, and asset conversions.
SDNY U.S. Attorney Damian Williams stated: “This indictment demonstrates our commitment to holding accountable those who exploit DeFi vulnerabilities for profit.” The charges signal maturing U.S. responses to blockchain crimes, per DOJ releases. Maximum penalties underscore severity, though sentencing depends on plea or trial outcomes.
Spalletta’s legal team has not commented publicly. Some details in the court documents remain sealed, but the unsealed portions affirm the sufficiency of the evidence. Arraignment follows surrender.
Broader Implications for DeFi
This prosecution marks a milestone in crypto enforcement, reviving a 2021 case via asset recovery. It exposes persistent DeFi risks like smart contract bugs, urging audits and bug bounties. Regulators may cite it in pushing KYC for platforms.
Industry experts note that blockchain forensics is becoming more effective, which deters exploits. Uranium’s fall underscores liquidity risks in yield platforms.
Victim and Ecosystem Impact
Users lost millions in BEP-20 tokens; the protocol’s reward system incentivized farming before the collapse. No details on victim restitution are available yet, but the seizures offer hope. DeFi TVL dipped after the hack, per 2021 data.