US authorities have charged Jonathan Spalletta, 36, of Rockville, Maryland, with hacking Uranium Finance and prompting its shutdown after exploiting smart contract vulnerabilities on two occasions in 2021. The indictment alleges the first incident on 8 April 2021 saw him withdraw about $1.4 million, then extort Uranium to keep roughly $386,000 as a fake bug bounty while returning around $1 million.
A second attack on 28 April 2021 allowed him to steal approximately $53.3 million across 26 Uranium liquidity pools, effectively draining the exchange. Prosecutors say he laundered the proceeds through multiple crypto transactions, including the Tornado Cash mixer, which the US had sanctioned in 2022 before lifting those sanctions in March last year.
Spalletta was charged with computer fraud and money laundering, facing potential penalties of up to 10 years in prison for fraud and 20 years for money laundering if found guilty.