Uranium Finance Hack: Alleged Hacker Faces 30-Year Prison Term, $54M

US authorities have unsealed an indictment against a Maryland man accused of carrying out two separate hacks against Uranium Finance, a now-defunct DeFi platform that lost more than $54 million in April 2021. The case, brought by the U.S. Attorney’s Office for the Southern District of New York, contends that Jonathan Spalletta exploited smart contracts to siphon funds from Uranium Finance, prompting the project to shutter after it exhausted its liquidity.

Spalletta surrendered to authorities on Monday and faces criminal charges that prosecutors say reflect real-world consequences for crypto-enabled crime. In a statement, U.S. Attorney Jay Clayton underscored that crypto does not shield criminals from accountability, saying that “Stealing from a crypto exchange is stealing—the claim that crypto is different does not change that.” He added that victims suffered tens of millions in losses and that the case demonstrates that the law applies to digital assets just as it does to traditional financial crime.

Uranium Finance was a BNB Chain fork of Uniswap that launched in April 2021 during the market rally. After the second attack, the platform’s website was taken offline, leaving investors without clear answers about the status of funds. The case adds to a broader narrative about enforcement actions in the DeFi space, where smart-contract exploits have become a recurring threat.

According to authorities, Spalletta’s actions exploited weaknesses in Uranium Finance’s smart contracts. The early breach prompted a private settlement that resulted in the return of almost all stolen funds from the first attack, with about $386,000 remaining unrecovered.

Two breaches in the same month brought Uranium Finance to a halt. The first occurred on April 8, 2021, when a hacker withdrew far more rewards in cryptocurrency than they were authorized to receive. The second hack, occurring later in April, exploited an error in Uranium’s withdrawal-limit logic that governed 26 separate liquidity pools, allowing the attacker to siphon approximately $53.3 million in crypto, including BTC, ETH, and the platform’s native U92 token.

The U.S. Attorney’s Office notes that prosecutors recovered and reviewed material seized during the investigation, including items tied to the suspect’s residence. Prosecutors alleged that the stolen funds were later used to purchase collectibles, such as Pokémon cards, antique Roman coins, and even a fabric connected to the Wright brothers’ original airplane. These items were identified during a search conducted in connection with the case.

Earlier coverage noted that authorities had seized $31 million in cryptocurrency tied to the Uranium Finance hack in February 2022, though authorities did not disclose additional details at the time. Spalletta has been charged with one count of computer fraud and one count of money laundering, both carrying substantial potential penalties. He is scheduled to appear before a U.S. magistrate for arraignment and to receive formal charges.

The case sits within a broader landscape in which cybercrime watchdogs estimate that 2021 saw more than $2.6 billion in losses from hacks and exploits across crypto networks. The Solar Network-style scale of some breaches, such as the notable Poly Network incident in 2020, has intensified calls for clearer regulatory guardrails and stronger security standards in the DeFi ecosystem. As enforcement actions unfold, investors and developers alike are watching how prosecutors handle evidence, asset tracing, and recovery efforts in cases involving mixed digital-physical crime narratives.

For the industry, the Spalletta case underscores the continued risk inherent in DeFi protocols that rely on complex smart contracts. It also serves as a reminder that illicit activity connected to crypto can leave tangible, ongoing consequences for victims and communities, even when funds are eventually identified or recovered in part. Regulators and prosecutors are likely to scrutinize exploitation vectors, wallet tracing, and asset recovery strategies more closely as cases like this proceed.

Key takeaways

Indictment and charges: Jonathan Spalletta is charged with computer fraud and money laundering in connection with two Uranium Finance hacks, with potential decades-long sentences if convicted. He surrendered to authorities and is set to appear before a U.S. magistrate.

Scope of the breaches: Uranium Finance suffered two hacks in April 2021 that together depleted more than $54 million. The second attack alone targeted $53.3 million across 26 liquidity pools, including major assets such as BTC and ETH, as well as the platform’s U92 token.

First breach and settlement: The April 8 incident saw a hacker siphon rewards far beyond authorization, and a private settlement later returned all but roughly $386,000 of the stolen funds.

Post-hack seizures and proceeds: Authorities previously seized about $31 million tied to the Uranium Finance hack in 2022, with limited public detail at the time. Prosecutors say stolen assets showed up in various purchases, including collectibles and historical items.

Indictment and charges

The SDNY filing outlines two counts against Spalletta: computer fraud and money laundering. If convicted, those counts can carry significant prison time in addition to potential fines. The upcoming arraignment will determine the formal charges and next steps in the prosecution path. The case illustrates a broader trend where authorities treat crypto-enabled fraud with traditional prosecutorial rigor, insisting that crimes in the digital asset space have real-world legal consequences.

The Uranium Finance hacks in context

Uranium Finance emerged as a BNB Chain fork of Uniswap, entering the market amid a broader DeFi expansion in 2021. Its rapid ascent was overshadowed by a pair of high-profile incidents that raised questions about the resilience and governance of early DeFi projects. The second exploit, in particular, highlighted how vulnerabilities in withdrawal-limit logic can affect numerous pools and route large sums of user funds through compromised contracts. As these episodes unfolded, Uranium Finance ultimately shuttered, leaving investors with modest clarity about asset recovery and redress.

From a regulatory and enforcement perspective, the case adds momentum to efforts to establish clear accountability in DeFi, where automated protocols operate at the cross-section of finance and code. Critics have long argued that the lack of standardized security practices and custodial controls in DeFi creates a regulatory blind spot. Prosecutions like this one may push projects toward stronger security auditing, rigorous incident response planning, and more transparent disclosure practices to reduce risk for users and investors.

Looking ahead, market participants will be watching how prosecutors pursue asset recovery, how the defense frames the technicalities of smart-contract exploitation, and how these cases influence protocol design and governance models. The Spalletta indictment serves as a tangible signal that the line between digital and traditional crime is being policed with increasingly conventional legal tools—tools that carry real-world consequences for those who profit from exploiting decentralized finance systems.

As the investigation progresses, readers should monitor forthcoming court filings and any additional statements from the SDNY. The outcome could inform future enforcement priorities, guide risk assessment for DeFi protocols, and shape how investors evaluate security postures in a rapidly evolving crypto landscape.

This article was originally published as Uranium Finance Hack: Alleged Hacker Faces 30-Year Prison Term, $54M on Crypto Breaking News – your trusted source for crypto news, Bitcoin news, and blockchain updates.