Uranium hack case revives DeFi reckoning

 

Federal prosecutors have charged a Maryland man with carrying out two 2021 attacks on Uranium Finance that drained more than $53 million from the decentralised crypto exchange, a case that is drawing fresh attention to long-running weaknesses in decentralised finance and to the growing ability of authorities to follow money through blockchain networks.

The accused, Jonathan Spalletta, 36, of Rockville, Maryland, surrendered on March 30 after an indictment was unsealed in the Southern District of New York. Prosecutors allege that he used flaws in Uranium Finance’s smart contracts to extract about $1.4 million in a first attack on April 8, 2021, then struck again on April 28, obtaining roughly $53.3 million across 26 liquidity pools. The larger exploit, according to the indictment, left the platform without enough funds to continue operating.

U.S. authorities have charged him with one count of computer fraud and one count of money laundering. If convicted, he faces a maximum sentence of 10 years on the fraud charge and 20 years on the laundering charge, though any sentence would be determined by a judge. The case has been assigned to U.S. District Judge Jed S. Rakoff, while Spalletta first appeared before Magistrate Judge Ona T. Wang.

Prosecutors say the case goes beyond a technical exploit and amounts to a straightforward theft operation dressed in the language of crypto experimentation. The indictment alleges that after the first hack, most of the funds were returned, but that Spalletta kept about $386,000 under what prosecutors described as a sham bug bounty arrangement. In the second incident, they say he exploited an error in the contract’s withdrawal logic, allowing him to take vastly more tokens than he was entitled to receive.

The laundering allegations are central to the prosecution. Court papers and follow-up reporting say the stolen proceeds were moved through Tornado Cash and other decentralised services, then routed across wallets and blockchains in an effort to hide their origin. Authorities and blockchain investigators were nevertheless able to trace a significant share of the funds, leading to the seizure of about $31 million in cryptocurrency in February 2025, nearly four years after the attacks.

What makes the case notable is not only the scale of the alleged theft but also the passage of time. DeFi’s boom years created an assumption in some corners of the market that code flaws existed in a grey zone between aggressive trading and criminal conduct. That argument has been tested repeatedly as regulators, prosecutors and private investigators have become more comfortable treating some smart-contract exploits as fraud, particularly where there is evidence of concealment, laundering and personal enrichment.

Uranium Finance was a Binance Smart Chain-based automated market maker modelled on the broader wave of decentralised exchanges that promised fast, low-cost token swaps without central intermediaries. Its collapse became one of the more striking examples of how a seemingly minor coding error could wipe out a platform in hours. TRM Labs, which assisted law enforcement, said the episode underscored the fragility of protocols built and deployed at speed during the early DeFi expansion, when projects often raced to market ahead of more rigorous controls.

The broader lesson for the sector is awkward but familiar. DeFi has spent years presenting itself as an alternative to traditional finance, built on transparency and automatic execution. Yet many of its most damaging failures have come not from hidden balance-sheet risks but from exposed software weaknesses, patchy governance and overconfidence in unaudited or lightly tested code. The Uranium case does not stand alone; it fits a pattern in which attackers exploited small logic errors to trigger outsized losses, then relied on mixers, cross-chain swaps and dormant wallets to delay detection and recovery.

At the same time, the case offers a different message from the one that dominated crypto crime coverage a few years ago. Investigators are showing greater patience and sophistication in tracking stolen digital assets long after a protocol has collapsed and public attention has moved on. TRM said the Uranium seizure illustrated how forensic tracing across multiple chains can support recovery even when funds have been routed through obfuscation services and left untouched for extended periods.

For the industry, that creates a double-edged reality. Builders can point to improving law-enforcement capabilities as evidence that crypto is not beyond the reach of accountability. But the indictment also revives uncomfortable questions about whether the market absorbed the right lessons from the 2021 DeFi frenzy. Stronger audits, better controls and clearer lines between white-hat disclosure and criminal extraction have all become standard talking points. Cases such as Uranium suggest those safeguards were often written only after the money had gone.


Also published on Medium.


