Ethical Hacking News
A U.S. man has been charged with stealing $53 million from a crypto exchange by exploiting vulnerabilities in its smart contract code. Jonathan Spalletta, also known as "Cthulhon" and "Jspalletta," allegedly drained approximately $1.4 million from the exchange's liquidity pool in a first attack and netted approximately $53.3 million in a second, then laundered the proceeds through a cryptocurrency mixer. He now faces up to 10 years in prison on a computer fraud count and up to 20 years if found guilty of money laundering.
Jonathan Spalletta, also known as "Cthulhon" and "Jspalletta," has been charged with stealing over $53 million from the Uranium Finance crypto exchange. Spalletta exploited vulnerabilities in the exchange's smart contract code to carry out two separate attacks, resulting in significant losses for victims. The defendant laundered the stolen cryptocurrency through a cryptocurrency mixer called Tornado Cash before selling it to purchase luxury items. Law enforcement has recovered approximately $31 million in cryptocurrency from wallets linked to Spalletta, representing a substantial portion of the stolen funds. Spalletta faces up to 10 years in prison on a computer fraud count and up to 20 years if found guilty of money laundering.
In a shocking revelation, U.S. prosecutors have charged a Maryland man, Jonathan Spalletta, also known as "Cthulhon" and "Jspalletta," with stealing more than $53 million from the Uranium Finance crypto exchange by exploiting vulnerabilities in its smart contract code. This brazen cybercrime, which took place in April 2021, has left the cryptocurrency world reeling and raises concerns about the security of decentralized exchanges.
Spalletta's modus operandi was to repeatedly hack into the Uranium exchange, forcing it to shut down due to a lack of funds after stealing approximately $53.3 million worth of cryptocurrency. This amount is significant, not only for its monetary value but also for the devastating impact on real victims who lost tens of millions of dollars.
U.S. Attorney Jay Clayton said the alleged hacking resulted in the loss of millions of dollars' worth of cryptocurrency. The attorney emphasized that stealing from a crypto exchange is equivalent to stealing real money and that Spalletta's actions cost victims real losses. This highlights the gravity of the situation and underscores the need for robust security measures in the cryptocurrency industry.
According to the unsealed indictment, Spalletta carried out two separate attacks on the Uranium Finance exchange. The first breach occurred on April 8, when he exploited a flaw in the smart contract code to issue zero-token withdrawal commands that forced the exchange to pay rewards he was not entitled to receive. This resulted in approximately $1.4 million being drained from the liquidity pool.
Spalletta then attempted to extort the Uranium Finance exchange into assigning nearly $386,000 of the stolen funds as a sham "bug bounty" in exchange for returning the remainder to the crypto-exchange. The second breach took place three weeks later, on April 28, when he exploited a separate single-character coding error that caused the transaction-verification logic to use 1,000 instead of 10,000.
This allowed Spalletta to withdraw nearly 90% of the assets held across 26 separate liquidity pools while depositing effectively zero tokens. This resulted in him netting approximately $53.3 million and forcing the crypto exchange to shut down immediately.
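The scaling mismatch described above can be caught by a simple audit property: a swap that the verification step accepts must never lower the pool's product. The following is an added example, not the exchange's contract code; it assumes a simplified constant-product pool, and the function names, fee value, pool size and trial swaps are all constructed for illustration.

```python
# Added illustration: a simplified constant-product pool model (assumption),
# not the exchange's contract code. All names and numbers are constructed.

BALANCE_SCALE = 10_000   # factor applied to post-swap balances
FEE_UNITS = 16           # hypothetical swap fee, in units of 1/BALANCE_SCALE


def swap_passes_check(reserves, amount_in, amount_out, reserve_scale):
    """Return True if the verification step would accept the swap.

    reserves is (r0, r1) before the swap; amount_in is paid in token0 and
    amount_out is taken in token1. reserve_scale is the factor applied to
    the pre-swap reserves; it must equal BALANCE_SCALE for both sides of
    the comparison to be in the same units.
    """
    r0, r1 = reserves
    adj0 = (r0 + amount_in) * BALANCE_SCALE - amount_in * FEE_UNITS
    adj1 = (r1 - amount_out) * BALANCE_SCALE
    return adj0 * adj1 >= r0 * r1 * reserve_scale ** 2


def invariant_violations(reserves, reserve_scale, trials):
    """Audit property: an accepted swap must never lower r0 * r1.

    Returns the (amount_in, amount_out) pairs that the check accepted even
    though the pool's product dropped.
    """
    r0, r1 = reserves
    bad = []
    for amount_in, amount_out in trials:
        if not swap_passes_check(reserves, amount_in, amount_out, reserve_scale):
            continue
        if (r0 + amount_in) * (r1 - amount_out) < r0 * r1:
            bad.append((amount_in, amount_out))
    return bad


# Constructed pool and trial swaps: a deposit of 1 against growing withdrawals.
POOL = (1_000_000, 1_000_000)
TRIALS = [(1, out) for out in (0, 100_000, 500_000, 900_000)]

if __name__ == "__main__":
    print("reserve scale 10,000:", invariant_violations(POOL, 10_000, TRIALS))
    print("reserve scale  1,000:", invariant_violations(POOL, 1_000, TRIALS))
```

With matching constants the property holds for every trial; with 1,000 on the reserve side the check is 100 times too lenient, and the property test reports each accepted swap that shrank the pool.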
After draining the assets, Spalletta laundered the stolen cryptocurrency through a cryptocurrency mixer called Tornado Cash. He used these proceeds to purchase an array of luxury items, including a "Black Lotus" Magic: The Gathering card for roughly $500,000, 18 sealed packs of Alpha Booster Magic cards for around $1.5 million, and a first-edition complete Pokémon base set for approximately $750,000.
However, in February 2025, law enforcement seized the collectibles from his residence under a court-authorized search warrant and recovered approximately $31 million in cryptocurrency from wallets linked to Spalletta. This recovery is significant, as it represents a substantial portion of the stolen funds that were once laundered through various means.
Spalletta now faces up to 10 years in prison on a computer fraud count and up to 20 years if found guilty of money laundering. His arrest highlights the need for increased awareness about cybersecurity risks in the cryptocurrency industry and underscores the importance of robust security measures, including regular audits and vulnerability testing.
The case also serves as a cautionary tale for individuals who engage in illicit activities online. Spalletta's brazen hacking scheme was eventually exposed, and he is now facing serious consequences for his actions.
In conclusion, this high-profile case demonstrates the need for vigilance and robust security measures in the cryptocurrency industry. It serves as a reminder that even the most seemingly secure exchanges can be vulnerable to exploitation if not properly audited or tested. As the cryptocurrency landscape continues to evolve, it is essential for individuals and businesses alike to prioritize cybersecurity awareness and investment.
Related Information:
https://www.ethicalhackingnews.com/articles/Hacking-the-Crypto-System-The-53-Million-Heist-at-Uranium-Finance-ehn.shtml
https://www.bleepingcomputer.com/news/security/hacker-charged-with-stealing-53-million-from-uranium-crypto-exchange/
https://www.justice.gov/usao-sdny/pr/maryland-man-charged-defrauding-crypto-exchange-over-50-million-hacks
Published: Tue Mar 31 05:37:16 2026 by llama3.2 3B Q4_K_M