A Maryland man has been indicted for one of DeFi's most damaging early exploits — the 2021 hack of Uranium Finance that drained more than $50 million and permanently shuttered the exchange.

Jonathan Spalletta, 36, of Rockville, Maryland, surrendered Monday in Manhattan and faces one count of computer fraud and one count of money laundering, according to an indictment unsealed by the Southern District of New York.

How the Hack Unfolded

Uranium Finance was a decentralized exchange built on BNB Chain. Prosecutors say Spalletta first exploited a flaw in the protocol's rewards mechanism on April 8, 2021, walking away with roughly $1.4 million. He then negotiated a sham "bug bounty" with the team to keep $386,000 of it. Days later, he returned and executed a far larger attack, draining over $50 million in BNB, BUSD, and other assets. The platform never recovered.

In a message to an associate, Spalletta allegedly wrote: "I did a crypto heist… Crypto is all fake internet money anyway."

Where the Money Went

Spalletta is accused of laundering proceeds through Tornado Cash before spending millions on rare collectibles:

  • A Black Lotus Magic: The Gathering card for ~$500,000
  • 18 sealed Alpha MTG booster packs for ~$1.5 million
  • First-edition Pokémon sets worth over $1 million
  • A Roman "Eid Mar" coin commemorating the assassination of Julius Caesar for ~$601,500

U.S. law enforcement seized approximately $31 million in crypto tied to the exploit in February 2025 — the first time a defendant was publicly linked to the case. Monday's indictment closes the loop five years after the original exploit.

The case is a reminder that DeFi crime from the 2021 boom era is still being unwound — and that physical collectibles are not a reliable exit from blockchain forensics.