U.S. prosecutors charged a Maryland man with stealing more than $53 million after he hacked the Uranium Finance crypto exchange twice and laundered the proceeds through a cryptocurrency mixer.
Jonathan Spalletta, 36 (known online as “Cthulhon” and “Jspalletta”), appeared in court before U.S. Magistrate Judge Ona T. Wang after he surrendered to law enforcement on Monday.
How the Uranium Finance Hack Unfolded
Spalletta hacked the decentralized cryptocurrency exchange Uranium, which operated as an automated market maker similar to Uniswap, in April 2021. After he stole approximately $53.3 million worth of cryptocurrency, the company was forced to shut down due to a lack of funds.
“As alleged, Jonathan Spalletta repeatedly hacked smart contracts to steal millions of dollars’ worth of other people’s money for himself, and destroyed a cryptocurrency exchange in the process,” said U.S. Attorney Jay Clayton.
“In describing his alleged ‘heist,’ Spalletta told another individual ‘Crypto is just fake internet money anyway.’ Stealing from a crypto exchange is stealing—the claim that ‘crypto is different’ does not change that. For the victims, there is nothing different about having your money taken. Spalletta cost real victims real losses of tens of millions of dollars, and now he’s under real arrest.”
According to the unsealed indictment, the defendant carried out two separate attacks. During the first breach, on April 8, Spalletta exploited a flaw in Uranium’s smart contract code. Specifically, he abused the AmountWithBonus variable to issue zero-token withdrawal commands. Consequently, he forced the exchange to pay rewards he did not earn, draining the liquidity pool of approximately $1.4 million.
Tracing stolen Uranium Finance funds (TRM Labs)
Afterward, Spalletta extorted Uranium into assigning nearly $386,000 of the stolen funds as a sham “bug bounty” in exchange for returning the remainder to the crypto exchange.
Three weeks later, on April 28, he struck again. This time, he exploited a separate single-character coding error that caused Uranium’s transaction-verification logic to use 1,000 instead of 10,000.
As a result, Spalletta withdrew nearly 90% of the assets held across 26 separate liquidity pools while depositing effectively zero tokens. Ultimately, he netted approximately $53.3 million, representing the overwhelming majority of Uranium’s holdings, and forced the crypto exchange to shut down immediately.
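The following added example (not code from the indictment or from Uranium) models how a 1,000-versus-10,000 scale mismatch of the kind described can break a swap check, and how an independent invariant test catches it. It assumes a Uniswap-v2-style constant-product check, which the article only implies by likening Uranium to Uniswap; the fee value, reserve sizes and function names are constructed.

```python
# Added illustration, not Uranium's contract code. Assumes a Uniswap-v2-style
# constant-product check; FEE_UNITS and the reserve sizes are constructed.
FEE_SCALE = 10_000   # balances are multiplied by this before the fee is taken off
FEE_UNITS = 16       # hypothetical swap fee, in units of 1/FEE_SCALE


def check_passes(reserves, balances, amounts_in, rhs_scale):
    """Contract-side check: fee-adjusted balance product vs. scaled reserve product."""
    adj0 = balances[0] * FEE_SCALE - amounts_in[0] * FEE_UNITS
    adj1 = balances[1] * FEE_SCALE - amounts_in[1] * FEE_UNITS
    # Both sides must carry the same factor (FEE_SCALE squared). If rhs_scale
    # is 1,000 the right side is 100x too small and the check is far too lax.
    return adj0 * adj1 >= reserves[0] * reserves[1] * rhs_scale ** 2


def k_preserved(reserves, balances):
    """Independent invariant for tests: a swap must never shrink the reserve product."""
    return balances[0] * balances[1] >= reserves[0] * reserves[1]


def audit_scale(rhs_scale, reserves=(1_000_000, 1_000_000)):
    """Return the withdrawal percentages the check accepts although the
    invariant is violated. An empty list means the check is sound here."""
    findings = []
    for pct_out in range(0, 100, 5):
        out0 = reserves[0] * pct_out // 100
        out1 = reserves[1] * pct_out // 100
        # Constructed post-swap state: pct_out% of both tokens leaves the pool
        # while a single unit of token0 is deposited.
        balances = (reserves[0] - out0 + 1, reserves[1] - out1)
        accepted = check_passes(reserves, balances, (1, 0), rhs_scale)
        if accepted and not k_preserved(reserves, balances):
            findings.append(pct_out)
    return findings


if __name__ == "__main__":
    for scale in (FEE_SCALE, 1_000):
        print(f"rhs_scale={scale}: accepted invariant violations at {audit_scale(scale)}%")
```

With matching scales the audit finds nothing; with 1,000 on the right-hand side the check accepts withdrawals of up to 90% of both reserves, because leaving 10% of each token still satisfies a threshold that is 100 times too low.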
Laundering and Lavish Spending
Spalletta then laundered the stolen crypto assets across multiple decentralized exchanges through the Tornado Cash cryptocurrency mixer.
He spent the proceeds on a wide range of high-value items, including a “Black Lotus” Magic: The Gathering card for approximately $500,000, 18 sealed packs of Alpha Booster Magic cards for around $1.5 million, a first-edition complete Pokémon base set for roughly $750,000, and an ancient Roman coin commemorating Julius Caesar’s assassination for over $601,000.
Source: BleepingComputer, Sergiu Gatlan