Jonathan Spalletta, also known online as “Cthulhon” and “Jspalletta,” has surrendered to U.S. authorities after a federal indictment was unsealed charging him with computer fraud and money laundering. The charges stem from two separate attacks in 2021 on Uranium Finance, a decentralized exchange. Spalletta faces a maximum of 10 years on the computer fraud count and 20 years on the money laundering charge. The case has drawn attention from legal and blockchain security experts who say it signals a tougher judicial stance on decentralized finance exploits.
According to the indictment, Spalletta carried out his first attack on April 8, 2021, exploiting a bug in Uranium Finance’s rewards-tracking system to repeatedly drain a liquidity pool of roughly $1.4 million. Weeks after the incident, he allegedly wrote to another individual describing what he had done: “I did a crypto heist of $1.5MM… There was a bug in a smart contract, and I exploited it… Crypto is all fake internet money anyway.” Authorities say he subsequently returned most of those funds after negotiating with the platform, but retained approximately $386,000 under what prosecutors characterize as a fraudulent “bug bounty” arrangement.
On April 28, 2021, Spalletta allegedly carried out a far larger attack, exploiting a separate vulnerability across 26 liquidity pools and obtaining around $53.3 million in cryptocurrency. The exploit left Uranium Finance unable to continue operating. Between April 2021 and November 2023, he allegedly moved approximately $26 million through Tornado Cash, routing funds across multiple blockchains and wallets to conceal their origin.
Blockchain investigator ZachXBT had previously documented the laundering trail in a December 2023 report, identifying how stolen ETH was withdrawn from the mixing service and routed through brokers. The indictment states that proceeds were used to purchase high-value collectibles, including rare Magic and Pokémon cards, a coin dating to the era of Julius Caesar, and an artifact connected to the Wright brothers that was later carried to the moon by Neil Armstrong. Law enforcement also seized cryptocurrency valued at approximately $31 million last February in connection with the alleged scheme.
U.S. Attorney Jay Clayton addressed the broader implications of the case in a statement, saying: “Stealing from a crypto exchange is stealing—the claim that ‘crypto is different’ does not change that.” The prosecution reflects a growing effort by federal authorities to pursue decentralized finance exploits that combine technical manipulation with subsequent concealment of funds. Legal observers say the case challenges the notion that exploiting code-based vulnerabilities is inherently lawful.
Angela Ang, head of policy and strategic partnerships for Asia Pacific at TRM Labs, told Decrypt that the “code is law” argument is facing increasing scrutiny in courtrooms. She noted that while exploiting smart contract vulnerabilities may be technically feasible, courts are unlikely to view such actions as legally permissible, particularly when combined with laundering and concealment. Ang added that stronger auditing and insurance mechanisms can reduce the risk of such exploits but are not sufficient on their own.
Ang emphasized that platforms require a layered approach to security, encompassing regular audits, secure coding practices, multi-signature controls, and an organizational culture that prioritizes security rather than depending on any single protective measure. The Uranium Finance case is expected to serve as a reference point as regulators and courts continue to define the legal boundaries of activity within decentralized finance ecosystems.
Originally reported by Decrypt.
