Federal prosecutors in New York have charged a Maryland man in connection with the 2021 Uranium Finance hacks, a DeFi case that had gone quiet for years before investigators recovered part of the stolen crypto. The Southern District of New York said Jonathan Spalletta, 36, of Rockville, Maryland, surrendered on March 30, 2026 after an indictment was unsealed. He faces one count of computer fraud and one count of money laundering.
Prosecutors said the case centers on two April 2021 attacks against Uranium Finance, a decentralized exchange that operated on BNB Chain. According to the indictment summary, the first exploit took place between April 6 and April 8, 2021 and drained about $1.4 million by abusing the protocol’s reward system. The DOJ said the larger second attack came on April 28, 2021, when a coding error let the attacker siphon about $53.3 million from 26 liquidity pools.
The DOJ said the second exploit effectively destroyed the platform. Investigators allege Spalletta then moved and concealed the proceeds through swaps and mixing services, including Tornado Cash. The government also said he later spent part of the money on rare collectibles, including high value trading cards, coins, and other historical items. Those claims remain allegations unless proven in court.
Seizure Brought Old DeFi Theft Back to Life
The case appears to have regained momentum after a major seizure last year. In February 2025, U.S. authorities seized about $31 million tied to the Uranium Finance exploits. TRM Labs, which assisted the investigation, said law enforcement traced funds that had moved across multiple blockchains and through laundering routes over several years before the seizure took place.
That recovery gave the Uranium Finance case new life and showed how old DeFi thefts can still lead to criminal charges. TRM said some of the stolen assets had remained dormant for years before moving again, which helped investigators map the laundering trail. The seizure did not cover the full amount taken, but it marked one of the more notable recoveries tied to an older DeFi exploit.
The DOJ has also asked possible victims to contact investigators by email. If convicted, Spalletta faces a maximum sentence of 10 years on the computer fraud charge and 20 years on the money laundering charge, though any sentence would be decided by the court. For now, the case stands as one of the clearest signs that U.S. authorities are still pursuing large crypto thefts long after the original attack.
