
U.S. prosecutors have charged a Maryland man with stealing more than $53 million after hacking the Uranium Finance crypto exchange twice and laundering the proceeds through a cryptocurrency mixer.
36-year-old Jonathan Spalletta (known online as "Cthulhon" and "Jspalletta") appeared in court before U.S. Magistrate Judge Ona T. Wang after surrendering to law enforcement on Monday.
Spalletta hacked the decentralized cryptocurrency exchange Uranium (which operated as an automated market maker similar to Uniswap) in April 2021, stealing approximately $53.3 million worth of cryptocurrency and forcing the company to shut down due to a lack of funds.
"As alleged, Jonathan Spalletta repeatedly hacked smart contracts to steal millions of dollars' worth of other people's money for himself, and destroyed a cryptocurrency exchange in the process," said U.S. Attorney Jay Clayton.
"In describing his alleged 'heist,' Spalletta told another individual 'Crypto is just fake internet money anyway.' Stealing from a crypto exchange is stealing—the claim that 'crypto is different' does not change that. For the victims, there is nothing different about having your money taken. Spalletta cost real victims real losses of tens of millions of dollars, and now he's under real arrest."
According to the unsealed indictment, the defendant carried out two separate attacks. During the first breach, on April 8, Spalletta exploited a flaw in Uranium's smart contract code, abusing the AmountWithBonus variable to issue zero-token withdrawal commands that forced the exchange to pay rewards he was not entitled to receive, draining the liquidity pool of approximately $1.4 million.

Spalletta then extorted Uranium into assigning nearly $386,000 of the stolen funds as a sham "bug bounty" in exchange for returning the remainder to the crypto exchange.
Three weeks later, on April 28, he struck again, exploiting a separate single-character coding error that caused Uranium's transaction-verification logic to use 1,000 instead of 10,000.
This allowed Spalletta to withdraw nearly 90% of the assets held across 26 separate liquidity pools while depositing effectively zero tokens, netting him approximately $53.3 million (the overwhelming majority of Uranium's holdings) and forcing the crypto exchange to shut down immediately.
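The scale mismatch described above, modelled as an added example (not code from Uranium or from the indictment). It assumes a Uniswap-v2-style constant-product check; the fee value, function names and reserve figures are hypothetical, and the regression check shows how a mismatched constant is caught before deployment.

```python
# Simplified model of an AMM invariant guard. Assumption: the pool scales
# balances by 10,000 before deducting the fee, so the old reserves on the
# other side of the comparison must be scaled by 10,000 as well.
FEE_SCALE = 10_000   # scale applied to the new balances
FEE_UNITS = 16       # hypothetical fee: 16 / 10,000 of the input amount


def swap_allowed(reserve0, reserve1, in0, in1, out0, out1, rhs_scale):
    """Return True if the guard accepts the swap.

    rhs_scale is the constant applied to the old reserves. If it differs
    from FEE_SCALE, the two sides are compared in different units.
    """
    balance0 = reserve0 + in0 - out0
    balance1 = reserve1 + in1 - out1
    if balance0 <= 0 or balance1 <= 0:
        return False
    adjusted0 = balance0 * FEE_SCALE - in0 * FEE_UNITS
    adjusted1 = balance1 * FEE_SCALE - in1 * FEE_UNITS
    return adjusted0 * adjusted1 >= reserve0 * reserve1 * rhs_scale ** 2


def audit_guard(rhs_scale, reserve0=1_000_000, reserve1=1_000_000):
    """Regression checks for the guard; returns a list of findings."""
    findings = []
    # A fairly priced swap (10,000 in, 9,800 out) must still be accepted.
    if not swap_allowed(reserve0, reserve1, 10_000, 0, 0, 9_800, rhs_scale):
        findings.append("rejected a fairly priced swap")
    # A withdrawal of half a reserve with no deposit must be rejected.
    if swap_allowed(reserve0, reserve1, 0, 0, 0, reserve1 // 2, rhs_scale):
        findings.append("accepted a withdrawal with no deposit")
    return findings


if __name__ == "__main__":
    for scale in (10_000, 1_000):   # consistent constant, then the one-character slip
        print(scale, audit_guard(scale) or "ok")
```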
Spalletta laundered the stolen crypto assets across multiple decentralized exchanges through the Tornado Cash cryptocurrency mixer and spent the proceeds on a wide range of items, including a "Black Lotus" Magic: The Gathering card for approximately $500,000, 18 sealed packs of Alpha Booster Magic cards for around $1.5 million, a first-edition complete Pokémon base set for roughly $750,000, and an ancient Roman coin commemorating Julius Caesar's assassination for over $601,000.
In February 2025, law enforcement seized the collectibles from his residence under a court-authorized search warrant and recovered approximately $31 million in cryptocurrency from wallets linked to Spalletta.
Spalletta now faces up to 10 years in prison on a computer fraud count and up to 20 years if found guilty of money laundering.