Uranium Finance Indictment: Why Old DeFi Hacks Are Now Cases

Uranium Finance indictment is the rare DeFi exploit story that has crossed from on-chain forensics into a named U.S. criminal case. SDNY unsealed charges against Jonathan Spalletta on March 30, 2026, turning a 2021 BNB Chain collapse into a test of whether old smart-contract exploits can still end in arrest once investigators can trace, seize, and attribute the money.

Uranium Finance indictment turns an old exploit into a live fraud case

The Southern District of New York says Jonathan Spalletta, also known as “Cthulhon” and “Jspalletta,” has been charged with one count of computer fraud and one count of money laundering. The DOJ press release says he surrendered on March 30, 2026, appeared before Magistrate Judge Ona T. Wang, and now faces a maximum of 10 years on the computer-fraud count and 20 years on the money-laundering count if convicted. The case is assigned to Judge Jed S. Rakoff, and the government is explicit that the indictment contains allegations, not findings.

That alone makes the case notable, but the more important detail is what prosecutors chose to emphasize. DOJ did not describe the matter as a gray-area “code is law” dispute. It described it as repeated hacking of smart contracts to steal other people’s money, followed by laundering and personal spending. That framing matters because it shows where prosecutors think the strongest criminal hook sits: not in proving that every exploit is theft by definition, but in showing deception, repeated extraction, concealment, and downstream use of proceeds.

The alleged scheme had two hacks, not one

According to the indictment summary, the first attack happened on April 8, 2021 and targeted Uranium’s reward-distribution logic. Prosecutors say Spalletta used a deceptive sequence of transactions to withdraw far more rewards than he was entitled to receive, draining nearly the entire rewards pool and extracting about $1.4 million. DOJ also says that after the first exploit he later pressured Uranium into letting him keep roughly $386,000 as a sham “bug bounty” in exchange for returning the remainder.

The second alleged exploit, on April 28, 2021, is the one that destroyed Uranium. DOJ says Spalletta exploited an error in the smart contract governing withdrawals across 26 liquidity pools and stole about $53.3 million in cryptocurrency, forcing the exchange to shut down. Older technical analyses from Halborn and Immunefi describe the underlying bug as a constant-product accounting mistake in Uranium’s Uniswap-style trading logic: the modified fee scaling used 10,000 in one part of the math but left the invariant check at 1,000, creating a 100x mismatch that let an attacker drain reserves with minimal input.

Anchor: "DOJ press release on the Uranium Finance charges"

The long gap between exploit and arrest is the real signal

The deeper story in this indictment is timing. The Uranium exploits happened in April 2021. The charges were not unsealed until March 2026. What changed was not just prosecutorial interest. The tracing got better. TRM Labs said U.S. authorities and HSI San Diego seized approximately $31 million in February 2025, nearly four years after the original exploit, after investigators mapped laundering patterns across Tornado Cash, decentralized exchanges, bridges, and dormant wallets. DOJ’s March 30 press release separately says law enforcement seized cryptocurrency worth about $31 million on February 24, 2025 pursuant to a seizure warrant.

That sequence is what makes the case more than a delayed arrest note. DeFi exploits used to look practically unprosecutable once funds crossed mixers, wrapped assets, and chain boundaries. Uranium now shows a different pattern: an exploit happens, funds move through enough transparent infrastructure that investigators can revisit them years later, seize a meaningful chunk, and use the financial trail to support a named indictment. The lag is long, but the lag is shrinking into something operationally relevant for attackers.

This is also why the case matters beyond Uranium itself. The exploit did not become more illegal in 2026 than it was in 2021. What changed is that blockchain-forensics tooling, exchange-cooperation pathways, and seizure practice have improved enough to turn old traces into courtroom evidence.

Anchor: "Halborn’s 2021 Uranium Finance exploit analysis"

The “code is law” defense gets weaker when the money trail looks human

Decrypt’s March 31 coverage quoted TRM Labs’ Angela Ang saying courts are increasingly testing whether exploiting a smart contract bug can really be treated as legally permissible when it is paired with laundering and concealment. That is the right frame. Uranium was never the strongest candidate for a benign-arbitrage defense, and the indictment makes that weaker still.

DOJ says Spalletta described the first theft in writing as a “crypto heist” and said “crypto is all fake internet money anyway.” Prosecutors also say he laundered funds through Tornado Cash and then spent the proceeds on high-value collectibles, including a Black Lotus card, sealed Alpha Booster packs, a first-edition Pokémon set, antique Roman coins, and even a piece of Wright brothers airplane fabric later carried to the moon by Neil Armstrong. BleepingComputer’s summary, citing the indictment, says the second exploit relied on a single-character coding error and that the defendant moved funds through decentralized exchanges, mixers, and cross-chain routes before spending the proceeds.

Courts do not need to resolve every philosophical fight about smart-contract autonomy to find criminal intent in that pattern. A defendant who quietly exploits a bug and leaves the money untouched might still try to force a harder legal debate. A defendant who repeats the exploit, negotiates a sham bounty, launders the proceeds, and buys collectibles looks much closer to ordinary fraud with blockchain-specific plumbing.

Anchor: "TRM Labs on the 2025 Uranium Finance seizure"

What DeFi builders and investigators should take from the case

For builders, Uranium is still a contract-security story first. Halborn’s 2021 write-up said Uranium’s team had already detected the vulnerability during audit work and fixed it in an updated version, but the live v2 code remained exploitable and was hit before the transition completed. That is an ugly but familiar DeFi pattern: an audit finding exists, remediation is partial or poorly timed, and production code remains open long enough for someone else to use the flaw first.

For investigators, the newer lesson is that exploit cases can age into stronger prosecutions rather than weaker ones. TRM’s 2025 write-up shows why: some stolen funds sat dormant for years before moving again, which created fresh investigative opportunities. The implication for future attackers is simple. Time does not necessarily erase a DeFi theft. It may only give investigators more data, more counterparties, and more chances to connect wallets to people.

For readers of the Uranium Finance indictment, the final takeaway is not that every smart-contract exploit will now end in prison. It is narrower and more important. Once the government can combine exploit mechanics, message evidence, laundering patterns, asset seizures, and personal spending, old DeFi hacks stop looking like unsolved internet folklore and start looking like conventional financial-crime cases with better logs.

[INTERNAL LINK: "Web3 Fraud Files" → /categories/web3-fraud-files]

The next thing to watch is not the headline alone. It is the court process: whether prosecutors can tie the exploit flows, the 2025 seizure, and the personal-spending trail into a coherent criminal narrative that survives defense arguments about software autonomy and open code. If they can, Uranium Finance will be remembered not only as a devastating 2021 DeFi failure, but as one of the clearer examples that exploit attribution can catch up with old on-chain crime.

Anchor: "Decrypt on why the Uranium case matters legally"