Exploiter charged for $53.3M Uranium Finance smart contract heist via code flaws and mixer laundering

1 unique source, 1 article

Summary

A 36-year-old Maryland man was charged with orchestrating two smart contract heists against the Uranium Finance decentralized exchange (DEX) in April 2021, stealing approximately $53.3 million in cryptocurrency. The suspect, Jonathan Spalletta (aka "Cthulhon"), exploited code flaws in Uranium's automated market maker (AMM) contracts, forcing the exchange into insolvency. Proceeds were laundered through Tornado Cash and partially spent on high-value collectibles. The first breach on April 8, 2021, involved manipulating the AmountWithBonus variable to issue unauthorized zero-token withdrawals, draining about $1.4 million; he then extorted the exchange into letting him keep part of it as a sham bug bounty in exchange for returning the rest. The second attack on April 28, 2021, exploited a single-character error in transaction-verification logic, allowing him to withdraw 90% of the DEX's assets across 26 liquidity pools while depositing negligible value.

Timeline

  1. 31.03.2026 12:15 · 1 article

    Uranium Finance smart contract heists in April 2021 linked to $53.3M theft and subsequent laundering

    On April 8, 2021, a suspect exploited a flawed AmountWithBonus variable in Uranium Finance’s AMM smart contract to perform zero-token withdrawals, draining $1.4 million. Three weeks later, on April 28, 2021, he exploited a single-character error in transaction logic to withdraw 90% of assets across 26 liquidity pools, netting $53.3 million and forcing the exchange to cease operations. Proceeds were laundered via Tornado Cash and partially spent on luxury collectibles before law enforcement recovery efforts in 2025.


Information Snippets

  • Uranium Finance operated as a decentralized automated market maker (AMM) similar to Uniswap, enabling token swaps via smart contracts.

    First reported: 31.03.2026 12:15
    1 source, 1 article
  • On April 8, 2021, Spalletta exploited a flaw in Uranium's smart contract code involving the AmountWithBonus variable to perform zero-token withdrawals, draining approximately $1.4 million from the exchange's liquidity pool.

  • Spalletta extorted Uranium Finance into assigning nearly $386,000 of stolen funds as a fraudulent "bug bounty" in exchange for returning the remaining portion of the $1.4 million.

  • On April 28, 2021, Spalletta exploited a single-character coding error in transaction-verification logic, causing the system to use 1,000 instead of 10,000 in a divisor, enabling unauthorized mass withdrawals.

  • The second attack allowed Spalletta to withdraw nearly 90% of the assets held across 26 liquidity pools while depositing effectively zero tokens, netting approximately $53.3 million and forcing Uranium Finance to shut down.

  • Spalletta laundered the stolen cryptocurrency through Tornado Cash before spending it on collectibles including a "Black Lotus" Magic: The Gathering card for $500,000, sealed Alpha Booster packs for $1.5 million, a first-edition complete Pokémon Base Set for $750,000, and a Julius Caesar assassination coin for over $601,000.

  • In February 2025, law enforcement executed a court-authorized search warrant at Spalletta’s residence, seizing the collectibles and recovering approximately $31 million in cryptocurrency linked to him.

  • Spalletta faces up to 10 years in prison for computer fraud and up to 20 years for money laundering if convicted.
