Jonathan Spalletta: The Collectibles Collector Who Killed Uranium Finance

Stole $54M from Uranium Finance. Spent it on Magic cards, Roman coins, and Pokémon. Created a Telegram 'War Room' to pretend to investigate his own hack. Got caught anyway.

Jonathan Spalletta: stole $54M, bought Magic cards, then pretended to investigate his own hack

Jonathan Spalletta turned a single-character coding error into a $54 million payday. Then he bought Magic cards with it. Then he created a Telegram chat to pretend to investigate his own hack. Then he lived in Rockville, Maryland for five years while the FBI traced every transaction he ever made.

The 36-year-old, known online as "Cthulhon," "Jspalletta," "Jonny Boy," "Nass," and "SirJonathan," didn't just hack Uranium Finance twice in April 2021. He murdered it. The decentralized exchange shut down permanently after his second attack drained 90% of its assets across 26 liquidity pools.

Uranium Finance operated as an automated market maker on BNB Chain, similar to Uniswap. Users deposited cryptocurrency into liquidity pools and earned rewards for providing trading liquidity. Standard DeFi. Standard promises. Standard vulnerability.

On April 8, 2021, Spalletta spotted a flaw in Uranium's smart contract code involving the AmountWithBonus variable. By issuing zero-token withdrawal commands, he forced the exchange to pay him rewards he never earned. The exploit netted $1.4 million from a single liquidity pool.

Here is where it gets brazen. Spalletta negotiated a sham "bug bounty" deal with Uranium, keeping $386,000 of the stolen funds while returning the rest. The exchange thought they had dodged a bullet. They had not.

Three weeks later, on April 28, Spalletta struck again. He found a single-character error in Uranium's transaction verification logic - the code used 1,000 instead of 10,000 for balance validation checks. That one digit let him withdraw nearly everything while depositing nothing. Twenty-six liquidity pools. $53.3 million in BNB, BUSD, and other tokens. Gone in minutes. Uranium Finance collapsed instantly and never reopened.

Then came the performance. Spalletta and his co-conspirators created a public "War Room" on Telegram, posing as a team dedicated to investigating the hack and recovering stolen funds. The guy who stole everything was now pretending to help find the thief. The Uranium community had no idea they were getting advice from the person who had just destroyed their exchange.

"I did a crypto heist," Spalletta wrote to an associate, according to the indictment. "Crypto is all fake internet money anyway." He clearly did not believe that when it came to spending it.

The shopping spree was spectacular. A "Black Lotus" Magic: The Gathering card for $500,000. Eighteen sealed Alpha booster packs worth $1.5 million. First-edition Pokémon cards valued at over $1 million. Ancient Roman coins commemorating Julius Caesar's assassination for $601,000. A piece of fabric from the Wright brothers' airplane that had traveled to the moon. Spalletta converted imaginary internet money into the most tangible collectibles on Earth.

He laundered the stolen crypto through Tornado Cash and multiple decentralized exchanges, swapping tokens into ETH and routing them across blockchains. He was not subtle. He was just patient enough to think five years was long enough.

It was not. Blockchain forensics firm TRM Labs assisted federal investigators in tracing the funds across multiple chains and through laundering routes that Spalletta had spent years building. The digital breadcrumbs never disappeared. Every swap, every bridge, every mixer output was mapped. On February 24, 2025, law enforcement raided his residence and seized approximately $31 million in cryptocurrency linked to the Uranium hacks. They also recovered most of his collectibles collection. His home had become a museum of stolen digital wealth converted to physical objects - and every object was now evidence.

Spalletta was not a fugitive. He was not on the run. He was living in Rockville, Maryland the entire time, surrounded by half a million dollars in Magic cards and ancient coins, waiting for a knock on the door that took five years to come.

On March 30, 2026, the Southern District of New York unsealed the indictment. Spalletta surrendered to authorities and appeared before U.S. Magistrate Judge Ona T. Wang. He was released on bail. He is not in prison yet.

U.S. Attorney Jay Clayton did not hold back. "Stealing from a crypto exchange is stealing," he said. "The claim that 'crypto is different' does not change that. For the victims, there is nothing different about having your money taken."

The case is being prosecuted by the Complex Frauds and Cybercrime Unit and assigned to U.S. District Judge Jed S. Rakoff. Spalletta faces up to 10 years for computer fraud and 20 years for money laundering. The indictment notes he personally received at least $11 million of the stolen funds, suggesting co-conspirators took the rest.

As for the victims - the users who deposited funds into Uranium Finance's 26 liquidity pools - there is no restitution plan. Uranium is dead. The $31 million seized by the government sits in federal custody. Nobody has announced any intention to return it to the people who lost it. The man who called crypto "fake internet money" is out on bail. The people whose real money he stole have nothing.