Why Uranium Finance collapsed and where the $54 million went

In April 2021, Uranium Finance suffered two major hacks. Investigators later identified a single perpetrator — US citizen Jonathan Spalletta, also known as “Cthulhon.” By exploiting vulnerabilities in the platform’s code, he stole approximately $54 million in crypto assets. A report by GetBlock AML Research details how the scheme worked and how the funds were ultimately spent.

What Was Uranium Finance?

Uranium Finance was a decentralized exchange (DEX) that allowed users to trade crypto without intermediaries. Users deposited assets into liquidity pools, and smart contracts handled swaps automatically. In return, participants earned rewards in the form of additional tokens for providing liquidity.

The platform’s weakness lay in its smart contracts. Spalletta deliberately identified and exploited flaws in the code to extract far more rewards than he was entitled to.

The First Hack (April 8, 2021)

In early April, Spalletta launched an attack on one of the liquidity pools. He repeatedly submitted transactions that appeared to be normal withdrawals but actually manipulated the system.

Technically, the exploit worked as follows: he withdrew his funds using the “EmergencyWithdraw” function while still being recorded as a liquidity provider. He then triggered a “zero-value” transaction — requesting to withdraw 0 tokens — which caused the smart contract to miscalculate rewards. As a result, the system continued issuing him reward tokens as if his funds were still locked.

By repeating this process, Spalletta was able to drain nearly all available rewards from the pool. In total, he stole about $1.4 million in the first attack.

Two weeks later, he posted in a chat claiming responsibility for a “$1.5 million crypto heist,” adding that “crypto is all fake internet money.” He then negotiated with the project team, demanding that roughly $386,000 be classified as a bug bounty. The team ultimately agreed, and Spalletta returned part of the funds while keeping the agreed amount.

The Second Hack (April 28, 2021)

Three weeks later, a much larger exploit followed. This time, Spalletta discovered a different vulnerability related to withdrawal limits. Due to a coding error, the system used 1,000 instead of 10,000 when validating withdrawal requests.

He exploited this flaw by requesting nearly the entire balance of liquidity pools in a single transaction. For example, he could deposit an almost negligible amount — as little as 0.000…0001 tokens — and then withdraw over 90% of the pool’s funds.

He repeated this across 26 different pools, ultimately draining more than $53 million — the majority of the platform’s total assets.

Following the attack, Uranium Finance effectively ceased operations, as it no longer had sufficient liquidity. The exploit caused significant losses for investors and led to the project’s collapse.

How the Funds Were Laundered and Spent

After the attacks, Spalletta moved quickly to obscure the origin of the stolen funds. He transferred assets across multiple blockchains and used Tornado Cash, a crypto mixer designed to obscure transaction trails.

Investigators estimate that he funneled hundreds of millions through the mixer, including around $386,000 from the first hack and approximately $26 million from the second.

He later spent the funds on high-value collectibles. According to investigators, these included rare Magic: The Gathering and Pokémon cards, ancient Roman coins, and even a piece of fabric from the Wright brothers’ airplane — a fragment that had reportedly traveled to the Moon.

Seized fragment of Wright brothers’ aircraft fabric valued at $137,000

Seized Pokémon collectible cards

In February 2025, law enforcement arrested Spalletta. Authorities seized approximately $31 million in cryptocurrency, along with valuable collectibles, including cards, coins, and the aircraft fragment.

He has been charged with computer fraud and money laundering and faces up to 30 years in prison.