He Stole $50M in Crypto. He Spent It on Pokémon Cards.

"Crypto is all fake internet money anyway." That's what Jonathan Spalletta allegedly wrote to an associate after draining $50 million from a DeFi exchange. Then he went shopping.

What Actually Happened

On March 31, 2026, the U.S. Department of Justice unsealed an indictment charging Jonathan Spalletta, 36, of Rockville, Maryland, with computer fraud and money laundering. The charges stem from a pair of attacks on Uranium Finance, a decentralized exchange built on Binance Smart Chain, back in April 2021.

Prosecutors allege Spalletta struck twice. On April 8, 2021, he exploited a vulnerability in Uranium's rewards mechanism smart contract, pulling out roughly $1.4 million. He then negotiated what authorities describe as a sham "bug bounty" arrangement — essentially convincing the platform to let him keep about $386,000 of the stolen funds as a legitimate reward for disclosing the bug. Prosecutors say the whole negotiation was fraudulent from the start.

The second attack was far more devastating. Spalletta allegedly returned and drained the platform's core liquidity pools — tied to BNB, BUSD, and other assets — emptying them entirely. Uranium Finance never recovered. It shut down permanently, leaving liquidity providers with nothing.

From Blockchain to Booster Packs

Here's where the case gets unusual. Spalletta didn't just hold the stolen crypto or cash it out through exchanges. According to the indictment, he routed funds through Tornado Cash — the crypto mixer sanctioned by the U.S. Treasury in 2022 — and then converted the proceeds into high-value physical collectibles.

The alleged shopping list is detailed in the indictment:

• A Black Lotus Magic: The Gathering card for approximately $500,000
• 18 sealed Alpha booster packs for roughly $1.5 million
• First-edition Pokémon sets worth over $1 million
• A Roman Eid Mar coin — commemorating the assassination of Julius Caesar — for about $601,500

Sponsored

Advertise with Us

[email protected]

Sponsored

The logic isn't hard to follow. Physical collectibles are harder to trace than blockchain transactions. They hold value. And in a market where a single card can fetch six figures, they're liquid enough to convert back to cash when needed. It's an old money-laundering playbook applied to a new asset class.

U.S. authorities had already seized approximately $31 million in crypto connected to the hack in February 2025. Spalletta surrendered in Manhattan and is expected to appear before a federal magistrate judge.

Why This Case Matters Now — Five Years Later

The hack happened in 2021. The indictment came in 2026. That five-year gap is itself a story.

On one hand, it demonstrates the reach of blockchain forensics. On-chain transaction data doesn't disappear. Investigators can — and increasingly do — trace fund flows across years, mixers, and multiple wallet hops. Firms specializing in crypto forensics have made this a growth industry, and cases like this are their proof of concept.

On the other hand, five years is a long time. Spalletta allegedly had ample opportunity to spend, convert, and obscure his proceeds. The $31 million seized represents roughly 62% of the total stolen. The remaining ~$19 million is unaccounted for in public filings — whether tied up in collectibles, further laundering, or simply gone remains unclear.

The Tornado Cash angle also resurfaces a live legal debate. The mixer's founders were prosecuted, with one receiving a 5-year sentence in 2024. This case adds another data point to the DOJ's argument that Tornado Cash was not a neutral privacy tool but a money laundering service with real criminal use.

Who Wins, Who Loses

The clearest losers are Uranium Finance's liquidity providers — ordinary DeFi participants who deposited assets into the protocol and lost everything when the pools were drained. Whether any of the $31 million in seized assets will be returned to victims has not been publicly determined.

For blockchain analytics firms and federal investigators, this is a validation. A cold case from the early DeFi era ends in a named defendant and a federal indictment. That's a signal to the broader market: DeFi anonymity has limits.

For the collectibles market, the case raises quieter questions. The dealers and auction houses that sold a $500,000 Magic card and a $600,000 Roman coin — did they conduct adequate due diligence on the source of funds? Anti-money laundering obligations for high-value goods dealers have been tightening in the U.S., but enforcement remains inconsistent.