Is exploiting a smart contract bug a federal crime?

It can be. Federal prosecutors charge smart-contract exploits under the Computer Fraud and Abuse Act and money laundering statutes when they can show unauthorized access and intent to defraud. The 'code is law' idea -- that anything a contract permits is allowed -- is a philosophy, not a recognized legal defense, and it has not protected defendants in federal court. Whether access was truly 'unauthorized' on permissionless code remains a genuinely contested legal question.

Does calling it a 'bug bounty' protect you from prosecution?

Not automatically. Legitimate bug bounties involve prior authorization, prompt disclosure, and returning funds. Draining a protocol first and labeling it a 'bounty' afterward does not shield you. Prosecutors focus on the sequence and documentation of your conduct -- what you did before anything went wrong matters most.

What should I do if federal agents contact me about a crypto case?

Do not answer questions. Politely state that you want to speak with an attorney, and say nothing else. The most consequential mistakes in crypto fraud and money laundering cases happen in the first conversation with investigators from HSI, the FBI, or IRS Criminal Investigation, often long before any charges are filed.

Is cryptocurrency anonymous enough to avoid being traced?

No. Blockchains are pseudonymous and permanent, not anonymous. Law enforcement uses chain analysis to trace funds across wallets and mixers and routinely seizes assets, including tens of millions of dollars in recent crypto cases. Transaction history is permanently recorded and increasingly easy for investigators to follow.

Crypto Is Just Fake Internet Money"? Why That Defense Won't Save You in Federal Court

Jun 17

Written By Carlo DAngelo

A $53 million smart-contract exploit, a Black Lotus card, and the legal line between "exploiting a bug" and "computer fraud"

When federal prosecutors in Manhattan unsealed an indictment on March 30, 2026, against a 36-year-old Maryland man accused of draining a cryptocurrency exchange of more than $50 million, the U.S. Attorney led with a line that should get the attention of anyone in the digital asset space:

"Stealing from a crypto exchange is stealing — the claim that 'crypto is different' does not change that."

That sentence is the whole ballgame. For years, parts of the crypto community have operated on an unwritten rule sometimes summed up as "code is law" — the idea that if a smart contract lets you do something, then doing it is fair game. The government's position in United States v. Spalletta is a blunt rejection of that idea. And for anyone who builds, trades, or experiments at the edges of decentralized finance, it's worth understanding exactly where that line now sits.

As a criminal defense attorney who has testified before the U.S. Treasury on cryptocurrency regulation and written on digital asset crime, I want to walk through what the government is alleging, what the real legal fight looks like, and what this case signals for anyone who could find themselves on the wrong end of a federal cyber-fraud investigation.

https://www.justice.gov/usao-sdny/pr/maryland-man-charged-defrauding-crypto-exchange-over-50-million-hacks

What the Government Alleges

According to the indictment — and it's important to stress these are allegations, not proven facts — the case centers on Uranium Finance, a decentralized exchange that let users swap cryptocurrencies through automated "liquidity pools" governed by smart contracts.

Prosecutors say the defendant exploited those contracts twice in April 2021:

The first incident (April 8, 2021): He allegedly ran a series of transactions that tricked Uranium's smart contract into paying out far more in "rewards" tokens than he was entitled to, repeating the process until the reward pool was nearly drained — roughly $1.4 million worth of crypto. Prosecutors quote him telling someone afterward that he had pulled off a "heist," that "there was a bug in a smart contract, and I exploited it," and that "crypto is all fake internet money anyway."
The second incident (April 28, 2021): He allegedly exploited a flaw in the contract that controlled withdrawal amounts, ran it across 26 separate liquidity pools, and walked away with approximately $53.3 million — enough, the government says, to force Uranium to shut down entirely.

The indictment then describes classic money-laundering conduct: routing the proceeds through the crypto mixer Tornado Cash to obscure their trail, then converting the funds into hard assets. Among the items prosecutors say were purchased and later seized: a "Black Lotus" Magic: The Gathering card worth roughly $500,000, sealed vintage Pokémon card sets, an antique Roman coin commemorating the assassination of Julius Caesar, and even a piece of the original Wright brothers' airplane that was flown to the moon on Apollo 11.

He's charged with one count of computer fraud (up to 10 years) and one count of money laundering (up to 20 years).

The Real Legal Question: When Does Exploiting a Bug Become a Crime?

Here's what makes this case more than a tabloid headline. There is a genuine, unsettled legal tension underneath it.

In ordinary life, if a bank's ATM malfunctions and spits out extra cash, taking that money can be a crime. But decentralized finance complicates the intuition. A smart contract is open-source, permissionless code. Anyone can interact with it. There's no teller, no login you weren't given, no door you had to pick. The "exploit" is often just a sequence of perfectly valid transactions that the contract was — through a coding error — willing to execute.

That's why the defense theory in cases like this usually sounds some version of: I didn't break into anything. I interacted with public code exactly as it was written. The code permitted what I did.

The government's answer, as Uranium's prosecutor framed it, is that intent and deception are what matter — not the medium. Federal computer-fraud charges under the Computer Fraud and Abuse Act generally turn on whether someone accessed a computer "without authorization" or "exceeded authorized access," and whether they did so with intent to defraud. Prosecutors will argue that crafting transactions specifically designed to trick a contract into doing something it was never meant to do is exactly that kind of unauthorized, deceptive access — and that the defendant's own alleged words ("a heist," "I exploited it") prove he knew it.

This is the battleground. The outcome of these cases increasingly hinges on:

Authorization. Was the access "unauthorized" when the code itself permitted the transactions? Courts have struggled with what "exceeds authorized access" means even outside crypto, and the Supreme Court narrowed that phrase in Van Buren v. United States (2021). How that narrowing applies to permissionless smart contracts is far from settled.
Intent and knowledge. Federal fraud is a specific-intent crime. Contemporaneous messages, chat logs, and the steps taken to conceal funds become central evidence of state of mind — which is exactly why prosecutors highlighted the alleged "heist" texts.
The conduct after the exploit. Note that one of the two charges here is money laundering, carrying double the maximum prison exposure of the fraud count. Even where the underlying-access question is genuinely debatable, the steps taken to hide and convert proceeds — using mixers, structuring purchases, moving assets across wallets — often become the government's strongest and most independent line of attack.

Why "Bug Bounty" Framing Doesn't Automatically Protect You

The indictment also alleges that after the first incident, the defendant negotiated to keep a portion of the funds as a "bug bounty." Legitimate bug bounties are a real and valuable part of security research — companies pay ethical hackers to find and responsibly disclose vulnerabilities.

But the label is not a magic shield. The difference between a security researcher and a defendant usually comes down to a handful of facts: Did you have authorization or an established bounty program before you acted? Did you disclose promptly and return the funds? Or did you drain the protocol first and characterize it as a "bounty" afterward to manufacture cover? Prosecutors here allege the latter. The lesson for anyone doing real security work is that the sequenceand documentation of your conduct matter enormously — and they matter most before anything goes wrong.

What This Case Signals Going Into 2026

The Department of Justice has, over the past year, signaled a move away from "regulation by prosecution" in crypto — stepping back from charging novel regulatory theories against developers who simply write neutral code. But this case shows the other half of that message clearly: the DOJ has not stepped back from prosecuting fraud, theft, hacking, and money laundering, even when the conduct lives entirely on a blockchain. If anything, the message is sharpening: write code, you're a builder; use deception to take other people's assets, you're a defendant.

For traders, developers, founders, and anyone active in DeFi, a few practical takeaways:

The blockchain is not anonymous. It is pseudonymous and permanent. The government traced these funds across mixers and wallets and seized roughly $31 million. Chain analysis has become extraordinarily good.
Your words are evidence. Texts, Discord messages, and chats describing what you did and why are often the most damaging exhibits in the case.
"Code is law" is a philosophy, not a legal defense. It may inform a sophisticated argument about authorization, but standing alone it has not protected defendants in federal court.
This post discusses pending allegations in an unsealed federal indictment. The charges described are accusations only, and the defendant is presumed innocent unless and until proven guilty in a court of law.
This article is provided for general informational purposes only and does not constitute legal advice, nor does it create an attorney-client relationship. Every case is unique and depends on its own facts and circumstances. If you are facing a criminal investigation or charges, consult a licensed attorney about your specific situation.
Attorney Advertising. Carlo D'Angelo, PC — Criminal Defense, Tyler, Texas, and federal courts nationwide.

CryptocurrencyDigital AssetCryptoCrypto Crime

Carlo DAngelo

Crypto Is Just Fake Internet Money"? Why That Defense Won't Save You in Federal Court

What the Government Alleges

The Real Legal Question: When Does Exploiting a Bug Become a Crime?

Why "Bug Bounty" Framing Doesn't Automatically Protect You

What This Case Signals Going Into 2026

Carlo D'Angelo, PC

Aggressive Defense. Real Results.

Location

Serving East Texas, DFW & Federal Courts Nationwide

Contact

Crypto Is Just Fake Internet Money"? Why That Defense Won't Save You in Federal Court

What the Government Alleges

The Real Legal Question: When Does Exploiting a Bug Become a Crime?

Why "Bug Bounty" Framing Doesn't Automatically Protect You

What This Case Signals Going Into 2026

The Future of Crime Is AI: If AI is the weapon, then crypto is the getaway car.

Carlo D'Angelo, PC

Aggressive Defense. Real Results.

Location

Serving East Texas, DFW & Federal Courts Nationwide

Contact