Jaredfromsubway.eth, one of Ethereum's most notorious maximal extractable value (MEV) bots, has lost more than $7.5 million after an attacker exploited its own sandwich trading logic, according to security firm Blockaid. The bot, which specializes in sandwich attacks, was tricked into approving token spending to attacker-controlled contracts, which then drained its funds.
How the Attack Worked
Blockaid explained that this was not a typical phishing attack or a flaw in the bot's contract. Over several weeks, the attacker created fake token contracts and bogus liquidity pools, including counterfeit fWETH, fUSDC, and fUSDT paired with fake fCAP tokens. These pools appeared as profitable MEV opportunities to the bot.
The bot read them as arbitrage trades and granted spending approvals to helper contracts controlled by the attacker. Early test routes consumed the approvals immediately, but later ones left them open, allowing the attacker to later move funds. According to Blockaid, the bot approved about 92.16 WETH to one helper contract, and a final sweep used the open allowances to pull WETH, USDC, and USDT via transferFrom. Part of the proceeds was later routed through Tornado Cash.
Impact and History
Sandwich attacks cost Ethereum traders roughly $60 million annually, and about 70% of them trace back to jaredfromsubway.eth, which has been active since early 2023. The bot once spent $1.14 million frontrunning a trivial Vitalik Buterin swap for only a few dollars in profit. The drain echoes a 2023 attack where a rogue validator pulled $25 million from sandwich bots.
In a June 22 onchain message, the Jared wallet offered the attacker a 50% white-hat bounty to return 2,150 ETH within 48 hours, threatening legal and law-enforcement action otherwise.