An attacker has successfully drained millions of dollars from the wallet of JaredFromSubway, Ethereum’s most visible and notorious Maximal Extractable Value (MEV) bot operator. Blockchain security researchers confirm the attack weaponized the bot’s own automated trading logic against it, using a specialized token approval trap.
Blockchain security firm PeckShield reported that attackers stole about $7.5 million in crypto assets before converting the funds into Ether. According to the firm, roughly 1,000 ETH was later transferred through the privacy protocol Tornado Cash. JaredFromSubway subsequently claimed the total losses were closer to $15 million.
The incident, first flagged by security researcher Specter, highlights the risks associated with automated trading operations on Ethereum, where extensive token permissions can create vulnerabilities even when underlying smart contracts remain secure.
Fake tokens turned the hunter into the target
The attack did not involve a flaw in JaredFromSubway’s trading software, according to analyst RaFi. Instead, the hackers allegedly created fake wrapper tokens and liquidity pools that appeared to offer profitable arbitrage opportunities. When the bot interacted with the fraudulent contracts, it unknowingly granted permissions that later allowed the attackers to access its funds.
“The bot essentially approved its own robbery,” RaFi said, noting that the initial transactions appeared legitimate. Over time, however, broader token approvals remained in place, giving the attackers unrestricted access through a network of helper contracts.
Blockchain data shows the exploit drained more than 4,400 wrapped Ether (WETH) from the bot’s wallets. The stolen funds were subsequently distributed across multiple addresses, making them more difficult to trace. Etherscan has identified one of the primary wallets involved in the operation as “JaredFromSubway Exploiter 1.”
Operator offers bounty after attack
JaredFromSubway confirmed the exploit in a series of posts on X, claiming the losses were significantly higher than early estimates from blockchain security firms. “I just woke up to a call from my friend. Yeah, I got fucking drained for $15M.”
The operator later appeared to open negotiations with the attacker, offering a reward in exchange for the return of stolen funds. “Well played. We are willing to offer a 50% white hat bounty.” He also warned that legal action could follow if the attacker failed to cooperate.
The exploit has triggered widespread discussion across the decentralized finance (DeFi) ecosystem. While some security analysts view the incident as an important case study on the hidden risks of machine-speed token approvals, many everyday traders greeted the news with a sense of irony. Since early 2023, JaredFromSubway has extracted tens of millions of dollars from retail users, reportedly accounting for up to 70% of all sandwich attacks on Ethereum during peak periods.
The fallout is expected to drive intensive scrutiny toward automated trading infrastructure and the standard allowance models that keep Web3’s most aggressive searchers exposed.
Also Read: Taiko Urges Bridge Withdrawals After $1.7M Chain Verification Breach
