The Jaredfromsubway MEV bot, linked to approximately 70% of Ethereum sandwich attacks, lost more than $7.5 million in an allowance drain after its automated system allowed attacker-controlled contracts to spend its tokens.
The bot, known as Jaredfromsubway.eth, approved a series of transactions that appeared to be part of profitable trade routes. These permissions remained active, allowing the attacker to remove wrapped ether and two major stablecoins from contracts associated with the operation.
The incident effectively caused one of Ethereum’s largest MEV trading systems to approve its own theft. It also highlights a vulnerability faced by automated traders that must assess markets, authorize contracts and execute trades in seconds.
Onchain security firm Blockaid said the attacker did not compromise the bot’s private keys or exploit a flaw in a widely used decentralized finance protocol. Instead, the operation targeted the rules the bot uses to identify and pursue potential profits.
How Jaredfromsubway.eth was drained
According to Blockaid, the attacker had spent several weeks deploying imitation tokens, liquidity pools, and support contracts that looked like markets the bot might normally trade on.
The fake assets included wrapped versions of Ethereum, USDC, and USDT, combined via trade routes designed to generate profitable-looking signals. Jaredfromsubway.eth detected these routes and followed its usual process of allowing support contracts to move tokens as part of expected transactions.
Some early transactions used the permissions as intended, helping to establish a pattern that the bot’s system continued to accept. Subsequent transactions left the approvals unused.


This distinction gave the attacker an opening through ERC-20 approvals, which allow another address or smart contract to spend a specified amount of tokens owned by the approver account.
The authorization may remain available after the initial transaction unless exhausted, reduced or revoked.
Once the attacker had accumulated enough unspent allowances, the contracts used the ERC-20 transferFrom function to move real WETH, USDC and USDT from the bot’s accounts.
On-chain records show repeated transfers totaling approximately 92 WETH, 143,000 USDC, and 149,000 USDT from a contract linked to the bot. The funds were directed to an address controlled by the attacker.
Yearn Finance developer Banteg described the final operation as an allowance drain rather than a conventional token swap. A coordination contract called a withdrawal function on dozens of subsidiary contracts, which checked the bot’s balances and their remaining permissions before transferring available tokens.
A portion of the profits was then sent through Tornado Cash, a crypto-mixing service that can make funds more difficult to trace.
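The approval behaviour described above can be audited from the approver's side. The following is an added example, not code from Blockaid, Banteg or the bot: a minimal in-memory model of ERC-20 allowance accounting that lists approvals left spendable after a trade and zeroes them. The account names, amounts and helper functions are constructed for illustration.

```python
from collections import defaultdict

class Erc20Model:
    """Minimal in-memory model of ERC-20 balance and allowance accounting."""
    def __init__(self, balances):
        self.balances = defaultdict(int, balances)
        self.allowance = defaultdict(int)  # (owner, spender) -> remaining amount

    def approve(self, owner, spender, amount):
        # Overwrites the previous value; nothing expires it afterwards.
        self.allowance[(owner, spender)] = amount

    def transfer_from(self, spender, owner, to, amount):
        if self.allowance[(owner, spender)] < amount:
            raise PermissionError("insufficient allowance")
        if self.balances[owner] < amount:
            raise ValueError("insufficient balance")
        self.allowance[(owner, spender)] -= amount
        self.balances[owner] -= amount
        self.balances[to] += amount

def residual_allowances(token, owner):
    """Return {spender: amount} for every approval still spendable against owner."""
    return {s: a for (o, s), a in token.allowance.items() if o == owner and a > 0}

def exposure(token, owner):
    """Worst case that residual spenders could pull, capped by the owner's balance."""
    return min(token.balances[owner], sum(residual_allowances(token, owner).values()))

def revoke_all(token, owner):
    """Mitigation: zero every leftover approval (approve(spender, 0) on-chain)."""
    for spender in list(residual_allowances(token, owner)):
        token.approve(owner, spender, 0)

def build_constructed_scenario():
    # Constructed sample data: names and amounts are illustrative, not on-chain records.
    weth = Erc20Model({"bot": 100})
    weth.approve("bot", "helper_a", 10)
    weth.transfer_from("helper_a", "bot", "pool", 10)  # approval consumed as intended
    weth.approve("bot", "helper_b", 40)                # trade never pulls the tokens
    weth.approve("bot", "helper_c", 50)                # approval again left unused
    return weth

if __name__ == "__main__":
    token = build_constructed_scenario()
    print("residual:", residual_allowances(token, "bot"), "exposure:", exposure(token, "bot"))
    revoke_all(token, "bot")
    print("after revoke:", residual_allowances(token, "bot"))
```

Approving only the exact amount a trade needs and resetting the allowance to zero in the same transaction keeps the residual set empty.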
A dominant sandwich operator becomes the target
Jaredfromsubway.eth has been operational since 2023 and has become one of the most important players in the Ethereum market for maximum extractable value (MEV).
MEV refers to revenue generated by changing the order in which blockchain transactions are processed. In a sandwich attack, a bot identifies a pending transaction and first buys the asset, thereby driving up its price. The user’s transaction then executes at a less favorable price before the bot sells, capturing the difference.
This made Jaredfromsubway.eth one of Ethereum’s most visible sandwich attack bots before the same automation became the path to its own funds.
The loss for any individual trader may be small. However, over tens of thousands of trades, the strategy can generate substantial revenue while increasing trading costs and network fees.
According to reports, these attacks imposed an estimated $60 million in annual costs on traders, while approximately 70% were associated with a single operator identified as Jaredfromsubway.eth.



