The operator of jaredfromsubway, a well-known Ethereum trading bot, lost $7.5 million on Saturday after an exploit targeting the bot's transaction approval system. Security firm Blockaid reported that an attacker used fake tokens and fraudulent smart contracts to drain legitimate funds from the bot. The exploit occurred against a bot that has gained notoriety for conducting sandwich attacks—a form of market manipulation on decentralized exchanges involving trades placed around pending transactions to profit at others' expense.
Attacker Exploited Approval Logic With Fake Tokens
Blockaid explained that the attacker presented jaredfromsubway with misleading trading opportunities that later allowed the bad actor to drain funds. The bot is designed to continuously scan for profitable trades and occasionally grants entities permission to move funds on its behalf to execute those trades. According to Blockaid, some transactions that jaredfromsubway engaged in revoked those permissions immediately after completion, while attacker-crafted transactions did not. "That left attacker-controlled spenders armed," Blockaid stated in an X post. The scheme involved fake tokens and fraudulent smart contracts that exploited this approval mechanism.
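The failure Blockaid describes is an ERC-20 allowance that survives past the transaction that granted it. The script below is an added illustration from the defender's side, not code from Blockaid, PeckShield or the bot's operator: it replays decoded Approval events for one owner address and flags every transaction that ended with a non-zero allowance still granted, plus the allowances that remain outstanding once all events are replayed. It assumes the events have already been decoded from ERC-20 Approval logs into (owner, spender, value) records in on-chain order; the addresses, transaction hashes and amounts in SAMPLE_EVENTS are constructed placeholders.

```python
"""Audit ERC-20 Approval events for one wallet and report allowances that
were not reset to zero before the approving transaction finished.

Added illustration; assumptions: events are already decoded from ERC-20
Approval logs and ordered as they occurred on chain. All addresses,
transaction hashes and values below are constructed placeholders.
"""
from dataclasses import dataclass

MAX_UINT256 = 2**256 - 1  # the "unlimited" allowance many contracts request


@dataclass(frozen=True)
class Approval:
    tx_hash: str
    token: str
    owner: str
    spender: str
    value: int  # ERC-20 Approval carries the new allowance, not a delta


def allowances_by_tx(events, owner):
    """Return {tx_hash: {(token, spender): allowance at the end of that tx}}
    for approvals granted by `owner`, replaying events in order."""
    per_tx = {}
    for ev in events:
        if ev.owner.lower() != owner.lower():
            continue  # approvals by other wallets are not our concern here
        per_tx.setdefault(ev.tx_hash, {})[(ev.token, ev.spender)] = ev.value
    return per_tx


def unrevoked_in_tx(events, owner):
    """Transactions that granted an allowance and ended with it still non-zero.
    A bot that approves, trades and revokes within one tx never shows up here."""
    flagged = {}
    for tx, final in allowances_by_tx(events, owner).items():
        left = {k: v for k, v in final.items() if v > 0}
        if left:
            flagged[tx] = left
    return flagged


def outstanding_allowances(events, owner):
    """Allowances still live after replaying every event, per (token, spender).
    Allowances persist across transactions, so this is the exposure right now."""
    current = {}
    for ev in events:
        if ev.owner.lower() == owner.lower():
            current[(ev.token, ev.spender)] = ev.value
    return {k: v for k, v in current.items() if v > 0}


def is_unlimited(value):
    return value == MAX_UINT256


# Constructed sample data (placeholder addresses and hashes, not real chain data)
BOT = "0xBOT_PLACEHOLDER"
ROUTER = "0xROUTER_PLACEHOLDER"
UNKNOWN_SPENDER = "0xSPENDER_PLACEHOLDER"
WETH = "0xWETH_PLACEHOLDER"
SAMPLE_EVENTS = [
    # tx_clean: approve a router, trade, then reset the allowance to zero
    Approval("0xtx_clean", WETH, BOT, ROUTER, 10**18),
    Approval("0xtx_clean", WETH, BOT, ROUTER, 0),
    # tx_dangling: unlimited approval to an unfamiliar spender, never reset
    Approval("0xtx_dangling", WETH, BOT, UNKNOWN_SPENDER, MAX_UINT256),
    # another wallet's approval, which the audit ignores
    Approval("0xtx_other", WETH, "0xOTHER_PLACEHOLDER", ROUTER, 5),
]


def audit(events=SAMPLE_EVENTS, owner=BOT):
    """Flatten the flagged transactions into (tx, token, spender, amount) rows."""
    rows = []
    for tx, left in unrevoked_in_tx(events, owner).items():
        for (token, spender), value in left.items():
            amount = "unlimited" if is_unlimited(value) else str(value)
            rows.append((tx, token, spender, amount))
    return rows


if __name__ == "__main__":
    for tx, token, spender, amount in audit():
        print(f"ALERT: {tx} left {amount} allowance on {token} for spender {spender}")
    for (token, spender), value in outstanding_allowances(SAMPLE_EVENTS, BOT).items():
        print(f"OUTSTANDING: {token} -> {spender}: {value}")
```

Run as a script it prints one alert for the constructed dangling transaction and nothing for the clean one. In practice the same two functions are worth running on a schedule against the wallet's real Approval logs: `unrevoked_in_tx` catches the pattern the article describes (a trade that does not clean up after itself), and `outstanding_allowances` gives the list of spenders that should be reset to zero before they can be used.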
Operator Offers 50% Bounty and Threatens Legal Action
In an on-chain message following the Saturday attack, the bot's operator offered a "50% white hat bounty" for the return of 2,150 Ethereum, currently valued at roughly $3.7 million, within 48 hours. The operator threatened to pursue legal remedies and involve law enforcement if the funds were not returned within that timeframe.
Stolen Funds Deposited to Tornado Cash
Security firm PeckShield noted in an X post that the attacker began covering their tracks after the exploit. After the attacker stole wrapped Ethereum and stablecoins, a portion of the funds was swapped and partially deposited into Tornado Cash, a common resource for attackers trying to obscure the flow of ill-gotten gains.
FAQ
What happened to the jaredfromsubway bot on Saturday?
The jaredfromsubway bot lost $7.5 million on Saturday after an attacker exploited its transaction approval logic using fake tokens and fraudulent smart contracts, according to security firm Blockaid.
What did the jaredfromsubway operator offer after the exploit?
The operator offered a 50% white hat bounty for the return of 2,150 Ethereum (approximately $3.7 million) within 48 hours and threatened to pursue legal action and involve law enforcement if the funds were not returned.