On Saturday, June 21, one of crypto's most notorious MEV bots lost over $7.5 million. Jaredfromsubway.eth spent years attacking DeFi traders on Ethereum through sandwich attacks. This time, an attacker built the exact same trap for it and drained everything in a single transaction.
What is Jaredfromsubway.eth and how did it make millions?
MEV, short for maximal extractable value, is profit extracted from a blockchain by manipulating the order of transactions. Before a transaction is confirmed, it sits in the mempool, a waiting area on network nodes visible to all participants. MEV bots scan this queue and insert their own transactions before or after others to capture price differences.
The most common technique is the sandwich attack. A bot spots a large token purchase, buys the same token first, waits for the original transaction to push the price up, then sells for a profit. The victim pays more than expected. Everything happens within a single block, in milliseconds.
Jaredfromsubway.eth was the dominant bot of its kind. According to Cointelegraph Research, it was behind 70% of all sandwich attacks on Ethereum between November 2024 and October 2025. That amounts to 60,000 to 90,000 attacks per month, with trader losses exceeding $60 million per year. In May 2026, even Ethereum co-founder Vitalik Buterin was sandwiched by it while swapping DigitalBits tokens. The losses were tiny, but the story spread quickly.
How the attacker spent weeks building the trap
Nobody cracked the bot overnight. The setup took several weeks.
According to Blockaid, which first detected the incident, the attacker gradually deployed 66 fake token contracts. Each one mimicked the name and interface of a real asset: Wrapped ETH (WETH), USDT, or USDC. Alongside those, the attacker created fake liquidity pools designed to look like profitable trades for MEV strategies.
The goal was to get the bot to approve spending of its real funds on behalf of the attacker's helper contracts. MEV bots are programmed to interact automatically with any contract that looks like a profitable arbitrage opportunity. There is no reputation check in their logic. The bot handed over the approvals without realizing it was walking into a trap.
One transaction, 66 backdoors: how it played out
The actual attack was fast. Once all 66 contracts had accumulated the bot's approvals, the attacker sent a single transaction that triggered all 66 backdoors at once. ETH, USDC, and USDT moved to the attacker's addresses within seconds. Part of the stolen funds was soon routed through Tornado Cash.
Blockaid CTO Raz Niv described the attack: "This is not a classic phishing attack and not a traditional smart-contract vulnerability in the victim contract. It is a counter-MEV honeypot attack targeting the automated, trust-minimized decision-making logic that MEV bots use." The bot's own mechanisms worked against it.
Here is how the attack unfolded:
- Setup (several weeks): the attacker gradually deployed 66 fake contracts mimicking WETH, USDC, and USDT by name and interface
- Each fake token was paired with an artificial liquidity pool designed to look like genuine arbitrage
- The bot interacted with the fakes automatically and granted the attacker's helper contracts the right to spend real funds
- Final strike (one transaction): all 66 backdoors triggered simultaneously, funds drained
- Stolen funds partially routed through Tornado Cash
What does this mean for DeFi traders?
The crypto community's reaction was mixed. Traders who had lost money to sandwich attacks over the years expressed open satisfaction. Investor David Gokhshtein wrote: "We shouldn't be happy about this... but if you've ever been sandwiched by this bot, you're not upset about this news."
From a technical angle, this incident opens a new chapter in MEV competition. Counter-MEV attacks have been discussed in theory, but this case proved they work in practice. Operators of similar bots now have reason to audit which contracts their systems interact with automatically and what permissions they grant.
For regular DeFi users, the direct threat is minimal. But if you approve third-party contracts or run automated strategies, it is worth checking those approvals periodically. Ethereum remains an open network where attacks and defenses are equally available to anyone who builds them.
Comments
Your email address will not be published. Required fields are marked *