An advanced attacker has successfully exploited a vulnerability in the automated trading system of jaredfromsubway.eth, a prominent Maximal Extractable Value (MEV) bot known for conducting sandwich attacks on the Ethereum network. The exploit, which occurred on Saturday, resulted in the drain of approximately $7.5 million worth of WETH, USDC, and USDT from the bot’s operational wallet. Security firm Blockaid identified the method as a sophisticated honeypot scheme rather than a direct phishing attack or a compromise of widely used DeFi protocols.
Key Takeaways
- A sophisticated attacker exploited jaredfromsubway.eth, a major Ethereum MEV bot, draining approximately $7.5 million in digital assets.
- The attack involved the attacker deploying counterfeit token contracts and fake liquidity pools to trick the bot into approving unauthorized contract access.
- The stolen funds were consolidated into approximately 4,427 ETH, with a portion routed through the privacy mixer Tornado Cash.
- An unverified social media account impersonating the bot has claimed a larger loss and offered a bounty, but evidence suggests this is an impersonation.
- This incident highlights the evolving tactics in MEV exploitation and the inherent risks within automated high-frequency trading on public blockchains.
The jaredfromsubway.eth bot, recognized by Etherscan as “jaredfromsubway: MEV Bot 2,” has been a significant participant in the Ethereum MEV landscape since early 2023. Its operations involve sandwich attacks, in which the bot places a buy order and a sell order on either side of a victim’s pending transaction to profit from the price impact of that transaction. The attacker’s strategy reportedly involved creating 66 counterfeit token contracts mimicking popular assets like WETH, USDC, and USDT, alongside fabricated liquidity pools. These deceptive setups were designed to appear as lucrative trading opportunities to the bot’s automated system.
According to Blockaid, the bot’s execution system was induced to grant token approvals to attacker-controlled helper contracts. These approvals, seemingly consumed in small test transactions that yielded minor profits, remained active for larger, bait transactions. A detailed forensic report by developer banteg described the mechanism as a “block-armed switch.” In small, “unarmed” test batches, the contracts behaved as expected, offering small real profits. However, in larger, “armed” batches, the same contract design acted as a fake mint, leaving the approvals in place without consuming the bot’s actual funds. The final drain occurred when a coordinator contract initiated a “withdraw” function across multiple child contracts, each siphoning the bot’s balance up to the limit of its outstanding approval and forwarding it to the attacker’s address.
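To make the lingering-approval problem described above concrete, here is an added Python model (not code from the original report or from any party involved) of ERC-20 allowance semantics: a small “unarmed” trade consumes only part of a large approval, leaving the remainder reachable by the spender until it is revoked, and an exposure audit plus a reset-to-zero after each trade removes that exposure. The token, spender and amount names are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Token:
    """Minimal ERC-20 style ledger (constructed model): balances and allowances."""
    name: str
    balances: dict = field(default_factory=dict)
    allowances: dict = field(default_factory=dict)  # (owner, spender) -> amount

    def approve(self, owner, spender, amount):
        # ERC-20 approve overwrites the allowance; 0 revokes it
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, spender, owner, to, amount):
        # ERC-20 transferFrom: spender may move up to its remaining allowance
        allowed = self.allowances.get((owner, spender), 0)
        if amount > allowed or amount > self.balances.get(owner, 0):
            raise PermissionError("insufficient allowance or balance")
        self.allowances[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def exposure(tokens, owner, trusted_spenders):
    """Map (token, spender) -> funds a non-allowlisted spender could move right now.

    Exposure is bounded by both the outstanding allowance and the owner's balance,
    which is exactly what a coordinator calling transferFrom on each token could drain.
    """
    report = {}
    for t in tokens:
        for (o, spender), allowance in t.allowances.items():
            if o != owner or spender in trusted_spenders or allowance == 0:
                continue
            at_risk = min(allowance, t.balances.get(owner, 0))
            if at_risk:
                report[(t.name, spender)] = at_risk
    return report


def demo():
    bot, helper = "bot", "helper_contract"  # hypothetical addresses
    weth = Token("WETH", balances={bot: 1000})
    # Unarmed phase: a tiny test trade uses 1 of a 1000-unit approval
    weth.approve(bot, helper, 1000)
    weth.transfer_from(helper, bot, "pool", 1)
    before = exposure([weth], bot, trusted_spenders=set())  # 999 still reachable
    # Hardened pattern: revoke the approval as soon as the trade settles
    weth.approve(bot, helper, 0)
    after = exposure([weth], bot, trusted_spenders=set())
    return before, after
```

Running `exposure` periodically over a bot’s wallet with an allowlist of audited spenders turns the audit into a detection signal for approvals that a small profitable test trade left behind.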
Onchain tracker Lookonchain reported that the attacker converted the stolen assets into approximately 4,427 ETH, valued at roughly $7.7 million. Further analysis indicated that 1,000 ETH of these funds were subsequently sent to Tornado Cash, a sanctioned cryptocurrency mixer known for obscuring transaction origins. The recipient address utilized in this operation was identified as an EIP-7702-delegated account, a feature associated with Ethereum’s upcoming Pectra upgrade, which allows standard wallets to execute contract code.
Potential Regulatory Implications and Precedents
While this incident primarily involves the complex, often legally gray area of MEV bot exploitation, it underscores broader concerns about the security and integrity of decentralized finance (DeFi) operations. The sophistication of the attack, involving the creation of deceptive smart contracts and the manipulation of token approval mechanisms, highlights the need for enhanced security auditing and risk management within automated trading systems. From a regulatory standpoint, such exploits, particularly when they involve significant sums and the use of privacy tools like Tornado Cash, could attract increased scrutiny from financial regulators worldwide. While direct regulatory frameworks for MEV bots are still nascent, the potential for large-scale asset theft and evasion of financial monitoring could influence future policy decisions. Global regulatory initiatives, such as the European Union’s Markets in Crypto-Assets (MiCA) regulation, aim to establish clearer rules for crypto-asset service providers, which may eventually encompass entities involved in high-frequency trading and MEV extraction, although the current focus is more on market integrity and consumer protection.
An X account operating under the handle @jaredsmev, using the jaredfromsubway.eth name, posted claims of a $15 million loss and offered a $1 million bounty for the funds’ recovery. However, multiple onchain commentators and security analysts have identified this account as a likely impersonator. The account’s history of username changes and promotional content, including token shilling and giveaways, has raised doubts about its authenticity. The Block has not found any verifiable link between this account and the actual bot operator, and security firms have not corroborated losses exceeding the approximately $7.5 million drained. The true operator of the jaredfromsubway.eth bot remains pseudonymous and has not issued a verified public statement.
The jaredfromsubway.eth bot has been a notable figure in the Ethereum MEV ecosystem. A subsequent iteration, “Jared 2.0,” emerged in 2024, processing a substantial number of transactions and at one point ranking as Ethereum’s largest daily gas spender. The bot previously gained attention in May for executing a costly front-run on a small transaction made by Ethereum co-founder Vitalik Buterin, committing over $1.14 million in WETH for a trade valued at only a few dollars. As of the time of this report, the attacker’s identity remains unknown, and it is unclear if other contracts or funds were affected by this exploitation.
According to the portal: www.theblock.co
