
MEV bot Jaredfromsubway.eth drained for over $7.5 Million



One of the leading MEV bots, Jaredfromsubway.eth, has been drained of more than $7.5 million, according to reports.

According to security firm Blockaid, the attacker constructed a false MEV arbitrage path that induced the bot to automatically issue ERC-20 token approvals. Because those approvals were never spent or revoked, the attacker later used them to transfer WETH, USDC, and USDT directly out of the bot's contract, with the funds ultimately landing in the attacker's wallet.

“This is not a classic phishing attack and not a traditional smart-contract vulnerability in the victim contract,” Blockaid said on X.

Blockaid CTO Raz Niv offered more detail on the mechanics behind the breach. “This was a counter-MEV honeypot attack, as it specifically targeted the automated, trust-minimized decision-making logic that MEV bots utilize,” Niv told Cointelegraph.

Over several weeks, the attacker deployed 66 fake token contracts designed to mimic the names and interfaces of WETH, USDC, and USDT, pairing them with fake liquidity pools, according to Niv. The setup was built to look like the kind of profitable trade opportunities MEV bots are programmed to chase, which lured Jaredfromsubway’s bot into doing exactly what it was designed to do: approving attacker-controlled helper contracts to spend funds on its behalf.

“Ironically, in the process, it provided the attacker the keys to millions in the bot’s treasury,” Niv said. “And then in a single transaction, the attacker called all 66 backdoors and swept all the ETH, USDC, and USDT at these addresses, amounting to millions of dollars.”

Blockaid said the attacker initially tested routes in which the approvals were consumed immediately, leaving no lingering allowance, before changing the route design so that the bot issued approvals that went unspent and unrevoked. One example cited by Blockaid involved an approval of roughly 92.16 WETH to an attacker-controlled helper contract. Etherscan data for that transaction showed jaredfromsubway.eth interacting with its MEV Bot 2 contract ahead of the later sweep, with ERC-20 movements tied to the same automated route.

The final transaction used those open approvals to pull WETH, USDC, and USDT out of the JaredFromSubway MEV bot contract via ERC-20 transferFrom calls. Etherscan records show transfers from "jaredfromsubway: MEV Bot 2" to an attacker wallet beginning with 0x3e37.
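To make the failure mode concrete, the following is an added illustration (not Blockaid's analysis code and not the jaredfromsubway bot's code) that models the two-phase setup and the sweep described above using standard ERC-20 allowance semantics. Token names, addresses, helper names and amounts are constructed for the demo, and the fake-token mimicry is left out; the point shown is that an approval the route never consumes stays spendable until the owner resets it, and that zeroing the allowance at the end of each route closes the window.

```python
"""Toy model of the unspent-allowance drain described above.

Added illustration only: not Blockaid's code and not the MEV bot's code.
Token names, addresses and amounts are constructed; the allowance rules
follow standard ERC-20 semantics (approve / allowance / transferFrom).
"""
from dataclasses import dataclass, field

ETHER = 10**18           # WETH uses 18 decimals
USD = 10**6              # USDC and USDT use 6 decimals
UNLIMITED = 2**256 - 1   # the common "infinite approval" value

BOT = "0xBOT"            # constructed stand-in for the MEV bot contract
ATTACKER = "0xATTACKER"  # constructed stand-in for the attacker wallet


@dataclass
class Token:
    """Minimal ERC-20 ledger: balances plus the (owner, spender) -> allowance map."""
    symbol: str
    balances: dict = field(default_factory=dict)
    allowances: dict = field(default_factory=dict)

    def approve(self, owner, spender, amount):
        # approve overwrites the previous value; approve(spender, 0) is the revoke idiom
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def transfer_from(self, caller, owner, to, amount):
        """Spender-initiated pull; succeeds for any amount <= remaining allowance."""
        if amount > self.allowance(owner, caller):
            raise PermissionError(f"{self.symbol}: allowance exceeded")
        if amount > self.balances.get(owner, 0):
            raise ValueError(f"{self.symbol}: insufficient balance")
        self.allowances[(owner, caller)] -= amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def run_route(token, bot, helper, approve_amount, spend_amount, revoke):
    """One 'arbitrage' route: the bot approves the helper, the helper pulls what the
    route claims to need (possibly nothing). With revoke=True the bot zeroes the
    allowance when the route finishes, which is the mitigation."""
    token.approve(bot, helper, approve_amount)
    if spend_amount:
        token.transfer_from(helper, bot, helper, spend_amount)
    if revoke:
        token.approve(bot, helper, 0)


def lingering_allowances(tokens, owner):
    """Audit helper: every nonzero allowance the owner still holds open to any spender."""
    return [(t.symbol, spender, amt)
            for t in tokens
            for (o, spender), amt in t.allowances.items()
            if o == owner and amt > 0]


def simulate(revoke):
    """Replay probe routes, bait routes and the final sweep.
    Returns (amount the attacker received per token, allowances open before the sweep)."""
    tokens = [Token("WETH", {BOT: 100 * ETHER}),
              Token("USDC", {BOT: 2_000_000 * USD}),
              Token("USDT", {BOT: 1_500_000 * USD})]
    helpers = {t.symbol: f"0xHELPER-{t.symbol}" for t in tokens}  # attacker-controlled
    probe = {"WETH": 1 * ETHER, "USDC": 1 * USD, "USDT": 1 * USD}
    bait = {"WETH": 9216 * ETHER // 100, "USDC": UNLIMITED, "USDT": UNLIMITED}  # 92.16 WETH

    # Phase 1: routes whose approval is consumed immediately, so nothing lingers.
    for t in tokens:
        run_route(t, BOT, helpers[t.symbol], probe[t.symbol], probe[t.symbol], revoke)

    # Phase 2: routes redesigned so the approval is issued but never spent.
    for t in tokens:
        run_route(t, BOT, helpers[t.symbol], bait[t.symbol], 0, revoke)
    open_before_sweep = lingering_allowances(tokens, BOT)

    # Sweep: one transferFrom per backdoor, each pulling min(open allowance, bot balance).
    swept = {}
    for t in tokens:
        h = helpers[t.symbol]
        amount = min(t.allowance(BOT, h), t.balances[BOT])
        if amount:
            t.transfer_from(h, BOT, ATTACKER, amount)
        swept[t.symbol] = t.balances.get(ATTACKER, 0)
    return swept, open_before_sweep


if __name__ == "__main__":
    for flag in (False, True):
        taken, open_allowances = simulate(revoke=flag)
        print(f"revoke={flag}: swept={taken}, open allowances before sweep={len(open_allowances)}")
```

The relevant check for an automated trader is the audit in lingering_allowances: after each bundle executes, read allowance(bot, spender) for every spender the route touched and reset anything nonzero, rather than assuming the route consumed what it approved. On a real chain the same check is a view call against each token contract, and the reset is an approve(spender, 0) transaction from the bot's contract.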

MEV bots like Jaredfromsubway.eth operate by monitoring unconfirmed transactions in the mempool and placing their own transactions around them, for example sandwiching a swap, to extract profit, functioning as a kind of invisible tax on DeFi users.

Blockaid put the total drained amount at approximately $7.5 million. The JaredFromSubway account later claimed the loss was actually $15 million and offered a $1 million bounty for the full return of the funds.

Onchain data shows some of the stolen funds have already been routed through crypto mixing service Tornado Cash. In May, Ethereum co-founder Vitalik Buterin was sandwich attacked by the same bot while swapping 26,544 DigitalBits tokens.


