The Jaredfromsubway.eth MEV bot lost $7.5 million after an attacker used fake wrapper tokens to trick the sandwich attack operator into granting spending approvals on Ethereum.
"The attacker exploited the bot's mechanism: its automated system detected what looked like profitable MEV opportunities and generated approvals to attacker-controlled helper contracts," blockchain security firm Blockaid said in an analysis of the exploit.
The attacker created fake wrapper tokens — fWETH, fUSDC and fUSDT — paired with a fake Cap token, designed to appear as profitable trades the bot would chase on Ethereum. Once the bot approved attacker-controlled helper contracts to spend real assets, the attacker conducted a "final sweep," pulling 1,474.58 WETH, 2.87 million USDC and 2 million USDT via transferFrom, according to Blockaid. The proceeds were converted to roughly 4,400 ETH, with 1,000 ETH routed through Tornado Cash, PeckShield data shows.
The exploit of a bot that dominated Ethereum sandwich attacks — accounting for roughly 70% of such activity between November 2024 and October 2025 — highlights persistent security vulnerabilities in automated trading infrastructure, even among sophisticated operators. The $7.5 million loss may temporarily reduce sandwich attack volumes on Ethereum but raises broader questions about the safety of MEV strategies that rely on automated approval mechanisms.
The Jaredfromsubway.eth operator had been the most active sandwich attacker on Ethereum, targeting retail traders by inserting transactions before and after their swaps to extract value. The attacker's method exploited a fundamental design gap: in normal trades, the bot would use up approvals during the transaction. By crafting routes that left approvals open, the attacker accumulated enough spending authority to drain the contract in a single sweep.
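A defender-side check for the gap described above, as an added example that is not code from Blockaid or from the bot: it replays one transaction's approvals and transferFrom spends in order and reports any allowance still open when the transaction ends. The function names, event tuples, placeholder addresses and amounts are all constructed for illustration.

```python
from collections import defaultdict

MAX_UINT256 = 2**256 - 1  # conventional "unlimited" allowance, usually never decremented


def residual_allowances(events, owner):
    """Replay one transaction's token events in order and return the
    allowances granted by `owner` that are still open when it ends.

    Each event is (kind, token, owner, spender, value):
      "approval" - an ERC-20 Approval log
      "spend"    - a transferFrom pulled by `spender` (assumed to come from
                   the call trace, since Transfer logs do not name the spender)
    """
    allowance = defaultdict(int)
    for kind, token, evt_owner, spender, value in events:
        if evt_owner != owner:
            continue
        key = (token, spender)
        if kind == "approval":
            allowance[key] = value  # approve() overwrites the previous value
        elif kind == "spend" and allowance[key] != MAX_UINT256:
            # Clamp at zero: an allowance granted before this transaction is not visible here.
            allowance[key] = max(allowance[key] - value, 0)
    return {key: left for key, left in allowance.items() if left > 0}


def flag_transaction(events, owner, trusted_spenders):
    """Return open allowances held by spenders outside the allowlist."""
    open_allowances = residual_allowances(events, owner)
    return {k: v for k, v in open_allowances.items() if k[1] not in trusted_spenders}


# Constructed sample data: placeholder addresses and amounts, not values from the incident.
BOT, ROUTER, HELPER = "0xBOT", "0xROUTER", "0xHELPER"
NORMAL_TRADE = [
    ("approval", "WETH", BOT, ROUTER, 100),
    ("spend", "WETH", BOT, ROUTER, 100),  # approval fully consumed in the same transaction
]
CRAFTED_ROUTE = [
    ("approval", "WETH", BOT, HELPER, 500),
    ("spend", "WETH", BOT, HELPER, 1),  # less is pulled than was approved
    ("approval", "USDC", BOT, HELPER, MAX_UINT256),
]

if __name__ == "__main__":
    print(flag_transaction(NORMAL_TRADE, BOT, {ROUTER}))   # nothing left open
    print(flag_transaction(CRAFTED_ROUTE, BOT, {ROUTER}))  # two open allowances to HELPER
```

Run as a post-simulation gate, a non-empty result for a spender outside the allowlist is the signal to drop the bundle or reset the allowance to zero before it lands.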
Crypto commentator David Gokhshtein said on social media that while the exploit should not be celebrated, those who had been "sandwiched" by the bot may not be upset by the news. ETH traded at $1,741.21 at the time of the exploit, above its 50-day exponential moving average of $1,725.59, according to market data.