jaredfromsubway.eth drained of $7.5M in multi-week approval trap

jaredfromsubway.eth, Ethereum's most-watched MEV sandwich bot, lost $7.5 million on June 20 after an attacker spent several weeks engineering a trap the bot had no means to detect. The sweep pulled 1,474.58 WETH, approximately 2.87 million USDC, and 2 million USDT from addresses it controlled, according to BeInCrypto.

The attack reversed a familiar dynamic. jaredfromsubway.eth has operated for years as the aggressor on Ethereum, front-running ordinary users by inserting transactions around theirs to extract value. A more patient adversary turned that same logic back on the bot, using a trap the bot's own code could not distinguish from a real MEV route.

The attacker deployed 66 counterfeit ERC-20 contracts designed to look like profitable MEV routes. Each interaction produced a token-transfer approval, giving attacker-controlled contracts standing permission to move real WETH, USDC, and USDT. Early interactions exercised those approvals immediately, leaving no obvious trace; later ones let approvals accumulate. After 97 blocks, per Protos, a single sweep collected everything. Blockchain security firm Blockaid, which flagged the drain through its Exploit Detection system, described the attack as "not a classic phishing attack and not a traditional smart-contract vulnerability in the victim contract," per crypto.news.

After the sweep, the attacker consolidated proceeds to approximately 4,427 ETH and deposited 1,000 ETH into Tornado Cash, according to BeInCrypto. Blockaid CTO Raz Niv called it "a counter-MEV honeypot attack" that "specifically targeted the automated, trust-minimized decision-making logic that MEV bots utilize," per CoinCodeCap. The bot operator claimed $15 million in losses; Blockaid calculated $7.5 million from the token quantities stolen.