JaredFromSubway Ethereum MEV Bot Drained of $15 Million in Sophisticated DeFi Heist
An attacker tricked the JaredFromSubway Ethereum MEV bot into approving $15 million in withdrawals by injecting fake trading opportunities that exploited the bot's automated arbitrage logic.
The JaredFromSubway Ethereum MEV (Maximal Extractable Value) bot suffered a $15 million loss after an attacker manipulated its opportunity-detection logic by creating fake cryptocurrency trading opportunities. The drain was detected on Saturday by blockchain security firm Blockaid, and JaredFromSubway confirmed that the attacker used fake pools and tokens to trick the bot into approving helper contracts.
According to Blockaid, the attacker deployed contracts designed to appear as profitable MEV opportunities to JaredFromSubway's automated execution system. The bot automatically analyzed routes and trade opportunities that seemed financially rewarding, then generated the transactions needed to execute them, granting ERC-20 token approvals to contracts controlled by the attacker. The attacker planned the heist carefully, with early transactions serving as harmless tests to confirm the bot's action routines before changing the route so that the allowance was not consumed or revoked after the bot granted approvals.
The attacker accumulated valid spending permissions without immediately using them, reaching up to 92.1614 WETH approved to an attacker-controlled helper contract. Finally, the attacker used the open approvals to withdraw WETH, USDC, and USDT from the JaredFromSubway MEV bot contract via the transferFrom function. MEV bots are ultra-fast automated trading systems that scan Ethereum and other blockchains for opportunities to make money by exploiting the order and timing of transactions before they are included in a block.
JaredFromSubway is a private MEV operation with no publicly available code, known as one of Ethereum's most aggressive and visible "sandwich"-bot operations. In a sandwich attack, the bot detects a user's pending trade, places a buy order immediately before it, and then sells immediately afterward, profiting from the price movement caused by the victim's transaction. The practice is controversial because it often results in worse prices for regular traders while generating profits for the bot operator.
Initially, JaredFromSubway offered a $3 million bounty to the attacker for the full return of the stolen funds, promising no further action would be taken. After receiving no response, JaredFromSubway increased the bounty to $7.5 million for the return of just 50% of the stolen amount, with $1 million to be given to the community. JaredFromSubway is also negotiating with "a white-hat hacking group" on the stolen $15 million but there is no confirmation of a deal yet.
This incident highlights the vulnerability of MEV bots to adversarial manipulation of on-chain data and transaction ordering. While MEV bots are designed to profit from market inefficiencies, their automated trust in on-chain signals makes them susceptible to carefully crafted traps. The attack underscores the broader risks in decentralized finance, where automated smart contract interactions can be weaponized against their operators, and serves as a cautionary tale for the growing ecosystem of algorithmic trading bots on Ethereum.