
An attacker drained jaredfromsubway.eth, one of the most active MEV "sandwich" bots on Ethereum, on Saturday by tricking its automated trading system into approving attacker-controlled contracts, according to onchain analysts.
Blockaid valued the assets traced to the attacker at roughly $7.5 million in WETH, USDC and USDT. The bot's operator is pseudonymous and has not made a verified public statement; in a 2023 interview, a representative from the bot claimed to have no public social media accounts.
The bot, tagged by Etherscan as "jaredfromsubway: MEV Bot 2," has sandwiched Ethereum traders since early 2023 and ranks among the network's most prolific MEV operators. Its name, a reference to disgraced Subway spokesman and convicted child sex offender Jared Fogle, is a sly callout to its practice of sandwich attacks, in which an automated trading bot places trades on both sides of a public transaction in order to artificially extract more value from users, a form of maximal extractable value or MEV.
The drain was first flagged on Saturday by onchain analyst Specter, who pointed to a $7 million-plus loss from a wallet tied to the bot. Onchain data showed the sweep ran at 18:49 UTC and moved 1,474.58 WETH, about 2.87 million USDC and roughly 2 million USDT to an attacker address in a single transaction.
Blockaid said the incident was not a phishing attack, a private-key compromise, or a flaw in a widely used DeFi protocol. The firm said attacker-controlled contracts induced the bot's execution system to grant token approvals that were later used to move funds.
Over several weeks, the attacker deployed 66 counterfeit token contracts that imitated WETH, USDC and USDT, then paired them with fake liquidity pools, according to Blockaid. To the bot, the routes resembled the profitable opportunities it is built to find.
The bot approved attacker-controlled helper contracts to spend its real tokens. In small test runs, the approvals were consumed inside the trade as expected, Blockaid said. In larger bait transactions, however, the attacker structured the routes so the approvals remained open.
A forensic report published Sunday by the pseudonymous developer banteg described the mechanism as a block-armed switch. The same child-contract design behaved like a normal, principal-consuming wrapper in small "unarmed" test batches that handed the bot small real profits, then acted like a fake mint in large "armed" batches that left its approvals untouched, the report said.
The report identified 16 live WETH allowances of about 92.16 WETH each, together matching the 1,474.58 WETH swept in the final drain.
The final transaction was a direct sweep rather than a trade. A coordinator contract called "withdraw" on 66 child contracts at once, each pulling the bot's balance up to its open allowance and forwarding it to the attacker.
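An added example, not taken from the article, Blockaid or banteg's report: a toy Python model of ERC-20 allowance accounting. It shows how an approval that a route does not consume stays spendable afterwards, and how a post-trade check that revokes any residual allowance removes that exposure. All class and function names, account labels and amounts are constructed for illustration; amounts are in 0.01-WETH units modeled on the figures quoted above.

```python
# Toy ERC-20 allowance ledger (constructed; not real token or bot code).
class Token:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}  # (owner, spender) -> remaining allowance

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def transfer_from(self, spender, owner, to, amount):
        if amount > self.allowance(owner, spender) or amount > self.balances.get(owner, 0):
            raise ValueError("transferFrom reverted")
        self.allowances[(owner, spender)] -= amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def execute_route(token, bot, helper, amount, helper_consumes, revoke_residual):
    """Approve a helper for one route; return the allowance still open afterwards."""
    token.approve(bot, helper, amount)
    if helper_consumes:
        # Principal-consuming wrapper: pulls the funds, then pays them back.
        token.transfer_from(helper, bot, helper, amount)
        token.balances[helper] -= amount
        token.balances[bot] += amount
    # Otherwise the helper never calls transferFrom and the approval stays live.
    if revoke_residual and token.allowance(bot, helper):
        token.approve(bot, helper, 0)  # post-trade invariant: no approval outlives the route
    return token.allowance(bot, helper)


def open_exposure(token, owner):
    """Amount third parties could still pull: open allowances, capped by balance."""
    total = sum(a for (o, _), a in token.allowances.items() if o == owner)
    return min(total, token.balances.get(owner, 0))


def scenario(helper_consumes, revoke_residual):
    # Constructed figures in 0.01-WETH units: 16 routes of 92.16, balance 1,474.58.
    token = Token({"bot": 147_458})
    for i in range(16):
        execute_route(token, "bot", f"helper{i}", 9_216, helper_consumes, revoke_residual)
    return open_exposure(token, "bot")
```

On a live system the same invariant is checked by reading `allowance(owner, spender)` for every spender approved during the transaction and reverting or revoking when any value is non-zero.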
The attacker swapped the stolen assets into about 4,427 ETH, worth roughly $7.7 million, and deposited 1,000 ETH into the formerly sanctioned mixer Tornado Cash, according to onchain tracker Lookonchain.
The report also flagged that the receiving address was an EIP-7702-delegated account, a feature from Ethereum's 2025 Pectra upgrade that lets a standard wallet run contract code.
An X account using the jaredfromsubway.eth name, with the handle @jaredsmev, posted that the bot had lost $15 million and offered a $1 million bounty for the return of the funds, asking tipsters to contact it privately. Several onchain commentators flagged the account as an impersonator rather than the bot's operator.
The account has changed usernames eight times, most recently this month, and carries a history of promotional posts, including a token shill and a giveaway offer, according to its public profile. The Block could not verify any link between the account and the bot, and no security firm has traced a loss larger than about $7.5 million.
The jaredfromsubway.eth bot has been one of the most recognizable names in Ethereum's MEV economy. A "Jared 2.0" version that surfaced in 2024 processed more than 85,000 transactions, and the operator at one point ranked as Ethereum's single largest daily gas spender.
In May, the bot drew attention for sandwiching a small swap by Ethereum co-founder Vitalik Buterin, committing more than $1.14 million in WETH to front-run a trade worth a few dollars.
The attacker's identity, and whether other contracts or funds were affected, remained unclear as of publication.
Disclaimer: The Block is an independent media outlet that delivers news, research, and data. As of November 2023, Foresight Ventures is a majority investor of The Block. Foresight Ventures invests in other companies in the crypto space. Crypto exchange Bitget is an anchor LP for Foresight Ventures. The Block continues to operate independently to deliver objective, impactful, and timely information about the crypto industry.
© 2026 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.