MEV bot jaredfromsubway drained in $7.5M honeypot
An attacker tricked the jaredfromsubway.eth MEV bot into approving malicious contracts and drained about $7.5 million in WETH, USDC and USDT in a single sweep.
On Saturday at 18:49 UTC, onchain analysts flagged a multi-million-dollar outflow from a wallet tied to the jaredfromsubway.eth MEV bot. Security firm Blockaid traced the activity to attacker-controlled contracts and estimated the stolen assets at about $7.5 million.
The single transaction moved 1,474.58 WETH, roughly 2.87 million USDC and about 2 million USDT, and the attacker converted the proceeds into roughly 4,427 ETH.
Blockaid's analysis shows the attacker deployed 66 counterfeit token contracts that imitated WETH, USDC and USDT, then paired them with fake liquidity pools so the bot's route-finding logic would treat the paths as profitable.
The attacker induced the bot’s execution system to grant approvals to helper contracts under attacker control. In small test runs those helper contracts behaved like normal wrappers and consumed allowances inside the trade. In larger bait transactions the same child-contract pattern left approvals open. The bot’s developer, using the name banteg, described that behavior as a ‘block-armed switch'.
Forensic traces identified 16 live WETH allowances of about 92.16 WETH each, matching the 1,474.58 WETH swept in the final operation. A coordinator contract then called a withdraw function on 66 child contracts at once; each child pulled the bot’s balance up to its open allowance and forwarded funds to the attacker.
The attacker swapped assets onchain and deposited 1,000 ETH into the mixer Tornado Cash. Onchain tracking shows the receiving account was an EIP-7702-delegated account, a feature from Ethereum's 2025 Pectra upgrade that allows a standard wallet to execute contract code.
Blockaid determined the incident was not a phishing attack, a private-key compromise or a flaw in a widely used DeFi protocol, and concluded the attacker induced the bot to grant approvals that were later exploited.
An X account using the jaredfromsubway.eth name posted a claim the bot lost $15 million and offered a $1 million bounty. Analysts flagged that account as an impersonator; public tracing has so far followed roughly $7.5 million in stolen assets.
The jaredfromsubway.eth bot has run sandwich strategies since early 2023 and is tagged onchain as ‘jaredfromsubway: MEV Bot 2'. A 2024 variant processed more than 85,000 transactions and its operator at one point ranked as the network's largest daily gas spender. In May the bot front-ran a small swap by Ethereum co-founder Vitalik Buterin, committing over $1.14 million in WETH to sandwich a trade worth a few dollars.
Investigators have not publicly identified the attacker, and it remains unclear whether other bots or funds were affected. Security teams and onchain analysts continue to monitor the addresses and contracts linked to the incident.
The content on The Coinomist is for informational purposes only and should not be interpreted as financial advice. While we strive to provide accurate and up-to-date information, we do not guarantee the accuracy, completeness, or reliability of any content. Neither we accept liability for any errors or omissions in the information provided or for any financial losses incurred as a result of relying on this information. Actions based on this content are at your own risk. Always do your own research and consult a professional. See our Terms, Privacy Policy, and Disclaimers for more details.








