JaredFromSubway MEV bot loses $15M to its own tactics

Key Takeaways

- Attacker tricked JaredFromSubway into granting token approvals to malicious contracts by simulating profitable MEV opportunities
- The bot operator offered bounties up to $7.5M for partial fund recovery, with no confirmed response
- The exploit highlights how automated MEV extraction systems can become targets themselves
JaredFromSubway, one of Ethereum's most profitable and despised MEV bots, lost $15 million on Saturday after an attacker turned the bot's own extraction logic against it. The attacker deployed fake token pools and contracts that mimicked legitimate trading opportunities, tricking the bot into granting spending permissions that were later used to drain its funds.
Blockchain security firm Blockaid detected the drain and reported that the attacker's contracts were designed to appear as profitable MEV opportunities to JaredFromSubway's automated execution system. The bot, which runs without human oversight, analyzed the fake routes, deemed them financially rewarding, and granted ERC-20 token approvals to attacker-controlled contracts.
How the attacker exploited the bot's approval system
The attack was methodical. Early transactions were harmless tests, confirming how JaredFromSubway's execution routines responded. Once the attacker understood the bot's behavior, they modified the attack routes so that token approvals were not consumed or revoked after being granted.
This allowed the attacker to accumulate valid spending permissions. Before executing the final drain, the attacker had secured approval for up to 92.1614 WETH from the bot's contract. With these permissions in place, the attacker used the transferFrom function to withdraw WETH, USDC, and USDT from JaredFromSubway's holdings.
JaredFromSubway confirmed the attack vector on Sunday, stating that fake pools and tokens were used to trick the bot into approving helper contracts.
Why this bot attracted so much attention
JaredFromSubway is not a random DeFi protocol. It's a private MEV operation with no publicly available code, known for aggressive "sandwich" attacks on Ethereum. The bot's strategy is straightforward: detect a user's pending trade, place a buy order immediately before it, then sell immediately after. The user gets a worse price; the bot pockets the difference.
This practice has made JaredFromSubway one of the most controversial actors in Ethereum's transaction supply chain. MEV researchers estimate the bot extracted over $30 million from regular users in 2023 alone. The irony of this attack is not lost on the crypto community: a predatory bot was outmaneuvered by a more sophisticated predator using essentially the same playbook.

Bounty negotiations have stalled
JaredFromSubway initially offered the attacker $3 million to return all stolen funds, promising no further action. When that received no response, the bounty jumped to $7.5 million for just 50% of the stolen amount, with $1 million pledged to the community.
The operator also claims to be negotiating with a white-hat hacking group, though no deal has been confirmed. The escalating bounties suggest JaredFromSubway has limited options for recovery. On-chain, the attacker holds the cards.
What this reveals about MEV bot security
MEV bots operate in a hostile environment by design. They profit by exploiting timing and information asymmetries in public mempools. But the same automation that enables speed also creates attack surface. A bot that approves contracts without human review can be manipulated by anyone who understands its decision logic.
JaredFromSubway's code is private, but its behavior is observable on-chain. The attacker spent time studying how the bot responded to different contract structures before deploying the real attack. This is reconnaissance in the traditional security sense, just applied to smart contract systems.
The lesson for other MEV operators: speed and automation are competitive advantages until they become vulnerabilities. Any system that grants token approvals without revocation checks or time-based limits is exposed to accumulation attacks like this one.
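A post-simulation check for the failure mode described above, as an added example (not code from JaredFromSubway, Blockaid or the original article): it replays a simplified call trace and rejects any route that leaves an ERC-20 allowance open to an unreviewed spender. The trace format, the contract names and the amounts are constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal

# Assumption: spenders the operator has manually reviewed (placeholder name).
TRUSTED_SPENDERS = {"reviewed_router"}

def residual_allowances(owner, trace):
    """Replay a simulated route and return allowances still open at the end.

    trace is a simplified call list: (op, token, owner, spender, amount).
    ERC-20 approve() overwrites the allowance; transferFrom() spends from it.
    """
    allowance = defaultdict(Decimal)
    for op, token, who, spender, amount in trace:
        if who != owner:
            continue
        key = (token, spender)
        if op == "approve":
            allowance[key] = Decimal(amount)
        elif op == "transferFrom":
            # A real token reverts on overspend; the model clamps at zero.
            allowance[key] -= min(Decimal(amount), allowance[key])
    return {k: v for k, v in allowance.items() if v > 0}

def check_route(owner, trace):
    """Accept a route only if no unreviewed spender keeps an allowance."""
    leftovers = {k: v for k, v in residual_allowances(owner, trace).items()
                 if k[1] not in TRUSTED_SPENDERS}
    return not leftovers, leftovers

def exposure_by_token(routes, owner):
    """Total each token that unreviewed spenders could pull after all routes."""
    combined = [call for route in routes for call in route]
    totals = defaultdict(Decimal)
    for (token, _spender), amount in check_route(owner, combined)[1].items():
        totals[token] += amount
    return dict(totals)

# Constructed traces (not taken from the incident); amounts in whole tokens.
BOT = "bot_contract"
CLEAN = [("approve", "WETH", BOT, "helper_a", "5"),
         ("transferFrom", "WETH", BOT, "helper_a", "5")]
LINGERING = [("approve", "WETH", BOT, "helper_b", "40"),
             ("transferFrom", "WETH", BOT, "helper_b", "1")]
LINGERING_2 = [("approve", "WETH", BOT, "helper_c", "25")]

if __name__ == "__main__":
    for name, route in [("clean", CLEAN), ("lingering", LINGERING)]:
        print(name, check_route(BOT, route))
    print(exposure_by_token([CLEAN, LINGERING, LINGERING_2], BOT))
```

Running the same invariant over the cumulative trace, not just one route at a time, is what exposes allowances that build up across separate helper contracts.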
Logicity's Take
JaredFromSubway's loss inverts the usual crypto hack narrative. This wasn't a protocol with innocent users getting drained. It was a bot that built its fortune extracting value from regular traders, now outplayed by someone who understood its logic better than its operators did. The attacker's patience, testing small transactions before the real strike, mirrors the careful timing analysis MEV bots use against their own targets. Whether the attacker returns any funds is secondary to the larger point: MEV extraction is an arms race, and any system that automates financial decisions without robust safeguards will eventually meet someone who can exploit that automation.
Frequently Asked Questions
What is JaredFromSubway?
JaredFromSubway is a private MEV bot on Ethereum known for sandwich attacks, where it front-runs user trades to profit from the price movement it causes. It has extracted tens of millions from regular traders.
How did the attacker steal $15 million from the MEV bot?
The attacker created fake token pools that appeared as profitable trading opportunities. JaredFromSubway's automation granted token approvals to attacker-controlled contracts, which accumulated permissions until the attacker drained the funds.
Why didn't JaredFromSubway's systems detect the fake opportunities?
The bot evaluates transactions for profitability, not authenticity. The attacker's contracts were designed to pass profitability checks while setting up permissions that could be exploited later.
Will the stolen funds be recovered?
JaredFromSubway has offered bounties up to $7.5 million and claims to be negotiating with white-hat groups, but no recovery has been confirmed. The attacker has not responded publicly.
What does MEV mean in crypto?
Maximal Extractable Value refers to profits that can be captured by reordering, inserting, or censoring transactions within a block. MEV bots exploit this by front-running or sandwiching user trades.
Source: BleepingComputer
Huma Shazia
Senior AI & Tech Writer