The JaredFromSubway Ethereum MEV (Maximal Extractable Value) bot reportedly suffered a $15 million loss after an attacker manipulated its opportunity-detection logic by fabricating profitable-looking crypto trades. The exploit was first identified on Saturday by blockchain security firm Blockaid, and has since been acknowledged by JaredFromSubway, which confirmed that fake pools and tokens were used to deceive the system into approving malicious helper contracts.
According to Blockaid, the attacker deployed a series of smart contracts designed to convincingly mimic high-value MEV opportunities. The bot’s automated system evaluated these decoy routes as legitimate, generated execution transactions, and granted ERC-20 token approvals to attacker-controlled contracts in the process. Early activity in the attack appeared to function as testing, helping the attacker validate the bot’s decision-making behavior before escalating the exploit.
Over time, the attacker refined the setup so that approved allowances were not immediately consumed or revoked. This allowed them to quietly accumulate spending permissions—eventually reaching approximately 92.1614 WETH approved to a malicious contract. Once sufficient permissions were in place, the attacker drained assets including WETH, USDC, and USDT using the transferFrom function.
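A defender's view of the condition described above, as an added example that is not code from Blockaid or JaredFromSubway: it replays a bot's approve and transferFrom activity and flags any allowance to a non-allowlisted spender that is still open when the transaction ends. The records, the spender names (`router_A`, `helper_X`, `helper_Y`), the amounts and the allowlist are all constructed for illustration.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample records, not real chain data. "approve" sets an allowance
# from the bot to a spender; "spend" is a transferFrom() that consumes it.
# "tx" groups the actions that happen inside one transaction.
EVENTS = [
    {"tx": 1, "kind": "approve", "token": "WETH", "spender": "router_A", "amount": "5"},
    {"tx": 1, "kind": "spend",   "token": "WETH", "spender": "router_A", "amount": "5"},
    {"tx": 2, "kind": "approve", "token": "WETH", "spender": "helper_X", "amount": "0.5"},
    {"tx": 2, "kind": "spend",   "token": "WETH", "spender": "helper_X", "amount": "0.5"},
    {"tx": 3, "kind": "approve", "token": "WETH", "spender": "helper_X", "amount": "40"},
    {"tx": 4, "kind": "approve", "token": "USDC", "spender": "helper_X", "amount": "25000"},
    {"tx": 5, "kind": "approve", "token": "WETH", "spender": "helper_X", "amount": "90"},
    {"tx": 6, "kind": "approve", "token": "USDT", "spender": "helper_Y", "amount": "100"},
    {"tx": 7, "kind": "approve", "token": "USDT", "spender": "helper_Y", "amount": "0"},
]

def audit_allowances(events, trusted_spenders):
    """Replay events in tx order.

    Returns (alerts, outstanding): alerts lists every transaction that ended
    with a non-zero allowance to an untrusted spender; outstanding is what is
    still spendable by untrusted spenders after the last event.
    """
    allowance = defaultdict(Decimal)   # (token, spender) -> remaining allowance
    alerts = []
    for tx in sorted({e["tx"] for e in events}):
        touched = []
        for e in (e for e in events if e["tx"] == tx):
            key = (e["token"], e["spender"])
            if e["kind"] == "approve":
                allowance[key] = Decimal(e["amount"])   # approve() overwrites
            else:
                allowance[key] -= Decimal(e["amount"])  # transferFrom() consumes
            if key not in touched:
                touched.append(key)
        # Invariant: an untrusted spender holds no allowance once the tx is done.
        for token, spender in touched:
            left = allowance[(token, spender)]
            if left > 0 and spender not in trusted_spenders:
                alerts.append((tx, token, spender, left))
    outstanding = {k: v for k, v in allowance.items()
                   if v > 0 and k[1] not in trusted_spenders}
    return alerts, outstanding
```

An approval that is fully consumed in the same transaction raises nothing, while one left open is reported at the transaction that created it and stays in `outstanding` until it is set back to zero.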
MEV bots like JaredFromSubway operate as high-speed automated trading systems that scan blockchain activity for profit opportunities, often exploiting transaction ordering effects in so-called “sandwich attacks,” where trades are front-run and back-run for profit. In response to the breach, JaredFromSubway initially offered a $3 million bounty for the return of funds, later increasing it to $7.5 million for the return of half the stolen amount, plus a $1 million community allocation. The team is also reportedly in talks with a white-hat group, though no agreement has been confirmed.
