CoinDesk
An attacker drained more than $7.5 million from jaredfromsubway.eth, the automated trading bot credited with roughly 70% of Ethereum's sandwich attacks, by weaponising the bot's own approval logic rather than exploiting a contract bug or phishing the operator. Security firm Blockaid said the attacker spent several weeks seeding dozens of fake token contracts and liquidity pools that mimicked WETH, USDC and USDT, luring the bot into generating open token-spend approvals for attacker-controlled helpers. Those standing permissions were then used to pull funds directly from the bot's contracts, with a portion of the proceeds later routed through Tornado Cash.
Why it matters
Sandwich attacks — where a bot spots a pending trade, buys ahead of it, lets the victim fill at a worse price, and sells immediately after — are a textbook form of maximal extractable value (MEV) and a quiet tax on Ethereum users. CoinDesk data put the cost at roughly $60 million a year across 60,000 to 90,000 attacks per month between November 2024 and October 2025, with jaredfromsubway.eth responsible for the lion's share since early 2023. Saturday's incident flips the script: the same pattern-recognition, machine-speed behaviour that made the bot profitable against human traders made it vulnerable against a patient adversary who knew exactly which signals the bot was wired to chase.
Market impact
The exploit is unlikely to dent Ethereum's spot liquidity or pricing, but it changes the threat model for every automated market-maker and MEV operator running on the chain. Approvals that stay open after a swap — rather than being consumed and revoked inside the same transaction — are now a documented attack surface, and the Tornado Cash leg ensures at least part of the haul is already laundered through privacy rails that frustrate recovery. For retail users, the read is sharper: the bot that sandwiched Vitalik Buterin for $4 in May was running the same approval patterns as every other opportunistic contract on-chain, and on Saturday those patterns were aimed back at it.
Frequently asked questions
-
What happened to jaredfromsubway.eth on Saturday?
An attacker drained more than $7.5 million from the bot by luring it into approving token-spend permissions for attacker-controlled helper contracts, then using those open approvals to pull WETH, USDC and USDT directly from the bot's contracts. Some of the funds were later routed through Tornado Cash.
-
How did the attacker trick the sandwich bot?
According to Blockaid, the attacker spent several weeks deploying dozens of fake token contracts and fake liquidity pools that mimicked assets like WETH, USDC and USDT. When the bot spotted what looked like MEV opportunities, it generated approvals to attacker-controlled helpers; some of those approvals stayed open…
-
How big is jaredfromsubway.eth in Ethereum's MEV market?
The bot has been active since early 2023 and has been linked to roughly 70% of Ethereum's sandwich attacks. Between November 2024 and October 2025 those attacks cost Ethereum traders around $60 million a year, running 60,000 to 90,000 incidents per month.
-
What is a sandwich attack?
A sandwich attack is a form of maximal extractable value (MEV) in which an automated trader spots a pending transaction, buys the asset just before it, lets the victim trade at a worse price, then sells immediately after — capturing a small spread at the user's expense.
-
What does this exploit mean for other MEV bots on Ethereum?
It turns open, post-trade token approvals into a confirmed attack surface. Automated market-makers and MEV operators that grant spend permissions to helper contracts now have a documented reason to revoke or tightly scope those approvals inside the same transaction, rather than leaving them standing.
Lookonchain
WuBlockchain
TheBlock
CoinTelegraph