Jaredfromsubway.eth made its name by preying on Ethereum traders. On June 20, someone used the same speed and greed against it, draining more than $7.5 million in ETH.
If you've ever had a trade sandwiched on Ethereum, you know the feeling: the transaction clears, the price has moved against you, and some bot has taken a thin slice from the middle. Jaredfromsubway.eth did that at industrial scale for years. Now the best-known sandwich bot in crypto has been baited, approved, and drained.
According to CoinTelegraph's report on the incident, the attacker did not need a dramatic zero-day exploit. Blockaid chief technology officer Raz Niv described it as a counter-MEV honeypot built over several weeks. The attacker deployed 66 fake token contracts that copied the interfaces and names of assets such as Wrapped ETH, USDC and USDT, then paired them with counterfeit liquidity pools. To an ordinary person, that sounds like a mess of lookalike contracts. To an MEV bot, it looked like money lying on the floor.
Jaredfromsubway.eth went after the bait and granted token approvals. Once those approvals existed, the attacker had the opening they needed. The largest reported transfer moved 1,423 ETH, worth about $2.46 million at the time, on June 20. CoinTelegraph reported that some of the funds were later routed through Tornado Cash.
Blockaid was careful about the mechanics, and the distinction matters. "This is not a classic phishing attack and not a traditional smart-contract vulnerability in the victim contract," Niv said. The bot wasn't tricked through a wallet popup, and the attacker didn't simply find a bug in a victim contract. The trap worked because Jaredfromsubway.eth behaved exactly as an aggressive MEV system is built to behave: it scanned, moved fast, touched unfamiliar contracts and left approvals behind.
That's the uncomfortable part for anyone building autonomous trading infrastructure. Speed is not a side feature of MEV. It's the product. These bots live by reading pending transactions, finding a profit window and acting before anyone else can close it. But when a system is designed to touch strange contracts at high speed, you don't get to act surprised when a stranger builds a contract specifically for you.
Sandwich attacks are simple in outline and ugly in practice. A bot spots a pending swap in Ethereum's mempool, buys before the trader's transaction to push the price up, lets the trader execute at the worse price, then sells immediately after. The victim pays more. The bot keeps the spread. Jaredfromsubway.eth became notorious because it did this constantly, with the article's reported figures putting it at roughly 70% of Ethereum sandwich attacks from late 2024 through 2025.
The money involved was not small. The bot reportedly earned tens of millions of dollars from sandwiching, including about $40 million in one three-month stretch. CoinDesk also noted in May that it front-ran a token swap by Vitalik Buterin, processing $1 million in volume on that trade. You don't need to romanticize the attacker to understand why many Ethereum users will see this drain as rough justice.
Still, don't confuse satisfaction with a solution. A honeypot that catches one bot does not clean up MEV, protect retail traders, or fix public mempool design. It proves something narrower and more useful: extractive bots have their own attack surface. Jaredfromsubway.eth was hunting predictable behavior in other people's trades, and the attacker hunted predictable behavior in Jaredfromsubway.eth.
That is why the dangling approvals matter more than the theater of the story. Any successor bot can add checks, revoke approvals more aggressively, maintain stricter allowlists, or avoid tokens and pools it cannot validate. But every extra check costs time, and time is exactly what MEV bots are built to spend as little of as possible. The tradeoff is right there in the design.
The Ethereum community often calls this environment the dark forest, where unprotected value is eventually noticed and taken. Jaredfromsubway.eth was one of the better-known predators in that forest. On June 20, it found out that predators have patterns too.
For DeFi users, the useful takeaway is not that the good guys won. We don't know who the attacker is, and routing drained ETH through Tornado Cash is not public service. The real point is plainer: on-chain automation is becoming adversarial in both directions. If your system signs approvals, chases unknown pools and assumes every profitable-looking path is real, someone patient enough can build a mirror and wait for you to run into it.
Also read: A USB stick is all it takes to empty your crypto wallet right now • Strategy held its Bitcoin through the 2022 collapse and built a $48 billion cushion, then sold 32 coins to pay a dividend • Bitcoin Standard Treasury launches with 30,000 BTC to challenge Michael Saylor's dominance in the corporate Bitcoin race
