One of Ethereum’s most aggressive MEV bots just got taken for $15 million. JaredFromSubway — known for its controversial “sandwich” trading strategy — was drained after an attacker figured out how to trick its automated detection system.
Blockaid spotted the drain on Saturday. The attacker deployed fake token pools and trading routes that looked like profitable MEV opportunities. The bot’s automation did what it always does: analyzed the routes, approved the helper contracts, and granted ERC-20 token allowances.
But the approvals never got consumed. The attacker accumulated spending permissions over time — eventually reaching over 92,000 WETH approved to a single contract — then swept WETH, USDC, and USDT from the bot via transferFrom.
Early transactions were harmless tests, apparently meant to map out the bot’s behavior. Then the attacker switched tactics and let the approvals pile up before cashing out.
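A defender-side sketch of the pattern described above, added here as an illustration and not code from Blockaid or the bot's operator: it replays ERC-20 approval and transferFrom events and reports allowances the owner left open instead of consuming. The event records, spender names, block numbers, and thresholds are all constructed assumptions.

```python
from collections import namedtuple

# Constructed sample events (not real chain data). Amounts are whole tokens.
Event = namedtuple("Event", "block kind token owner spender value")
MAX_UINT = 2**256 - 1

SAMPLE = [
    Event(100, "approval", "WETH", "bot", "helperA", 50),
    Event(100, "transfer_from", "WETH", "bot", "helperA", 50),  # consumed at once
    Event(110, "approval", "WETH", "bot", "helperB", 4000),     # never consumed
    Event(125, "approval", "WETH", "bot", "helperB", 92000),    # raised, still unused
    Event(130, "approval", "USDC", "bot", "helperB", 10),
    Event(131, "transfer_from", "USDC", "bot", "helperB", 4),
]

def replay(events):
    """Rebuild live allowances: approve() overwrites, transferFrom() spends."""
    live = {}  # (token, owner, spender) -> [remaining, block_first_opened]
    for e in sorted(events, key=lambda ev: ev.block):
        key = (e.token, e.owner, e.spender)
        if e.kind == "approval":
            opened = live[key][1] if key in live else e.block
            live[key] = [e.value, opened]
        elif e.kind == "transfer_from" and key in live:
            if live[key][0] != MAX_UINT:  # many tokens skip the decrement for max
                live[key][0] = max(0, live[key][0] - e.value)
        if key in live and live[key][0] == 0:
            del live[key]  # fully consumed or revoked
    return live

def dangling(events, owner, now_block, max_age=5, caps=None):
    """Allowances `owner` left open longer than max_age blocks or above a cap."""
    caps = caps or {}
    findings = []
    for (token, o, spender), (remaining, opened) in replay(events).items():
        if o != owner:
            continue
        age = now_block - opened
        if age > max_age or remaining > caps.get(token, float("inf")):
            findings.append((token, spender, remaining, age))
    return sorted(findings)

if __name__ == "__main__":
    for finding in dangling(SAMPLE, "bot", now_block=132, caps={"WETH": 1000}):
        print("open allowance:", finding)
```

An allowance that is approved and spent inside the same transaction never shows up here; only permissions that outlive the trade they were granted for are reported.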
JaredFromSubway initially offered a $3 million bounty for the full return. When that went unanswered, they raised it to $7.5 million for just half the stolen funds. They’re also reportedly negotiating with a white-hat hacking group, though nothing’s confirmed.
The irony isn’t lost on anyone: a bot that profits from front-running other traders got front-run itself.
