The Jaredfromsubway MEV bot, linked to roughly 70% of Ethereum sandwich attacks, lost more than $7.5 million in an allowance drain after its automated system authorized attacker-controlled contracts to spend its tokens.
The bot, known as Jaredfromsubway.eth, approved a series of transactions that appeared to be part of profitable trading routes. Those permissions remained active, allowing the attacker to remove wrapped ether and two major stablecoins from contracts associated with the operation.
The incident effectively caused one of Ethereum’s largest extractive trading systems to approve its own theft. It also highlights a vulnerability facing automated traders that must evaluate markets, authorize contracts, and execute transactions within seconds.
Onchain security company Blockaid said the attacker did not compromise the bot’s private keys or exploit a flaw in a widely used decentralized finance protocol. Instead, the operation targeted the rules the bot used to identify and pursue potential profits.
How Jaredfromsubway.eth was drained
According to Blockaid, the attacker had spent several weeks deploying imitation tokens, liquidity pools, and supporting contracts that resembled markets the bot might normally trade against.
The fake assets included versions of wrapped Ethereum, USDC, and USDT, paired via trading routes designed to generate profitable-looking signals. Jaredfromsubway.eth detected those routes and followed its usual process of permitting helper contracts to move tokens as part of the expected trades.
Some early transactions used the permissions as anticipated, helping establish a pattern that the bot’s system continued to accept. Later transactions left the approvals unused.
That distinction gave the attacker an opening through ERC-20 approvals, which allow another address or smart contract to spend a specified amount of tokens belonging to the approving account.
The permission can remain available after the original transaction unless it is exhausted, reduced, or revoked.
Once the attacker had accumulated enough unspent allowances, the contracts used the ERC-20 transferFrom function to move real WETH, USDC, and USDT from the bot’s accounts.
On-chain records show repeated transfers totaling about 92 WETH, $143,000 USDC, and $149,000 USDT from a contract linked to the bot. The funds were directed to an address controlled by the attacker.
Yearn Finance developer Banteg described the final operation as an allowance drain rather than a conventional token swap. A coordinating contract called a withdrawal function across dozens of subsidiary contracts, which checked the bot’s balances and their remaining permissions before transferring the available tokens.
Some of the proceeds were subsequently sent through Tornado Cash, a crypto-mixing service that can make funds more difficult to trace.
A dominant sandwich operator becomes the target
Jaredfromsubway.eth has operated since 2023 and became one of the most prominent participants in Ethereum’s market for maximal extractable value (MEV).
MEV refers to revenue generated by changing the order in which blockchain transactions are processed. In a sandwich attack, a bot identifies a pending trade and buys the asset first, pushing up its price. The user’s transaction then executes at the less favorable price before the bot sells, capturing the difference.
That made Jaredfromsubway.eth one of Ethereum’s most visible sandwich attack bots before the same automation became the route into its own funds.
The loss to any individual trader may be small. Across tens of thousands of transactions, however, the strategy can generate substantial revenue while increasing trading costs and network fees.
According to reports, these attacks imposed an estimated $60 million in annual costs on traders, while about 70% were associated with a single operator identified as Jaredfromsubway.eth.