Attacker Exploited Approval Logic to Drain WETH, USDC, and USDT

Jaredfromsubway.eth, a dominant Ethereum MEV bot, lost more than $7.5 million after an attacker deployed fake tokens and liquidity pools to trick the bot into authorizing ERC-20 allowances, then used those approvals to drain real assets via transferFrom function calls.

The attacker drained 92 WETH, $143,000 in USDC, and $149,000 in USDT from the bot’s accounts after spending several weeks setting up the malicious infrastructure. According to Blockaid, an onchain security company, “the attacker did not compromise the bot’s private keys or exploit a flaw in a widely used decentralized finance protocol. Instead, the operation targeted the rules the bot used to identify and pursue potential profits.”

Jaredfromsubway.eth has operated since 2023 and emerged as one of Ethereum’s most active MEV participants. The bot is linked to approximately 70% of Ethereum sandwich attacks, in which a bot buys an asset first to push its price up, a user’s transaction executes at a worse price, and the bot sells for profit. Sandwich attacks impose an estimated $60 million in annual costs on traders.

The bot’s approval logic created the opening for the drain. The attacker crafted a social engineering attack rather than exploiting a protocol vulnerability. By deploying fake tokens paired with liquidity pools, the attacker’s contracts appeared legitimate to the bot’s automated trading logic. Once the bot approved these contracts to spend its tokens, the attacker executed transferFrom calls to extract real WETH, USDC, and USDT.
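
An added example, not taken from the article or from any party it names: a defender-side audit that replays ERC-20 Approval events for one account and flags non-zero allowances on WETH, USDC or USDT held by spenders outside an operator allowlist. The addresses, the allowlist, the event tuples and the use of token labels in place of contract addresses are constructed assumptions.

```python
# Added example: audit ERC-20 allowances reconstructed from Approval events.
# Every address, label and amount here is a constructed placeholder.
MAX_UINT256 = 2**256 - 1

PROTECTED_TOKENS = {"WETH", "USDC", "USDT"}   # the assets named in the article
TRUSTED_SPENDERS = {"0xROUTER_PLACEHOLDER"}   # hypothetical operator allowlist


def live_allowances(approvals, owner):
    """Return {(token, spender): value} from the latest Approval per pair.

    approve() overwrites the previous allowance, so the last event wins.
    Values are upper bounds: transferFrom may already have spent part.
    """
    latest = {}
    for block, log_index, token, ev_owner, spender, value in sorted(approvals):
        if ev_owner == owner:
            latest[(token, spender)] = value
    return {pair: v for pair, v in latest.items() if v > 0}


def risky_allowances(approvals, owner):
    """Non-zero allowances on protected tokens held by untrusted spenders."""
    findings = []
    for (token, spender), value in live_allowances(approvals, owner).items():
        if token in PROTECTED_TOKENS and spender not in TRUSTED_SPENDERS:
            findings.append({"token": token, "spender": spender,
                             "value": value, "unlimited": value == MAX_UINT256})
    return sorted(findings, key=lambda f: (f["token"], f["spender"]))


BOT = "0xBOT_PLACEHOLDER"
# Constructed events: (block, log_index, token, owner, spender, value)
SAMPLE_APPROVALS = [
    (100, 0, "WETH", BOT, "0xROUTER_PLACEHOLDER", MAX_UINT256),  # allowlisted
    (101, 2, "USDC", BOT, "0xUNKNOWN_POOL_A", MAX_UINT256),      # should be flagged
    (102, 1, "USDT", BOT, "0xUNKNOWN_POOL_B", 5_000),
    (103, 0, "USDT", BOT, "0xUNKNOWN_POOL_B", 0),                # later revoked
    (104, 0, "FAKE", BOT, "0xUNKNOWN_POOL_A", MAX_UINT256),      # worthless token
    (105, 0, "WETH", "0xOTHER_OWNER", "0xUNKNOWN_POOL_A", 1),    # different owner
]

if __name__ == "__main__":
    for finding in risky_allowances(SAMPLE_APPROVALS, BOT):
        print(finding)
```

Before acting on a finding, confirm the current figure with the token's allowance(owner, spender) view, since the event log only bounds it from above.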

The bot’s transactions have historically pushed Ethereum network gas fees higher during periods of high MEV activity. Some of the drained proceeds were routed through Tornado Cash, a crypto-mixing service, according to onchain analysis.

The incident highlights a blind spot in automated trading systems: even when private keys remain secure and underlying protocols function as designed, a bot’s own approval rules can become an attack surface. Yearn Finance developer Banteg and researcher Doug Colkitt have published diagrams documenting the attack flow.

The bot operator has not publicly responded to the incident or confirmed whether recovery efforts are underway.