Ethereum’s most prominent sandwich MEV bot, JaredFromSubway.eth, lost more than $7.5 million in an exploit on June 20, 2026. The attacker exploited the bot’s automated trading system by simulating profitable opportunities rather than through a traditional smart contract vulnerability or private key compromise. Security researchers identified the drain shortly after it occurred. Independent estimates placed the loss around $7.5 million in WETH, USDC, and USDT, though the bot operator publicly referenced a higher figure near $15 million.
🚨Community Alert:
Blockaid Exploit Detection system detected an exploit involving the @jaredsmev MEV bot on Ethereum.
The incident resulted from attacker-controlled contracts tricking an automated MEV execution system into granting token approvals, later used to drain funds.…— Blockaid (@blockaid_) June 20, 2026
The attack unfolded over several weeks. The perpetrator deployed dozens of fake token contracts and liquidity pools mimicking wrapped Ether and major stablecoins. These setups created the appearance of profitable MEV opportunities that the bot’s logic would naturally pursue. JaredFromSubway.eth’s system generated token approvals for attacker-controlled helper contracts as part of what it perceived as routine execution for arbitrage or sandwich trades. In initial tests, approvals were consumed immediately. Later iterations left standing allowances that the attacker could exploit.
A key example involved an approval for roughly 92 WETH to a helper contract at 0x4ee0…313ce. That permission remained active until the final sweep. The attacker then used a sweep contract to pull funds via transferFrom calls from the bot’s main contracts. Funds flowed to the attacker-controlled wallet starting with 0x3e37…65d0 On-chain records show portions of the stolen assets routed through Tornado Cash for obfuscation.
The attack also comes amid a broader wave of crypto security incidents that have targeted cross-chain bridges, exchanges, and trading infrastructure in recent months, underscoring how threat actors continue to exploit weaknesses across the digital asset ecosystem.
On June 22, the JaredFromSubway operator publicly offered a 50% white hat bounty. The message stated they were willing to pay for the return of 2150 ETH to a specified address within 48 hours, warning of legal and law-enforcement action otherwise.
jaredfromsubway.eth just offered 50% white hat bounty to the exploiter.
“Well played. We are willing to offer a 50% white hat bounty if you return 2150 ETH to this address in the next 48 hours, otherwise we will pursue all available legal and law-enforcement remedies.” pic.twitter.com/0lr69EqWpt
— Kakashi (@kkashi_yt) June 22, 2026
JaredFromSubway.eth has operated since early 2023 and is linked to a significant share of Ethereum sandwich attacks. Estimates suggest it accounted for around 70% of such activity in periods between late 2024 and 2025, contributing to substantial trader costs. The bot gained notoriety for high-volume operations that often front-ran user swaps on decentralized exchanges.
This incident stands out because it reversed the typical dynamic. The bot, which profits by inserting itself into others’ trades, fell victim to a carefully constructed counter-strategy that weaponized its own pattern-recognition and approval mechanisms. The exploit carries limited direct impact on broader DeFi total value locked, as the funds resided in the bot’s operational wallets rather than a shared protocol. However, it underscores ongoing challenges for automated systems that interact at high speed with unverified contracts and liquidity pools.
MEV activity remains a contentious part of Ethereum’s ecosystem. While it provides liquidity and arbitrage that can tighten spreads, sandwich attacks extract value directly from retail traders, often increasing effective slippage and gas costs. The operator has pursued recovery efforts, including the recent bounty offer. As of the latest updates, the attacker had not publicly responded, and funds remain unrecovered.
This case adds to a series of incidents where sophisticated actors target MEV infrastructure, highlighting the need for stricter approval management and simulation safeguards in high-stakes automated trading.
The exploit also adds to the growing list of major cryptocurrency thefts recorded in 2026, a year that has already seen billions of dollars lost to hacks, exploits, and protocol compromises. The continued rise in high-profile security incidents serves as another reminder that even advanced automated trading systems remain vulnerable to carefully engineered attacks and social manipulation techniques embedded within on-chain activity.
