An attacker drained jaredfromsubway.eth, one of the most active MEV sandwich bots on Ethereum, by tricking its automated trading system into approving attacker-controlled contracts. Blockchain security firm Blockaid valued the assets traced to the attacker at roughly $7.5 million in WETH, USDC, and USDT. The incident, confirmed on June 21, 2026, quickly drew widespread attention from blockchain security monitors and crypto analysts as stolen funds began moving rapidly across multiple wallets and into privacy infrastructure.
Jaredfromsubway.eth was responsible for an estimated 70% of all sandwich attacks on Ethereum between November 2024 and October 2025. The bot has operated since early 2023, quietly accumulating profits by inserting itself into pending trades on decentralised exchanges. Sandwich attacks cost Ethereum traders about $60 million a year, with 60,000 to 90,000 attacks per month. The irony of the attacker turning those same predatory mechanics against the bot itself was noted widely across the crypto community.
How the Trap Was Set: A Counter-MEV Honeypot
This was not a traditional smart contract bug or phishing attack. Blockaid CTO Raz Niv confirmed that the attacker spent several weeks staging the trap. The operator deployed 66 fake token contracts mimicking the names and interfaces of WETH, USDC, and USDT. Each was paired with a sham liquidity pool, and the routes were structured so the bot's automated decision logic would treat the contracts as live MEV opportunities.
Because these fake pools appeared to contain real value and real trading activity, Jaredfromsubway.eth's automated systems flagged them as profitable MEV opportunities. The bot did what it was programmed to do: it approved attacker-controlled helper contracts to spend tokens on its behalf, a standard step in its sandwich attack workflow. Once enough approvals had accumulated across all 66 contracts, the attacker executed a single transaction that called all 66 backdoors simultaneously, sweeping all the WETH, USDC, and USDT from the bot's treasury in one coordinated drain.
The proceeds of the exploit included 1,583 ETH, 2.87 million USDC, and 2.09 million USDT. The assets were later consolidated and swapped into 4,427 ETH, which reduced their fragmentation and made the proceeds easier for the attacker to launder.
50% Bounty Offer Falls on Deaf Ears
In the immediate aftermath, a white-hat bounty offer was made on-chain — requesting the attacker return a portion of the stolen funds within a 48-hour window, with legal action and law-enforcement coordination threatened if no response arrived. An X account using the jaredfromsubway.eth name posted that the bot had lost $15 million and offered a $1 million bounty for the return of the funds. However, several on-chain commentators flagged the account as an impersonator rather than the bot's actual operator. The genuine operator behind the bot has made no verified public statement on Ethereum or elsewhere.
Regardless, on-chain data confirmed that the attacker showed no sign of cooperation and made no move to return funds within any stated window.
Tornado Cash Becomes the Getaway Route
Rather than sitting on the stolen assets, the attacker moved fast and methodically. Shortly after the drain, multiple exact transfers of 100 ETH flowed into Tornado Cash. Each deposit was approximately $172,000 in value. This approach made fund tracing more difficult for authorities. As laundering activity accelerated, at least 1,000 ETH entered Tornado Cash.
The attacker behind the $7.5 million exploit subsequently moved 2,000 ETH, valued at roughly $3.44 million, through the privacy mixer Tornado Cash, according to blockchain analytics firm Onchain Lens. The attacker later converted 1,422 ETH into approximately 2,446,000 DAI, a stablecoin pegged to the U.S. dollar.
The report also flagged that the receiving address was an EIP-7702-delegated account, a feature from Ethereum's 2025 Pectra upgrade that lets a standard wallet run contract code — adding another layer of technical sophistication to the laundering chain.
Once stolen funds enter Tornado Cash at scale, the window for meaningful recovery narrows dramatically — and in this case, the attacker moved faster than any bounty clock.
Why DeFi Bounties Often Fail
This case exposes a hard truth about on-chain bounty negotiations in crypto: they are most effective when the attacker has something to lose or fears identification. A sophisticated exploiter who patiently stages a weeks-long trap, moves quickly through multiple wallets, and systematically deposits proceeds into a privacy mixer has little incentive to accept even a generous offer.
Ethereum's Q2 2026 hack count reached an all-time high of roughly 70 exploits and $746 million stolen before this incident. The MEV-bot exploit is unusual among the quarter's hacks because the victim is not a protocol, not a DAO, and not a custodian — it is a single anonymous operator running automated infrastructure against the open market. That distinction matters: there is no governance mechanism, no emergency multisig, and no community treasury to appeal to when things go wrong.
What Crypto Traders and Protocol Operators Should Take Away
The Jaredfromsubway incident is not an isolated case — it is part of a recurring and accelerating pattern in DeFi where exploiters outpace both negotiations and enforcement. The exploit demonstrates how rapidly attack methods are evolving within decentralised finance. Automated systems, smart contracts, and algorithmic strategies have transformed crypto markets, but increasing sophistication has also created new vulnerabilities.
Security teams need faster alerting infrastructure, real-time approval monitoring, and pre-agreed emergency response playbooks. The approval vector — where a bot or user grants a third-party contract permission to spend tokens — remains one of the most dangerous and underaudited surfaces across DeFi. Once assets hit a mixer at this scale, the probability of full recovery collapses.
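The approval monitoring described above, as an added example rather than code from Blockaid or the bot's operator: it decodes ERC-20 `Approval` logs for a watched account and flags non-allowlisted spenders, unlimited allowances, and tokens that report a WETH, USDC, or USDT symbol from a non-canonical address. The function names, the allowlist, and every sample address other than the three canonical mainnet token contracts are constructed for illustration.

```python
# keccak256("Approval(address,address,uint256)"): topic0 of every ERC-20 Approval log.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1
# Canonical Ethereum mainnet contracts, lowercased.
CANONICAL = {
    "WETH": "0xc02aaa39b223fe8d0a0e5c4f27ead9083c756cc2",
    "USDC": "0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48",
    "USDT": "0xdac17f958d2ee523a2206206994597c13d831ec7",
}

def decode_approval(log):
    """Return (token, owner, spender, value), or None if not an Approval log."""
    t = log["topics"]
    if len(t) != 3 or t[0].lower() != APPROVAL_TOPIC:
        return None
    addr = lambda topic: "0x" + topic[-40:].lower()
    return log["address"].lower(), addr(t[1]), addr(t[2]), int(log["data"], 16)

def review_approvals(logs, owner, spender_allowlist, symbols):
    """symbols maps token address -> the symbol the contract reports for itself."""
    allow = {s.lower() for s in spender_allowlist}
    findings = []
    for log in logs:
        decoded = decode_approval(log)
        if decoded is None or decoded[1] != owner.lower() or decoded[3] == 0:
            continue  # not an approval by the watched account, or a revocation
        token, _, spender, value = decoded
        reasons = []
        if spender not in allow:
            reasons.append("spender-not-allowlisted")
        if value == MAX_UINT256:
            reasons.append("unlimited-allowance")
        sym = symbols.get(token, "").upper()
        if sym in CANONICAL and CANONICAL[sym] != token:
            reasons.append("lookalike-token")  # familiar symbol, unfamiliar address
        if reasons:
            findings.append({"token": token, "spender": spender, "reasons": reasons})
    return findings

# Constructed sample data: every address below except CANONICAL is made up.
BOT, ROUTER, HELPER, FAKE = ("0x" + b * 20 for b in ("b0", "11", "66", "fa"))
SYMBOLS = {**{v: k for k, v in CANONICAL.items()}, FAKE: "USDC"}
def _log(token, spender, value):
    pad = lambda a: "0x" + "0" * 24 + a[2:]
    return {"address": token, "topics": [APPROVAL_TOPIC, pad(BOT), pad(spender)],
            "data": "0x" + format(value, "064x")}
SAMPLE_LOGS = [_log(CANONICAL["WETH"], ROUTER, 10**18),
               _log(CANONICAL["USDC"], HELPER, MAX_UINT256), _log(FAKE, ROUTER, 1000)]
FINDINGS = review_approvals(SAMPLE_LOGS, BOT, [ROUTER], SYMBOLS)
```

On the sample logs, the allowlisted, bounded WETH approval passes, while the unlimited USDC approval to an unknown helper and the approval on the lookalike "USDC" contract are both reported.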
For Indian and South Asian retail traders active in DeFi, this is a timely reminder: audit your token approvals regularly, limit smart contract exposure to what you actively use, and never assume that a well-known on-chain name means a bulletproof contract. The Jaredfromsubway case will be studied as a textbook example of how on-chain transparency and privacy tools collide in real time — and why no bounty offer, however generous, is a substitute for airtight operational security.
Highlights
- Estimated exploit loss: approximately $7.5 million in WETH, USDC, and USDT
- Attack method: counter-MEV honeypot using 66 fake token contracts deployed over several weeks
- Assets consolidated: approximately 4,427 ETH post-exploit
- Bounty offer: made publicly, attacker did not respond
- ETH laundered through Tornado Cash: at least 2,000 ETH per Onchain Lens tracking
- Additional laundering: 1,422 ETH converted into approximately 2.4 million DAI





