Jaredfromsubway MEV bot drained of $7.5M via approvals
Jaredfromsubway.eth lost over $7.5 million after approving attacker-controlled contracts that used ERC-20 allowances to withdraw WETH, USDC and USDT.
On June 21, 2026, the automated Ethereum MEV bot Jaredfromsubway.eth lost more than $7.5 million after approving attacker-controlled contracts that then used ERC-20 allowances to withdraw tokens from the bot’s addresses. On-chain security firm Blockaid reported the attacker spent weeks deploying imitation tokens, fake liquidity pools and supporting contracts designed to resemble legitimate markets the bot would trade against. The bot identified profitable-looking routes and granted helper contracts permission to move tokens; many of those approvals remained active after early trades.
Blockaid’s traces show repeated transfers that together removed roughly 92 WETH, about $143,000 in USDC and around $149,000 in USDT from a contract linked to the bot, with total losses exceeding $7.5 million. A coordinating contract ran a withdrawal function across dozens of subsidiary contracts, checked balances and remaining allowances, and swept available tokens to an attacker-controlled address. Some proceeds were routed through Tornado Cash.
The attacker initially used the granted permissions in ways the bot expected, creating a pattern the automation continued to accept. Later transactions left many approvals unused. Once enough unspent allowances had accumulated, the attacker called transferFrom on the approved contracts to move assets out of the bot’s accounts. Blockaid reported the operation did not involve stealing private keys or exploiting a protocol-level vulnerability; it targeted the bot’s approval and route-detection logic.
Jaredfromsubway.eth has operated since 2023 and is a major participant in Ethereum maximal extractable value, or MEV. Reports link the bot to about 70% of Ethereum sandwich attacks. In a sandwich attack, an automated trader spots a pending trade and places orders before and after that trade to profit from the resulting price impact.
Security practitioners recommend reviewing approval logic, limiting allowance sizes and adding checks to distinguish genuine markets from staged ones. They note that automated systems that prioritize speed can be difficult to harden without affecting execution performance.
Yearn Finance developer Banteg called the final operation ‘an allowance drain rather than a conventional token swap.’








