You know the guy at the poker table who reads everyone else’s tells? Someone just stacked the deck specifically for him. Jaredfromsubway.eth — the MEV bot reportedly behind roughly 70% of Ethereum sandwich attacks over a roughly one-year window ending October 2025, according to Cointelegraph Research — got drained for more than $7.5 million. Blockchain security firm Blockaid reported the incident around June 20, 2026. The predator became the meal.
Sandwich attacks work like a toll booth nobody asked for. The bot spots your pending swap, jumps in front to buy the token, lets your trade push the price up, then sells immediately after. You pay more. The bot profits. Rinse, repeat, at an industrial scale. Jaredfromsubway.eth turned this into a business model so efficient that it functioned like a subscription fee on every DeFi trade you never agreed to.
The attacker studied its patterns like a Netflix algorithm studies yours. They deployed 66 fake token contracts and fake liquidity pools designed to look like profitable opportunities involving WETH, USDC, and USDT. The bot’s automation did exactly what it was built to do: engage. In the process, it granted token approval permissions to attacker-controlled helper contracts. Those permissions sat quietly. Then the attacker used transferFrom-style calls to sweep real assets clean.
Blockaid described the event as attacker-controlled contracts tricking an automated MEV system into granting approvals, then using those permissions to drain funds.
Same Tool, Different Hands
The mechanics of the trap reveal ordinary DeFi approval risk weaponized against an extraordinary target.
Here’s what actually happened:
- 66 fake token contracts and fake liquidity pools deployed as bait
- The bot approved attacker-controlled contracts to spend tokens on its behalf
- Assets drained: WETH, USDC, and USDT
- Stolen funds reportedly moved to Tornado Cash
- Blockaid classified this as a counter-MEV honeypot, not traditional phishing
This wasn’t a novel blockchain vulnerability. The approval risk here is the same risk you run every time you interact with a DeFi contract. What’s different is the target. When your trading system operates on-chain — fully automated and publicly readable — sophisticated actors can reverse-engineer traps calibrated to your bot’s exact behavior. Assets, including WETH, USDC, and USDT, were drained and reportedly routed to Tornado Cash shortly after. The attack surface wasn’t the blockchain. It was predictability.
Jaredfromsubway.eth built a fortune exploiting other people’s predictable behavior. Someone returned the favor with interest. For every automated DeFi system still running with loose approval logic, the message is blunt: tighter permission controls and private transaction routing aren’t optional anymore — tools like Revoke.cash or wallet-level approval audits take under five minutes and cut your exposure significantly.
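The approval audit recommended above can be sketched as a replay of ERC-20 Approval event logs. This is an added example, not code from Blockaid, Revoke.cash, or the bot operator. The log dictionaries, addresses, and the trusted-spender allowlist are constructed for illustration; only the Approval event signature hash is a real value.

```python
# keccak256("Approval(address,address,uint256)"), the standard ERC-20 event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1  # the "infinite approval" value

def topic_to_address(topic):
    # An indexed address is left-padded to 32 bytes; keep the low 20 bytes.
    return "0x" + topic[-40:].lower()

def open_allowances(logs, owner, trusted_spenders):
    """Allowances granted by `owner` that are still non-zero and whose spender
    is not on the operator's allowlist. `logs` must be in chain order."""
    owner = owner.lower()
    trusted = {s.lower() for s in trusted_spenders}
    latest = {}  # (token, spender) -> most recently approved amount
    for log in logs:
        topics = log["topics"]
        # ERC-721 Approval shares this hash but has 4 topics; skip it.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[1]) != owner:
            continue
        key = (log["address"].lower(), topic_to_address(topics[2]))
        latest[key] = int(log["data"], 16)
    # Some tokens lower the allowance on transferFrom without a new event, so
    # the amount is an upper bound; confirm with allowance(owner, spender).
    return [
        {"token": t, "spender": s, "amount": a, "unlimited": a == UNLIMITED}
        for (t, s), a in latest.items()
        if a != 0 and s not in trusted
    ]

# --- constructed sample data (placeholder addresses, not real contracts) ---
def pad(addr): return "0x" + "0" * 24 + addr[2:]
def word(n): return "0x" + format(n, "064x")

BOT, ROUTER, HELPER = "0x" + "b0" * 20, "0x" + "a1" * 20, "0x" + "e7" * 20
TOKEN_A, TOKEN_B = "0x" + "11" * 20, "0x" + "22" * 20
SAMPLE_LOGS = [
    {"address": TOKEN_A, "topics": [APPROVAL_TOPIC, pad(BOT), pad(ROUTER)], "data": word(UNLIMITED)},
    {"address": TOKEN_A, "topics": [APPROVAL_TOPIC, pad(BOT), pad(HELPER)], "data": word(UNLIMITED)},
    {"address": TOKEN_B, "topics": [APPROVAL_TOPIC, pad(BOT), pad(HELPER)], "data": word(5000)},
    {"address": TOKEN_B, "topics": [APPROVAL_TOPIC, pad(BOT), pad(HELPER)], "data": word(0)},  # revoked
]

if __name__ == "__main__":
    for finding in open_allowances(SAMPLE_LOGS, BOT, [ROUTER]):
        print(finding)
```

For an automated system, the useful output is the set of spenders that hold a live allowance but were never on the allowlist; those are the approvals to revoke first.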