Ethereum’s well-known MEV bot JaredFromSubway was drained after an attacker used contracts that made its automated trading system grant token approvals, according to Blockaid.

The security firm said the incident was not a normal phishing case and not a direct bug in the victim contract. 

“This is not a classic phishing attack and not a traditional smart-contract vulnerability in the victim contract,” Blockaid said. 

The firm said the bot approved attacker-controlled contracts during routes that appeared to be profitable MEV trades.

🚨Community Alert:
Blockaid Exploit Detection system detected an exploit involving the @jaredsmev MEV bot on Ethereum.
The incident resulted from attacker-controlled contracts tricking an automated MEV execution system into granting token approvals, later used to drain funds.…

— Blockaid (@blockaid_) June 20, 2026

Blockaid says approvals stayed open

Blockaid said the attacker first tested routes where approvals were used at once, leaving no open allowance. Later, the attacker changed the route design so the bot gave approvals that were not spent or revoked.

One example cited by Blockaid involved an approval of about 92.16 WETH to an attacker helper contract. Etherscan data for the transaction showed jaredfromsubway.eth interacting with its MEV Bot 2 contract before the later sweep. The transaction record also showed ERC-20 movements tied to the same automated route.

Final sweep hit WETH, USDC and USDT

The final transaction used the open approvals to pull WETH, USDC and USDT from the JaredFromSubway MEV bot contract through transferFrom. Etherscan showed transfers from “jaredfromsubway: MEV Bot 2” to the attacker wallet beginning with 0x3e37.

Blockaid put the drained amount at about $7.5 million. The JaredFromSubway account later claimed the loss was $15 million and offered a $1 million bounty for the full return of the funds. That difference has not been fully explained in the public posts reviewed.

🚨 Major incident: My MEV bot JaredFromSubway.eth was just drained for $15M

I am offering a $1,000,000 USD bounty for the full return of the funds

No Q asked. Full confidentiality and safe return guaranteed. This is a legitimate, time-sensitive bounty.
Contact me privately. https://t.co/5VXfdg9tap

Advertisement

— Jaredfromsubway.eth (@jaredsmev) June 20, 2026

How the attacker turned the bot’s logic against it

The attack appears to have targeted the bot’s own trading workflow. MEV bots watch Ethereum activity and act on transactions that look profitable. In this case, attacker-controlled contracts made the route look useful enough for the bot to approve spending rights.

The attacker used 66 fake token contracts that copied the look and function of WETH, USDC and USDT. These contracts were paired with fake liquidity pools. The setup pushed the bot toward approvals that later became the path for the drain.

JaredFromSubway’s record is back in focus

JaredFromSubway is one of Ethereum’s most watched sandwich bots. In a sandwich attack, a bot places trades before and after a user’s swap. This can give the user a worse price while the bot captures the spread.

As previously reported by crypto.news, JaredFromSubway targeted a small swap by Ethereum co-founder Vitalik Buterin in April, using about $1.14 million in WETH volume across SushiSwap and Uniswap V2. Crypto.news also reported in 2023 that the bot used 455 ETH in gas within 24 hours and accounted for about 7% of Ethereum gas use during that period.

The exploit now puts attention on token approvals used by automated systems. The case shows how a system built to act quickly on open market data can be steered into unsafe permissions when controls around approvals are weak. It also adds a new chapter to the wider debate over MEV, sandwich trades and user protection on Ethereum.

For now, the key public details remain split between Blockaid’s technical thread, the on-chain records and posts from the JaredFromSubway account. No recovery had been confirmed in the reviewed updates.

US-listed spot Bitcoin exchange-traded funds (ETFs) are experiencing another period of heavy selling pressure, with Galaxy Research data indicating the largest 30-day net outflow since the products began trading in January 2024. The renewed outflow streak comes amid a broader risk-off environment for crypto that has weighed on Bitcoin’s price and investor positioning.

According to Galaxy Research, US spot Bitcoin ETFs recorded $6.35 billion in net outflows across a trailing 30 trading-day window. The figures also align with a longer-running pattern: Galaxy Research said the ETFs logged their sixth consecutive week of net outflows last week, bringing cumulative net flows to $53.4 billion, down from a $63 billion peak reached in October 2025.

Key takeaways

• Galaxy Research reports US spot Bitcoin ETFs saw $6.35B in net outflows over the last 30 trading days.
• ETFs have now entered their sixth straight week of net outflows, with cumulative net flow down from a $63B peak in October 2025.
• BlackRock’s iShares US equity ETFs head Jay Jacobs said day-to-day ETF flows can have many causes beyond “bearish” sentiment.
• Bitcoin has been under pressure from macro factors, with trading at $64,167 at the time of writing, down 17.4% over the past month.

Biggest recent 30-day outflow highlights ongoing ETF stress

The latest ETF flow data points to a sustained rotation away from spot Bitcoin exposure rather than a one-off pullback. Galaxy Research’s assessment that daily outflows are “still deepening day over day” suggests pressure has not stabilized, even as the market continues to digest a relatively mature product lineup.

In earlier phases of the January 2024 rollout, inflow dynamics were closely watched as a signal that institutional demand was building. This time, however, Galaxy Research’s tracking shows the ETFs are moving further into negative territory relative to their earlier peak, implying that the market is currently in a different behavioral regime—one where outflows are not only recurring, but intensifying.

Why outflows happen: Jacobs points to internal ETF switching

While outflows can be interpreted as reduced institutional interest, BlackRock ETF executives caution against treating every day of selling as a single narrative. Speaking to Cointelegraph, Jay Jacobs, BlackRock US head of equity ETFs, argued that observers may be overreading short-term flow prints.

Jacobs said a day of outflows might reflect a portfolio reshuffle among ETF products rather than broad withdrawal from the asset class. He noted that transfers can occur within the ETF ecosystem—for example, an investor could sell one Bitcoin ETF and buy another.

“What I think is maybe sometimes misunderstood by the market is that if we see a day of outflows, there could be a million reasons why. It could be someone selling IBIT and buying BITA,” Jacobs said. His comments referenced BITA, an iShares Bitcoin Premium Income ETF launched on Wednesday.

This distinction matters for readers because it changes how flow data should be interpreted. If part of the outflow is simply switching between products, then net outflow numbers may understate underlying demand for Bitcoin exposure, at least in the very short run. That said, Galaxy Research’s broader multi-week pattern still indicates investors are leaving the spot Bitcoin sleeve overall, even if some flows may represent internal reallocations.

Macro pressure and geopolitical risk sit alongside ETF weakness

ETF outflow data is arriving as Bitcoin faces multiple headwinds outside the funds themselves. The article notes Bitcoin was trading at $64,167 at the time of writing, down 17.4% over the month, with the coin “pressured by macroeconomic factors,” including an increase in US inflation and the ongoing war involving the US and Iran.

Macro variables can influence Bitcoin’s attractiveness to both institutions and retail traders, especially during periods when liquidity conditions and risk appetite deteriorate. In such environments, investors often reduce exposures that are perceived as volatile, or they demand higher compensation for risk—both of which can show up as ETF outflows.

However, ETF flows also do not always move strictly in tandem with price. Even when Bitcoin declines, flow can sometimes remain steady as new investors enter or as existing holders rebalance. Here, though, Galaxy Research’s “deepening” language suggests that both price weakness and investor behavior are aligned toward reducing spot ETF exposure.

BlackRock maintains a longer-term view despite volatility

In response to the current outflow environment, Jacobs emphasized that volatility itself does not necessarily alter the long-term investment case for Bitcoin. He framed ETF flow variability as common across asset classes managed by large index and ETF providers.

Jacobs said BlackRock continues to view Bitcoin as a “global, decentralized” and “nonsovereign monetary alternative,” adding that short-term fluctuations are expected within a broad ETF lineup. He referenced the scale of iShares products, saying the firm manages “over 450 exchange-traded funds” within iShares.

“Every asset class has volatility… we have over 450 exchange-traded funds within iShares,” Jacobs said. He added that inflows and outflows occur across a wide range of assets—ranging from large cap and small cap equities to Bitcoin and gold—and that, in the short term, daily fund flow movement does not change how BlackRock views the asset’s utility.

For investors, the practical takeaway is that ETF flow cycles may not be a clean proxy for conviction. At the same time, persistent, multi-week outflows—as Galaxy Research describes—still deserve attention, because sustained selling reduces net demand for spot Bitcoin exposure and can compound downside if it drives additional hedging or portfolio adjustments.

Going forward, readers should watch whether outflows stabilize or continue to deepen week over week, and whether any of the newly launched or expanding ETF lineup leads to more visible switching patterns rather than pure reduction in Bitcoin exposure. With macro conditions and geopolitics still in the background, the key uncertainty remains whether current fund outflows represent temporary repositioning—or a longer retreat from spot Bitcoin demand.

US-listed spot Bitcoin exchange-traded funds (ETFs) are enduring a prolonged stretch of withdrawals, registering their largest 30-day net outflow since trading began in January 2024. The move comes during a broader risk-off period for crypto markets and underscores how ETF flows can diverge from short-term price headlines.

According to Galaxy Research data shared on social media, US spot Bitcoin ETFs recorded $6.35 billion in net outflows over the trailing 30 trading days. This also marks a continuation of negative momentum, with the funds completing six straight weeks of outflows, bringing cumulative net flow to $53.4 billion—down from a $63 billion peak reached in October 2025.

Key takeaways

• Galaxy Research reports $6.35B in net outflows across US spot Bitcoin ETFs over the last 30 trading days, the worst since January 2024.
• Six consecutive weeks of withdrawals have reduced cumulative ETF net flows to $53.4B, below an $63B high in October 2025.
• BlackRock’s iShares ETFs chief for US equity ETFs, Jay Jacobs, said day-to-day outflows can have multiple drivers that don’t necessarily reflect a single bearish thesis.
• Bitcoin’s spot market remains pressured by macroeconomic factors and geopolitical risk, though Jacobs argued volatility alone doesn’t change ETF issuers’ long-term positioning.

The worst 30-day outflow since launch

While spot Bitcoin ETFs have not been uniformly positive since their launch, Galaxy Research’s latest tally highlights how quickly the flow picture can worsen when sentiment turns. The firm characterized ongoing daily withdrawals as “still deepening day over day,” suggesting the recent outflows are not merely a short-lived dip.

Galaxy’s figures also frame the withdrawals against the ETFs’ earlier accumulation phase. The current cumulative net flow of $53.4 billion remains positive overall since launch, but it is now well below the $63 billion peak registered in October 2025—indicating that inflows earlier in the cycle have been partially given back.

Why ETF outflows don’t always mean “institutional exit”

Some market participants may read persistent outflows as confirmation of weakening institutional demand. However, BlackRock’s Jay Jacobs pushed back against a simplistic interpretation of daily ETF flow prints.

Speaking to Cointelegraph, Jacobs argued that outflows can result from routine reallocations rather than a broad selloff. In his view, a single day of withdrawals may reflect internal fund switching—such as investors moving exposure from one ETF to another.

“What I think is maybe sometimes misunderstood by the market is that if we see a day of outflows, there could be a million reasons why. It could be someone selling IBIT and buying BITA,” Jacobs said, referring to BlackRock’s iShares Bitcoin Premium Income ETF (BITA), which launched on Wednesday.

This distinction matters for traders and allocators trying to interpret flows as a directional signal. Galaxy Research’s data points to a negative trend over weeks, but Jacobs’ comments suggest that even during such periods, component funds within the broader Bitcoin ETF complex can experience opposite movements as investors rebalance.

Bitcoin price pressure continues alongside flow weakness

At the time of writing, Bitcoin was trading around $64,167, down 17.4% over the past month. Cointelegraph previously reported that Bitcoin has been pressured by macroeconomic factors, including increased US inflation, as well as geopolitical risk tied to the ongoing conflict between the US and Iran. Those drivers can weigh on liquidity and investor risk appetite—conditions that often affect both spot crypto demand and ETF flow behavior.

Even so, Jacobs said BlackRock does not treat BTC volatility as a reason to reconsider the asset’s longer-term role. He characterized volatility as a feature of many markets and pointed to the breadth of assets held across iShares’ ETF lineup.

“Every asset class has volatility… we have over 450 exchange-traded funds within iShares,” Jacobs said, noting that daily inflows and outflows occur across different asset categories including large-cap, small-cap, Bitcoin, and gold.

In his framing, short-term flow reversals do not necessarily change the underlying investment utility. “So we see inflows and outflows every day across a wide range of assets from large cap, small cap, Bitcoin, gold, etc. So in the short term, it’s absolutely not something that changes the way we view the asset or the utility of the asset.”

What investors should watch next

The immediate takeaway is that the ETF complex is still bleeding, with Galaxy Research pointing to deepening daily outflows and the worst trailing 30-day result since launch. The longer question is whether this pattern continues to consolidate into sustained outflow pressure—or whether it stabilizes as investors rotate between funds and as macro and geopolitical conditions evolve.

For market participants, the next milestone will be whether ETF outflows remain concentrated over multiple weeks (supporting a bearish flow narrative) or start to narrow in magnitude as rebalancing activity and sentiment shifts take hold.

US-listed spot Bitcoin exchange-traded funds recorded their largest 30-day net outflow since launching in January 2024 amid a crypto bear market.

According to data from Galaxy Research, US Bitcoin ETFs saw $6.35 billion in net outflows over a trailing 30 trading days. It also comes as they registered their sixth week of outflows last week, bringing their cumulative net flow to $53.4 billion, down from their $63 billion peak in October 2025.

Galaxy Research said the daily outflows are “still deepening day over day.” 

The outflows could reflect waning sentiment from institutional investors for Bitcoin. However, BlackRock US head of equity ETFs Jay Jacobs told Cointelegraph on Thursday that there are many other reasons why outflows occur day to day.

Source: Galaxy Research

“What I think is maybe sometimes misunderstood by the market is that if we see a day of outflows, there could be a million reasons why. It could be someone selling IBIT and buying BITA,” Jacobs said, referring to its iShares Bitcoin Premium Income ETF (BITA), which launched on Wednesday.

Bitcoin is trading at $64,167 at the time of writing, down 17.4% over the past month. The asset has been pressured by macroeconomic factors, including an increase in US inflation, along with the ongoing war between the US and Iran. 

Related: Bitcoin activity nears record highs on microtransaction surge

However, Jacobs said the volatility hasn’t impacted BlackRock’s view of Bitcoin as a global, decentralized, nonsovereign monetary alternative. 

“Every asset class has volatility… we have over 450 exchange-traded funds within iShares,” said Jacobs, referring to the family of ETFs and index mutual funds managed and marketed by BlackRock.

“So we see inflows and outflows every day across a wide range of assets from large cap, small cap, Bitcoin, gold, etc. So in the short term, it’s absolutely not something that changes the way we view the asset or the utility of the asset.”

Magazine: Bitcoin decouples from tech stocks, Ether eyes ‘selling wave’: Market Moves

Cointelegraph is committed to independent, transparent journalism. This news article is produced in accordance with Cointelegraph’s Editorial Policy and aims to provide accurate and timely information. Readers are encouraged to verify information independently.

A leading Ethereum MEV bot, Jaredfromsubway.eth, has reportedly been drained of more than $7.5 million after an attacker exploited weaknesses in the bot’s automated execution workflow. The incident highlights a critical, often underappreciated risk for MEV infrastructure: once a bot is trusted with permissions, attackers only need to trick it into granting the right approvals to move funds.

According to Blockaid, the attacker used attacker-controlled contracts to manipulate Jaredfromsubway.eth’s automated MEV execution system into issuing token approvals that were later used to drain funds. Blockaid described the event as neither a classic phishing attempt nor a straightforward smart-contract vulnerability in the bot’s victim contracts.

Key takeaways

• Blockaid attributes the theft to malicious approvals: attacker-controlled contracts induced Jaredfromsubway.eth to authorize spending before sweeping funds.
• The attack was “counter-MEV” in design, targeting the bot’s trust-minimized decision logic and execution pipeline rather than attempting to directly compromise the bot’s private keys.
• Fake token and liquidity artifacts played a central role, with the attacker deploying dozens of contracts designed to resemble major Ethereum assets and venues.
• The event reinforces systemic MEV exposure—even bots that target profitable opportunities can become liabilities if they approve the wrong spending permissions.

What Blockaid says happened

In its account of the incident, Blockaid said the attacker’s main move was to exploit how automated MEV bots operate: by monitoring activity and then executing trades based on what appear to be profitable on-chain opportunities. In this case, the “profitable” paths were set up by the attacker using contracts that behaved like bait.

Blockaid noted that the event on Saturday did not resemble a typical phishing scenario, and it was not characterized as a traditional smart-contract bug in the bot’s victim logic. Instead, the focus was on the automated execution system itself—specifically the token approval steps that enable a bot to interact with assets and helper contracts during MEV operations.

A “honeypot” aimed at the bot’s approvals

Blockaid’s chief technology officer, Raz Niv, told Cointelegraph that the attack functioned as a counter-MEV honeypot. The strategy, he explained, was to target the bot’s trust-minimized decision-making logic—the part that determines which trades to pursue and which contracts to empower.

Over several weeks, the attacker allegedly deployed 66 fake token contracts designed to imitate familiar assets such as Wrapped ETH (WETH), USDC, and USDT, pairing them with fake liquidity pools. The goal was to create the appearance of trade opportunities that automated systems like Jaredfromsubway.eth are programmed to seek.

Once the bot interacted with these counterfeit contracts, Jaredfromsubway.eth reportedly approved certain attacker-controlled helper contracts that would later be used to move real funds. As Niv put it, the bot effectively handed over “the keys” to its treasury—an important reminder that approvals can be as dangerous as vulnerabilities when automation is involved.

“And then in a single transaction, the attacker called all 66 backdoors and swept all the ETH, USDC, and USDT at these addresses, amounting to millions of dollars.”

Why this matters beyond one wallet

MEV bots are typically described as automation that scans unconfirmed or pending activity and then reorders or manipulates transactions to extract profit. In doing so, they can impose an “invisible tax” on DeFi users—an issue that has drawn substantial research attention over the years.

Earlier Cointelegraph Research found that sandwich attacks on Ethereum caused roughly $60 million in annual losses for traders, with the analysis also reporting 60,000 to 90,000 sandwich attacks per month between November 2024 and October 2025. That same research said around 70% of those attacks were associated with Jaredfromsubway.eth.

This new development turns the spotlight from the bot’s profit extraction methods to the security assumptions that power those same operations. When an MEV system depends on automated approvals and execution pathways, attackers may not need to break cryptography or exploit a bug in victim contracts. They may only need to engineer on-chain interactions that cause the bot to authorize spending to attacker-controlled addresses.

MEV’s reach has been wider than people realize

While this reported drain is by far the most serious outcome, Cointelegraph noted another instance involving Jaredfromsubway.eth: in May, Ethereum co-founder Vitalik Buterin was sandwich attacked while swapping 26,544 DigitalBits (worth $2.11 at the time of Cointelegraph’s writing). The losses in that case were reportedly small, but it underscored that MEV bots can target even relatively modest transactions.

The broader point for market participants is that MEV activity is not limited to high-profile trades. It can reach across liquidity conditions and transaction sizes, depending on how opportunities appear to bots in real time. For users and integrators, that reality has been part of the ongoing debate around fairness, transparency, and how encrypted transaction infrastructure changes the incentives for adversaries.

It’s also a reminder that the line between attacker and victim in MEV is frequently thinner than the public narrative suggests. The same operational patterns that enable profit extraction can be subverted—particularly when bots must make rapid execution decisions and grant permissions without full guarantees about the counterparties they’re dealing with.

Going forward, investors, DeFi users, and builders should watch for two signals: whether this incident triggers wider scrutiny of how MEV bots handle approvals and “helper” contracts, and whether similar “counter-MEV honeypot” tactics appear against other automated systems. The technical details of token-approval misuse are often portable, and the next exploit may be less about one bot’s identity and more about the shared automation patterns that many MEV tools rely on.

MEV bot operator Jaredfromsubway.eth has reportedly lost more than $7.5 million after an attacker used a “counter-MEV” strategy to trick the bot into authorizing spending approvals that were later used to drain its funds. The incident, discovered on Saturday, highlights a growing security risk for automated trading systems: even bots built to exploit market opportunities can be turned against themselves.

Blockaid said the compromise stemmed from attacker-controlled contracts manipulating Jaredfromsubway.eth’s automated MEV execution logic into issuing token approvals. Those approvals—part of the bot’s normal workflow—were then leveraged to transfer assets out of the bot’s treasury.

Key takeaways

• Blockaid attributes the $7.5M+ loss to fake contracts that induced Jaredfromsubway.eth to grant token approvals used for a subsequent sweep.
• The attack was not framed as classic phishing or a flaw in the victim contract itself, but as a targeted manipulation of the bot’s automated decision-making.
• Blockaid’s technical description includes 66 counterfeit token contracts paired with fake liquidity pools to appear like profitable trades.
• The incident underscores that MEV strategies can create predictable authorization paths that attackers may try to repurpose.
• Earlier Cointelegraph Research linked Jaredfromsubway.eth with a large share of sandwich attacks, showing how high-profile MEV actors can become high-value targets.

A rare turnabout for a prominent MEV bot

MEV bots operate by monitoring unconfirmed transactions and attempting to reorder or manipulate trades to extract profit. In practice, this behavior often translates into an “invisible tax” for some DeFi users, especially during sandwich attacks—where an attacker places trades around a target transaction to capture value from price movement.

Cointelegraph Research previously estimated that sandwich attacks on Ethereum have produced around $60 million in annual losses for traders. That same research reportedly found 60,000 to 90,000 sandwich attacks per month between November 2024 and October 2025, with roughly 70% associated with Jaredfromsubway.eth. Against that backdrop, the Saturday incident is notable precisely because it shows an automated profit-seeking system can be engineered to fail in a way that benefits an adversary.

Blockaid: the exploit used approvals, not a direct “victim contract” bug

Blockaid emphasized that this was not a traditional victim-side vulnerability. In a statement on X, the company said the event was neither a classic phishing attack nor a standard smart-contract exploit of the victim contract.

According to Blockaid, the attacker exploited an aspect of how Jaredfromsubway.eth executes MEV strategies. The goal was to steer the bot’s “trust-minimized” automation—its automated, contract-driven decision logic—toward approvals that the attacker could later use to move funds.

Blockaid chief technology officer Raz Niv described the technique as a counter-MEV honeypot attack. Rather than attacking the bot’s private keys directly, the approach aimed to influence what the bot would do once it encountered transactions and on-chain artifacts that looked like opportunities aligned with its programmed objectives.

The “66 backdoors” narrative: fake tokens and liquidity pools

In a conversation with Cointelegraph, Niv said the attacker deployed fake token contracts over a period of weeks. He stated that there were 66 counterfeit token contracts designed to mimic well-known assets, including Wrapped ETH, USDC, and USDt. These fakes were paired with fake liquidity pools intended to make the ecosystem appear to offer profitable trades.

The counterfeit setup was engineered to resemble the kinds of transactions MEV bots typically chase. By presenting plausible trading conditions, the attacker “lured” Jaredfromsubway.eth into executing its normal logic—specifically, approving certain attacker-controlled helper contracts to spend funds on the bot’s behalf.

“Ironically, in the process, it provided the attacker the keys to millions in the bot’s treasury,” Niv said.

“And then in a single transaction, the attacker called all 66 backdoors and swept all the ETH, USDC, and USDT at these addresses, amounting to millions of dollars.”

The attack’s structure matters for investors and builders because it demonstrates a common automation pitfall: when systems rely on broad or reusable token allowances to operate efficiently, a malicious actor may focus on obtaining those allowances rather than breaking the underlying execution engine.

Why this matters for DeFi and automated trading

MEV activity is often discussed in terms of profitability and market mechanics, but the Jaredfromsubway.eth incident shifts attention to operational security. Even if a bot’s trading logic is intended to be automated and “trust-minimized,” that automation still has to interact with external contracts and grant permissions in order to operate.

The broader implication is that attackers can design environments that comply with the bot’s assumptions while quietly redirecting the outcome. In this case, the environment included fake token contracts and pools meant to look legitimate enough to trigger approvals—turning expected functionality into an exit path.

The timing and visibility of the story also add context. Earlier this year, Cointelegraph reported that Ethereum co-founder Vitalik Buterin was sandwiched by Jaredfromsubway.eth while swapping 26,544 DigitalBits, which was worth $2.11 at the time of writing. The harm in that example was reportedly minimal, but it illustrated that MEV bots may target transactions of any size. Saturday’s loss claim suggests the inverse is also true: high-profile MEV infrastructure can be targeted using the same automation pathways it uses to function.

Crypto investor and commentator David Gokhshtein reacted publicly to the news on X, framing it as a response to a bot that has benefited from sandwiching before—though he also cautioned against celebration.

What to watch next

For now, the key questions are how widespread similar approval-based counter-MEV tactics could be and whether bot operators will adjust their permissioning and contract interaction patterns to reduce exposure to authorization-driven drains. The next signal to monitor will be whether Blockaid’s described counter-MEV honeypot approach becomes a repeatable playbook—or prompts faster defensive changes across automated MEV systems.

One of the most successful MEV bots in crypto, Jaredfromsubway.eth, has been drained for more than $7.5 million, with an attacker exploiting the bot’s automated systems, the same ones that have netted it hundreds of millions over the years. 

According to Blockaid, the incident on Saturday resulted from attacker-controlled contracts tricking Jaredfromsubway.eth’s automated MEV execution system into granting token approvals that were later used to drain funds.

“This is not a classic phishing attack and not a traditional smart-contract vulnerability in the victim contract,” Blockaid said on X.

It’s a rare comeuppance for MEV (maximal extractable value) bots like Jaredfromsubway.eth, which are automated programs that monitor unconfirmed transactions on blockchain networks and manipulate their order to extract profit, a kind of “invisible tax” on DeFi users. 

Cointelegraph Research previously found that sandwich attacks on Ethereum have resulted in about $60 million in annual losses for traders. The research also found that between November 2024 and October 2025, there were 60,000 to 90,000 sandwich attacks per month, with roughly 70% of them associated with Jaredfromsubway.eth.

How Jaredfromsubway.eth was exploited

The attacker created fake wrapper tokens and pools, including fake Wrapped Ether (fWETH), fake USDC (fUSDC) and fake USDt (fUSDT) routes paired with fake Cap (fCAP), Blockaid explained. 

The fakes were designed to look like profitable trades, the kind the MEV bot is programmed to chase. It then did what it was designed to do, approving certain attacker-controlled helper contracts to spend real money on its behalf. 

While in normal cases, the bot would use up the approval during the trade, in this case, the attacker crafted routes that allowed the approvals to stay open. 

Once enough approvals were in place, the attacker conducted a “final sweep” to pull WETH, USDC and USDT from the Jaredfromsubway.eth MEV bot contract via transferFrom. 

“The attacker exploited the bot’s mechanism: its automated system detected what looked like profitable MEV opportunities and generated approvals to attacker-controlled helper contracts.”

“We shouldn’t be happy about this; no one should celebrate … but if you’ve ever been sandwiched by this … I’m pretty sure you’re not upset about this news,” crypto investor and commentator David Gokhshtein said.

Magazine: The end of anon? AI could unmask crypto’s hidden identities