An attacker drained roughly $7.5 million from the JaredFromSubway MEV bot, one of Ethereum’s most active sandwich-attack systems, after tricking it into approving token spending it never should have granted.

Security firm Blockaid, which flagged the incident, said the bot was not hit by a smart-contract bug, a phishing attack, or a private-key leak. Instead, the attacker turned the bot’s own profit-seeking logic against it.

How the MEV Bot was Tricked

The JaredFromSubway MEV bot runs an automated strategy that scans Ethereum’s mempool for profitable trades. The practice is known as maximal extractable value.

The bot front-runs and back-runs other trades to capture the price difference, a tactic called a sandwich attack.

It became infamous in April 2023. In one day, it burned over $1 million in gas, nearly 8% of all Ethereum gas spending.

The attacker spent weeks deploying 66 counterfeit token contracts. The fakes imitated Wrapped Ether (WETH), USD Coin USDCUSD, and Tether USDTUSD.

To the bot, these contracts looked like the routes it was built to chase. It took the bait and approved spending to attacker-controlled helper contracts. One approval alone handed over more than 92 WETH.

A final contract then used those open allowances to sweep real funds from the bot.

A Reverse-MEV Trap

The trap turned the bot’s speed and aggression into a weakness. Hunting MEV bots is not new. In 2023, a rogue validator drained about $25 million from MEV sandwich bots.

“attacker-controlled contracts tricking an automated MEV execution system into granting token approvals, later used to drain funds,” Blockaid indicated.