Ethereum MEV bot Jaredfromsubway sandwich attack drains $7.5M

An Ethereum MEV bot, Jaredfromsubway.eth, was drained of more than $7.5 million in a sandwich attack, according to Blockaid. The attacker did not rely on a classic phishing scam or a typical smart-contract flaw in the bot. Instead, they used attacker-controlled contracts to induce the Ethereum MEV bot to issue token spending approvals. Those approvals were then leveraged to withdraw real WETH, USDC, and USDT via transferFrom. Key to the exploit were fake wrapper tokens and manipulated trade routes (including counterfeit WETH and USDC/USDT paths). The routes looked profitable, so the bot kept approvals open rather than consuming them during execution. A final sweep then pulled the underlying assets. Broader context: Jaredfromsubway.eth accounted for ~70% of Ethereum sandwich attacks between Nov 2024 and Oct 2025. Earlier research estimated Ethereum sandwich attacks cause about $60M in annual trader losses, with roughly 60,000–90,000 attacks per month. For traders, the event highlights ongoing Ethereum MEV risk concentration in DEX liquidity and the need for MEV-aware execution (e.g., slippage protection and private routing such as Flashbots Protect).