Ethereum MEV bot JaredFromSubway lost between $7.5 million and more than $15 million in June 2026 after falling into a trap involving fake tokens. The blow hit a bot that had spent years profiting from sandwich attacks, only to become a victim of its own logic.
The incident was reported by analytics firm Blockaid. According to its data, the attacker created fake tokens and liquidity pools, tricked the automated system into issuing approvals to third-party contracts, and then withdrew the funds via transferFrom. The scheme involved WETH, USDC and USDT, and one example showed an approval for more than 92 WETH.
For traders, this is an important story. For developers, too. It shows that in Ethereum, the danger lies not only in smart contract code, but also in trading logic itself if it operates too automatically. That is where the bot stumbled.
Why did this attack hit the MEV bot specifically?
Everything here depended on the algorithm trusting signals it itself considered profitable. The attacker did not break a third-party contract in the classic sense. Instead, they fed the bot dozens of fake tokens, including fWETH, fUSDC and fUSDT, which looked like profitable arbitrage opportunities.
According to researchers, the trap was built over several weeks. Blockaid CTO Raz Niv described it as a counter-MEV honeypot. And that is an important detail: this was not a single abrupt hack, but a long game in which the bot was guided step by step toward the desired behavior. That is why such schemes are hard to spot at an early stage.
After the first test transactions, everything looked routine. Approvals were issued and immediately used, so no suspicion arose. Then the mechanics changed. The bot kept issuing approvals, but without immediate use. That is how the attacker accumulated active rights to withdraw funds.
Market reaction
The story quickly spread through the crypto community because JaredFromSubway had long had a reputation as one of Ethereum's best-known MEV bots. Commentators noted that this wallet had spent years running sandwich attacks. Now the role had changed. The predator became the prey.
“This is not a classic phishing attack and not a traditional vulnerability in the victim's smart contract,” Blockaid said. It was the manipulation of automated execution logic that gave the attacker access to the funds.
There is also a broader backdrop. In 2023, JaredFromSubway was already highly visible on the network: according to The Block, citing EigenPhi, the bot carried out 238,000 attacks against more than 106,000 victims in its first three months of activity. CoinDesk previously estimated total MEV in Ethereum at more than $1.2 billion, with about 51% coming from sandwich attacks. That explains why any failure in such a bot creates so much noise.
The loss is estimated at between $7.5 million and more than $15 million.
The scheme used 66 fake token contracts.
One approval involved more than 92 WETH.
The largest separately mentioned transfer was 1,423 ETH, or about $2.46 million.
Some of the stolen funds have reportedly already been routed through Tornado Cash.
What does this case mean for investors?
For ordinary Ethereum users, this story has a simple takeaway: automation without strict control can turn against the one who runs it. If a bot or wallet regularly signs approvals, an attacker can accumulate permission and use it later, when attention has already faded. That appears to be what happened here.
For Ukrainian traders, this is not an abstract issue either. Many work with WETH, USDC and USDT, and therefore face the same risk of fake tokens, spoofed pools and malicious contracts. In 2025, Blockaid already reported more than 54,000 fake tokens imitating the top 20 stablecoins, including more than 34,000 copies of USDT and about 12,000 copies of USDC. That is the broader environment in which such attacks emerge.
There is one more practical point. If you work with Ethereum and often sign approvals, it is worth checking active approvals from time to time and not leaving unnecessary permissions in place for too long. This small detail often decides whether you lose funds immediately or not. If you need to quickly sell USDT TRC20 for Monobank, it is also better to do that after checking addresses and permissions.
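The pattern described above, approvals that are granted but not used straight away, can be checked by replaying a wallet's approval history. The sketch below is an added example, not code from Blockaid or from the bot; the event records, addresses and block numbers are constructed, and only the 92 WETH figure comes from the article.

```python
from collections import namedtuple

# Constructed sample events modeled on ERC-20 approve()/transferFrom() semantics.
# Spender names and block numbers are placeholders made up for illustration.
Event = namedtuple("Event", "block kind token owner spender value")

SAMPLE_EVENTS = [
    Event(100, "approve", "WETH", "bot", "0xRouterA", 5),
    Event(100, "spend",   "WETH", "bot", "0xRouterA", 5),      # used at once
    Event(140, "approve", "USDC", "bot", "0xPoolB", 20000),
    Event(141, "spend",   "USDC", "bot", "0xPoolB", 20000),    # used at once
    Event(200, "approve", "WETH", "bot", "0xPoolC", 92),       # never used
    Event(230, "approve", "USDT", "bot", "0xPoolC", 50000),
    Event(231, "spend",   "USDT", "bot", "0xPoolC", 10000),    # partly used
]

def outstanding_allowances(events):
    """Replay events; return {(token, owner, spender): (remaining, last_block)}."""
    state = {}
    for ev in sorted(events, key=lambda e: e.block):   # stable: keeps in-block order
        key = (ev.token, ev.owner, ev.spender)
        remaining, _ = state.get(key, (0, ev.block))
        if ev.kind == "approve":
            remaining = ev.value                       # approve() overwrites
        elif ev.kind == "spend":
            remaining = max(0, remaining - ev.value)   # transferFrom() consumes
        state[key] = (remaining, ev.block)
    return {k: v for k, v in state.items() if v[0] > 0}

def stale_allowances(events, current_block, max_idle_blocks, trusted_spenders=()):
    """Flag live allowances that are idle too long or held by unknown spenders."""
    findings = []
    live = outstanding_allowances(events)
    for (token, owner, spender), (remaining, last_block) in live.items():
        idle = current_block - last_block
        if idle > max_idle_blocks or spender not in trusted_spenders:
            findings.append({"token": token, "spender": spender,
                             "remaining": remaining, "idle_blocks": idle})
    return sorted(findings, key=lambda f: -f["idle_blocks"])

if __name__ == "__main__":
    for f in stale_allowances(SAMPLE_EVENTS, 300, 50, {"0xRouterA"}):
        print(f)
```

On a live wallet, the token's own allowance(owner, spender) view is the authoritative source for the remaining amount; the replay only shows which spenders to query and revoke.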
Frequently asked questions
What is an MEV bot and why can it be fooled at all?
An MEV bot looks for profit in price differences and transaction ordering on the blockchain. If you feed it fake tokens or pools, it may treat them as a profitable opportunity and issue approvals to withdraw funds on its own.
Why are approvals mentioned specifically in this attack?
Approvals give a contract the right to spend a user's or bot's assets. In this case, the attacker accumulated such permissions and then used them for the final withdrawal of funds via transferFrom.
Can this be called a hack of Ethereum?
No. This was an attack on a specific MEV bot, not a hack of the Ethereum network itself. But the incident shows that the weak point may be not in the blockchain, but in the tools that operate on top of it.
This story will long serve as a reminder that in crypto, speed without verification often comes at a high price. Sometimes even the one who is used to hunting others has to run for cover themselves.
This material is not financial advice. Cryptocurrency trading involves significant risks. Part of this text was prepared with the help of artificial intelligence based on public sources and reviewed by our editorial team.