MEV Bot JaredFromSubway Exploited for $7.5M, Bounty Offered
Ethereum sandwich bot JaredFromSubway suffered a $7.5M loss after an attacker used fake tokens to exploit smart contract vulnerabilities. The operator offered a 50% bounty for 2,150 ETH and threatened legal action, while the attacker moved funds to Tornado Cash, sparking debate on MEV ethics.
Quick Take
JaredFromSubway lost $7.5M via fake tokens and fraudulent smart contracts.
Operator offered 50% bounty (2,150 ETH) with a 48-hour deadline, threatening legal action.
Attacker began laundering funds through Tornado Cash, reducing return likelihood.
Event reignites debate on MEV practices and the ethics of sandwich attacks.
Market Impact Analysis
NeutralExploit of a single MEV bot is unlikely to affect broader crypto market prices, though it may temporarily increase negative sentiment around MEV.
Speculation Analysis
Key Takeaways
- JaredFromSubway bot drained of $7.5M through fake token exploit and fraudulent smart contracts.
- Operator offers 50% white hat bounty (2,150 ETH, ~$3.7M) with 48-hour deadline, threatens legal action.
- Attacker moves funds to Tornado Cash, making recovery unlikely and sparking MEV ethics debate.
What Happened
Ethereum’s notorious sandwich bot JaredFromSubway suffered a $7.5 million exploit on Saturday after an attacker tricked its automated trading logic. The bot, known for executing sandwich attacks that front-run pending transactions, was lured into executing trades involving fake tokens and fraudulent smart contracts. These contracts gave the attacker permission to move the bot’s funds, and while some transactions revoked those permissions, the attacker’s later transactions did not—leaving the attacker with full access to drain the wallet. The operator quickly responded by offering a 50% white hat bounty onchain, demanding return of 2,150 ETH within 48 hours or face legal consequences.
The Numbers
The exploit resulted in a $7.5 million loss in ETH. The bounty offer represents exactly half of that, at 2,150 ETH—valued around $3.7 million at current prices. The attack occurred on Saturday, June 20, 2026, and the onchain message gave a 48-hour window. Within hours, the attacker began moving funds to Tornado Cash, the Ethereum mixer, signaling likely refusal of the bounty.
Why It Happened
The bot’s design required granting token spending approvals to opportunistic entities. While the bot’s logic normally revokes these permissions after each trade, the attacker exploited a flaw where some approvals persisted. By creating fake tokens and misleading transactions, the attacker tricked the bot into leaving spend permissions active. Blockaid, a security firm, explained that the “attacker-controlled spenders” gained control due to the bot’s incomplete invalidation of approvals. This incident highlights how even sophisticated MEV bots are vulnerable to smart contract manipulation.
Broader Impact
The exploit reignites debate over MEV practices and the ethics of sandwich attacks. While the bot’s operator frames the attacker as a thief demanding a bounty, the crypto community is divided—some see it as poetic justice against a manipulative bot. The event also underscores the risks of smart contract permissions and may prompt other MEV operators to tighten security. However, the direct market impact remains negligible as it’s an isolated incident.
What to Watch Next
- Whether funds exit Tornado Cash or get traced, potentially revealing the attacker’s identity.
- If the bounty deadline passes without response, whether the operator actually pursues legal action—which seems unlikely.
- Changes in MEV bot security practices following this exploit, especially around spend approvals.
This article is for informational purposes only and does not constitute financial advice.
Always late to trends?
Join for the latest news, insights & more.
Disclaimer: Bytewit is an independent media outlet that delivers news, research, and data.
© 2026 Bytewit. All Rights Reserved. This article is for informational purposes only.
