My Crypto News AI

How a Notorious Ethereum Sandwich Bot Lost $7.5M to Its Own Trap

A notorious Ethereum sandwich-attack bot that has extracted tens of millions from traders over three years was drained of $7.5 million on Saturday after attackers exploited the very trading logic that made it profitable. JaredFromSubway.eth, one of the network's most resented profit machines, lost control of its treasury when its automated system approved spending for attacker-controlled contracts, handing over the keys to its own funds.

What Is a Sandwich Attack and Why Does It Matter?

A sandwich attack is a form of front-running where a bot or trader places one order just ahead of a pending transaction and another right behind it, then pockets the price difference created by that manipulation. For ordinary users swapping tokens, it functions as an invisible tax. Researchers tie approximately 70% of all Ethereum sandwich attacks to JaredFromSubway.eth, and the practice is estimated to cost traders across the network roughly $60 million or more every year. The bot has operated since 2023 and at times burned more than two hundred Ether (ETH) in a single day to win priority position at the front of each block.

How Did Attackers Turn the Bot's Own Strategy Against It?

The attacker executed what security researchers call a counter-MEV honeypot, a trap designed to exploit the trust-minimized logic that automated traders depend on. Over several weeks, the attacker planted 66 counterfeit tokens that copied the names of Wrapped Ether, USDC (USD Coin), and Tether (USDT), then paired them with fake liquidity pools. Those pools looked like easy arbitrage opportunities, exactly the kind of profit the bot scans the mempool to find and front-run in every block.

"It targeted what the bot was built to chase," explained Raz Niv, chief technology officer at Blockaid, the security firm that flagged the incident.

One transaction swept all three fake pools, draining the bot's treasury. Security firm Blockaid ruled out both a phishing scam and any flaw inside the victim contract itself, confirming the bot's own automation had been weaponized against it.

Steps to Understand How Automated Trading Bots Create Security Risks

  • Automation Dependency: Bots like JaredFromSubway.eth operate on pre-programmed logic that approves token spending without human review, making them vulnerable to contracts designed to exploit that trust.
  • Mempool Scanning: The bot continuously scans Ethereum's mempool (the queue of pending transactions) to identify profitable arbitrage opportunities, but this same behavior makes it predictable to attackers who can plant fake opportunities.
  • Approval Vulnerabilities: When a bot approves spending for what it believes is a legitimate contract, attackers can redirect those approvals to drain the bot's entire treasury in a single transaction.
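
An added example, not code from the article or from the bot: a pre-trade guard that identifies WETH, USDC and USDT by contract address rather than by self-reported name, and refuses approvals to spenders nobody has reviewed. The `Token`, `Opportunity` and `review` names, the trusted-spender address and the sample pools are hypothetical or constructed; the article does not describe the bot's internals.

```python
# Added example: pre-trade guard for an automated trader (all names hypothetical).
from dataclasses import dataclass

# Canonical Ethereum mainnet token contracts, keyed by lowercase address.
CANONICAL = {
    "0xc02aaa39b223fe8d0a0e5c4f27ead9083c756cc2": "WETH",
    "0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48": "USDC",
    "0xdac17f958d2ee523a2206206994597c13d831ec7": "USDT",
}
PROTECTED_SYMBOLS = set(CANONICAL.values())
# Spenders the operator has reviewed by hand (constructed placeholder address).
TRUSTED_SPENDERS = {"0x" + "11" * 20}

@dataclass(frozen=True)
class Token:
    address: str
    symbol: str   # self-reported by the contract, so attacker-controlled

@dataclass(frozen=True)
class Opportunity:
    pool_tokens: tuple
    spender: str        # contract that would receive the ERC-20 approval
    amount_in: int      # amount the trade actually needs, in base units

def is_impersonator(tok: Token) -> bool:
    """True when a token claims a protected symbol from a non-canonical address."""
    claimed = tok.symbol.strip().upper()
    return claimed in PROTECTED_SYMBOLS and CANONICAL.get(tok.address.lower()) != claimed

def review(opp: Opportunity) -> dict:
    """Decide whether to trade and how large an allowance to grant."""
    reasons = []
    for tok in opp.pool_tokens:
        if is_impersonator(tok):
            reasons.append(f"{tok.symbol} at {tok.address} is not the canonical contract")
    if opp.spender.lower() not in TRUSTED_SPENDERS:
        reasons.append(f"spender {opp.spender} is not on the reviewed allowlist")
    # Never grant an unlimited allowance: cap at the trade size, or zero on reject.
    allowance = 0 if reasons else opp.amount_in
    return {"approve": not reasons, "allowance": allowance, "reasons": reasons}

# Constructed sample inputs: a look-alike "USDC" pool and a legitimate one.
FAKE = Opportunity((Token("0x" + "ab" * 20, "USDC"), Token("0x" + "cd" * 20, "WETH")),
                   "0x" + "ee" * 20, 10**18)
REAL = Opportunity((Token("0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48", "USDC"),
                    Token("0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2", "WETH")),
                   "0x" + "11" * 20, 5 * 10**17)

if __name__ == "__main__":
    for name, opp in (("fake", FAKE), ("real", REAL)):
        print(name, review(opp))
```

The symbol comparison only produces a readable rejection reason; the address and spender allowlists are what actually block the approval, since a look-alike name can always be varied.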

The reversal stung because JaredFromSubway.eth ranks among crypto's most resented profit machines. In May, the bot sandwiched Ethereum co-founder Vitalik Buterin during a small token swap, a sign even marquee wallets had drawn its attention. Few in the crypto community felt much sympathy for the bot's loss. Crypto investor David Gokhshtein cautioned against celebrating the exploit while acknowledging that anyone ever sandwiched by the bot would struggle to feel sorry for it.

Some of the stolen funds have already moved through Tornado Cash, a privacy mixer that obscures transaction trails, and the attacker's identity remains unknown. The drain marks a rare and costly failure for an operation that had run largely unchallenged for more than two years, and investigators are still tracing where the remaining funds went.

The incident highlights a paradox in decentralized finance: the same automation and trust-minimized logic that makes DeFi efficient also creates attack surfaces that sophisticated adversaries can exploit. JaredFromSubway.eth's loss demonstrates that even the most profitable and aggressive bots are not immune to being outmaneuvered by attackers who understand their underlying mechanics.