The setup was built over several weeks, where the attacker deployed dozens of fake token contracts and fake liquidity pools (a term for a stack of tokens locked on a decentralized exchange) that looked like profitable transactions. Some imitated familiar assets like wrapped ether (WETH) and dollar-pegged stablecoins USDC and USDT.
That bait did what it was supposed to do. The Jaredfromsubway.eth bot saw what appeared to be MEV opportunities and generated approvals for help contracts controlled by the attacker to spend tokens on their behalf. Those approvals were immediately used as part of the exchange in previous tests, but then the attacker created routes where the approvals remained open.
This left the attacker with permanent permission to withdraw funds. And they used those open approvals to transfer WETH, USDC, and USDT out of Jaredfromsubway.eth contracts, draining more than $7.5 million.
Some of the stolen funds were later sent to Tornado Cash, on-chain data reviewed by CoinDesk showed.
Meanwhile, the irony was hard to miss.
Jaredfromsubway.eth has long been one of the most visible symbols of toxic MEV on Ethereum. Sandwich attacks cost Ethereum traders around $60 million a year, with between 60,000 and 90,000 attacks per month between November 2024 and October 2025.
