By Azuma(@azuma_eth)
Jaredfromsubway.eth, a well-known MEV Bot address long active on the Ethereum network, was targeted in a highly specific on-chain attack on Saturday, resulting in losses exceeding $7.5 million.
Investigations by Blockaid and several on-chain analytics firms revealed that this incident was not a traditional phishing attack or smart contract exploit, but rather a "counter-MEV honeypot attack" specifically designed to exploit the operational logic of MEV Bots.
Over the preceding weeks, the attacker systematically deployed 66 counterfeit token contracts and fake liquidity pools. These assets were meticulously disguised on-chain as major stable assets like WETH, USDC, and USDT, creating seemingly genuine arbitrage trading pathways.
The attack chain unfolded as follows — fake liquidity pools generated signals of "exploitable price gaps"; the MEV bot automatically identified the arbitrage opportunity and executed a trade; during the transaction, the robot granted authorization to an auxiliary contract controlled by the attacker; this authorization was not revoked promptly, leading to persistent exposure of permissions; finally, the attacker triggered a pre-embedded backdoor logic in a single transaction, directly transferring assets such as ETH, USDC, and USDT held by the MEV bot's address.
On-chain data shows that the total scale of assets stolen from Jaredfromsubway.eth this time has exceeded $7.5 million. The attacker subsequently split and transferred some of the assets, further dispersing the fund flow through mixing tools.
Who is Jaredfromsubway.eth? The Most Notorious MEV Bot Address
The reason this attack is so notable now is that the victim, Jaredfromsubway.eth, is itself the most active, most profitable, and most notorious MEV Bot on the Ethereum network (perhaps without even needing 'one of').
"MEV attacks" are essentially a category of on-chain arbitrage behaviors centered around "transaction ordering rights." In the Ethereum network, transactions wait in the mempool to be included in a block before they are confirmed. Block builders or searchers can adjust transaction order, insert transactions, or rearrange transactions within a block to extract additional profits.
The most typical attack type is the "Sandwich Attack"— the attacker inserts a buy order before and a sell order after a user's transaction, profiting from price slippage within a short timeframe. This behavior is extremely common in high-liquidity DeFi trading pairs and constitutes one of the most fundamental profit models within the MEV ecosystem.
Jaredfromsubway.eth is precisely the most representative automated executor of this mechanism. Unlike traditional "single-point arbitrage bots," this MEV Bot operates more like a highly industrialized MEV execution system. It continuously monitors unconfirmed transactions in the mempool, identifies in real-time transaction paths vulnerable to sandwiching, and within an extremely short time window, completes transaction construction, gas bidding, and order insertion, systematically capturing slippage profits.
Data from Cointelegraph Research shows that between November 2024 and October 2025, approximately 60,000 to 90,000 sandwich attacks occurred monthly on the Ethereum network, with about 70% related to Jaredfromsubway.eth's strategy system.
In May this year, when Ethereum co-founder Vitalik Buterin exchanged 26,544 DigitalBits (XDB), his transaction was also precisely targeted and sandwiched by Jaredfromsubway.eth.
There is no official statistic on Jaredfromsubway.eth's historical revenue, but conservative estimates suggest that the address has accumulated tens of millions of dollars in MEV profits during its active periods. During some peak periods, its single-day profits could reach hundreds of thousands of dollars, and it consistently appeared at the top of Ethereum MEV rankings for a long time.
Crypto Security Threats Escalate: Even Top Predators Are Not Safe
While some may marvel at the "hunter finally getting hunted," the hacking of Jaredfromsubway.eth also rings an alarm bell for cryptocurrency risks once again.
In past perceptions, MEV Bots like Jaredfromsubway.eth belonged to the "predator" side of the on-chain ecosystem — they continuously capture slippage and arbitrage opportunities in user transactions through automated strategies, inherently occupying an advantageous position, and could even be considered a representative class of attackers in the crypto market.
But this time, it became the target of design, inducement, and eventual harvesting. Moreover, the attacker did not choose a traditional vulnerability exploitation path. Instead, they constructed a long-running "behavioral trap," allowing the MEV Bot's automated system to proceed step by step towards erroneous decisions while fully complying with its own rules.
It must be admitted that even participants like Jaredfromsubway.eth, who were once most adept at "exploiting the rules," are now exposed to more multidimensional attack surfaces.
It is also worth noting that after the Jaredfromsubway.eth hack, an unknown account on X with 94,000 followers changed its name to Jaredfromsubway.eth and falsely claimed it would "offer a $1 million bounty for the full return of all funds."
Several developers issued risk warnings regarding this, emphasizing that the account is not an official Jaredfromsubway.eth account (the MEV Bot team has no official account) and that it cannot be ruled out that this account might be used for scams in the future. Users are urged to remain highly vigilant.
