Original | Odaily Planet Daily (@OdailyChina)
Author | Azuma (@azuma_eth)
The well-known MEV Bot address Jaredfromsubway.eth, long active on the Ethereum network, was targeted in a highly sophisticated on-chain attack on Saturday, resulting in losses exceeding $7.5 million.
According to investigations by Blockaid and several on-chain analytics firms, this incident was not a traditional phishing attack or smart contract exploit. Instead, it was a "counter-MEV honeypot attack" specifically designed to target the operational logic of MEV Bots.
Over the preceding weeks, the attacker had systematically deployed 66 counterfeit token contracts and fake liquidity pools. These assets were meticulously disguised on-chain as mainstream stablecoins like WETH, USDC, and USDT, creating seemingly legitimate arbitrage trading pathways.
The attack chain unfolded step by step — the fake liquidity pools generated signals for "arbitrageable price gaps"; the MEV bot automatically identified the arbitrage opportunity and executed trades; during the transaction, the robot granted authorization to an auxiliary contract controlled by the attacker; this authorization was not promptly revoked, leading to persistent exposure of permissions; Ultimately, in a single transaction, the attacker triggered a pre-embedded backdoor logic, directly draining the ETH, USDC, and USDT held in the MEV bot's address.
On-chain data shows that the total value of assets stolen from Jaredfromsubway.eth in this attack has exceeded $7.5 million. The attacker subsequently split and transferred portions of the funds, further dispersing the flow through mixing tools.
Who is Jaredfromsubway.eth? The Most Notorious MEV Bot Address
The reason this attack is so notable today is that the victim, Jaredfromsubway.eth, is itself one of the most active, profitable, and notorious MEV Bots on the Ethereum network (if not the most).
Essentially, "MEV attacks" are a category of on-chain arbitrage behaviors revolving around "transaction ordering rights." On the Ethereum network, transactions enter the mempool to await block inclusion before being confirmed. Block builders or searchers can extract extra profit by adjusting transaction order, inserting transactions, or rearranging transactions within a block.
The most typical attack type is the "Sandwich Attack" — the attacker inserts buy and sell operations immediately before and after a user's transaction, profiting from the price slippage within a very short time frame. Such behavior is extremely common in high-liquidity DeFi trading pairs and constitutes one of the most fundamental profit models within the MEV ecosystem.
Jaredfromsubway.eth is precisely the most representative automated executor of this mechanism. Unlike traditional "single-point arbitrage bots," this MEV Bot resembles a highly industrialized MEV execution system. It continuously monitors unconfirmed transactions in the mempool, identifies in real-time transaction paths susceptible to being sandwiched, and completes transaction construction, Gas bidding, and order insertion within an extremely short time window, systematically capturing slippage profits.
Data from Cointelegraph Research shows that from November 2024 to October 2025, approximately 60,000 to 90,000 sandwich attacks occurred monthly on the Ethereum network, with about 70% related to the strategic system of Jaredfromsubway.eth.
In May of this year, when Ethereum co-founder Vitalik Buterin exchanged 26,544 DigitalBits (XDB), his transaction was also targeted and sandwiched by Jaredfromsubway.eth.
Regarding Jaredfromsubway.eth's historical revenue, there is no official statistic, but conservative estimates suggest that the address has accumulated MEV profits reaching tens of millions of dollars during its active periods. During some peak periods, its daily earnings could reach hundreds of thousands of dollars, and it consistently ranked near the top of Ethereum's MEV leaderboards.
Crypto Security Threats Intensify: Even Top Predators Are Not Spared
While one might muse that "the eagle-hunter finally got pecked," the hacking of Jaredfromsubway.eth has also sounded another alarm regarding risks in the cryptocurrency space.
In past perceptions, MEV Bots like Jaredfromsubway.eth belonged to the "predator" side of the on-chain ecosystem — they continuously capture slippage and arbitrage opportunities within user transactions through automated strategies, positioning themselves advantageously, arguably representing one of the most iconic types of attackers in the cryptocurrency market.
But this time, it became the one that was designed, lured, and ultimately harvested. Moreover, the attacker did not choose a traditional exploit path. Instead, they constructed a long-running "behavioral trap," allowing the MEV Bot's automated system to make progressively flawed decisions while fully complying with its own rules.
It must be acknowledged that even participants like Jaredfromsubway.eth, once most adept at "gaming the system," are now exposed to a broader attack surface.
Additionally, it is worth noting that after Jaredfromsubway.eth was hacked, an unknown X account with 94,000 followers changed its name to Jaredfromsubway.eth and falsely claimed it would "offer a $1 million bounty for the full return of all funds."
Several developers issued risk warnings, emphasizing that this account is not the official Jaredfromsubway.eth account (the MEV Bot team has no official account). They cautioned that this account might be used for scams subsequently and urged users to remain highly vigilant.
