The **JaredFromSubway** Ethereum MEV bot suffered a staggering $15 million loss after an attacker successfully manipulated its opportunity-detection logic. The sophisticated scheme involved creating fake cryptocurrency trading opportunities designed to trick the bot into approving helper contracts. Blockchain security firm **Blockaid** detected the drain on Saturday, with **JaredFromSubway** confirming the attack involved the use of fake pools and tokens. According to **Blockaid**, the attacker deployed contracts specifically crafted to appear as highly profitable MEV opportunities to **JaredFromSubway**'s automated execution system. The bot, designed to analyze routes and trade opportunities for financial gain, automatically generated the necessary transactions. Crucially, this process led to the bot granting **ERC-20** token approvals to contracts ultimately controlled by the attacker. Evidence suggests meticulous planning by the threat actor. Early transactions served as harmless tests, likely to confirm the bot’s operational routines. Subsequently, the attacker modified the transaction route, ensuring that the granted allowances were neither consumed nor revoked immediately after approval. This method allowed the attacker to accumulate valid spending permissions without immediate exploitation, eventually reaching a substantial 92.1614 **WETH** approved to an attacker-controlled helper contract. The final phase of the attack saw the threat actor leverage these open approvals to withdraw **WETH**, **USDC**, and **USDT** from the **JaredFromSubway** MEV bot contract via the `transferFrom` function. ### Karma Slaps Back MEV bots are ultra-fast automated trading systems that operate on blockchains like Ethereum. Their objective is to generate profit by exploiting the order and timing of transactions before they are included in a block. **JaredFromSubway** is a private MEV operation with no publicly available code, widely recognized as one of Ethereum's most aggressive and visible “sandwich”-bot operations. In a sandwich attack, the bot identifies a user's pending trade, places a buy order directly before it, and then sells immediately after, profiting from the price movement induced by the victim's transaction. This practice is controversial due to its tendency to result in less favorable prices for regular traders while enriching the bot operator. Initially, **JaredFromSubway** offered a $3 million bounty to the attacker for the full return of the stolen funds, promising no further action. With no response, the bounty was increased for the return of just 50% of the stolen amount, with an additional $1 million designated for the community. **JaredFromSubway** is also reportedly collaborating with a “white-hat hacking group” regarding the stolen $15 million, though no firm deal has been confirmed.