Jaredfromsubway MEV bot drained of $7.5M via token approvals

On June 21, 2026, on-chain security firm Blockaid reported that the Jaredfromsubway.eth MEV bot was drained of about $7.5 million after approving attacker-controlled contracts that used ERC-20 allowances to move WETH, USDC and USDT.

Blockaid found the attacker spent weeks deploying fake tokens, liquidity pools and helper contracts designed to resemble markets the bot would trade against. The bot detected the fabricated trading routes and followed its normal process of granting helper contracts permission to move tokens as part of expected trades.

Early transactions used the granted permissions in apparent trades, which created a pattern the bot accepted. Later transactions left those approvals unused. The attacker then used ERC-20 transferFrom calls to withdraw tokens that remained available under the outstanding allowances.

On-chain records show repeated transfers totaling about 92 WETH, roughly $143,000 in USDC and roughly $149,000 in USDT from contracts linked to the bot. A coordinating contract ran a withdrawal function across dozens of subsidiary contracts that verified balances and remaining approvals before consolidating the available tokens to an attacker-controlled address.

Some of the proceeds were routed through Tornado Cash, a crypto-mixing service.

Blockaid reported the incident did not involve theft of private keys or an exploit of a core decentralized finance protocol. The firm identified the bot’s approval logic and its market-checking behavior as the point the attacker exploited to obtain lasting spending permissions.

The Jaredfromsubway.eth operation has participated in Ethereum’s MEV market since 2023 and has been linked to a large share of sandwich attacks. Analysts estimate sandwich activity has imposed about $60 million in annual costs on traders, with roughly 70% of those incidents traced to the operator behind Jaredfromsubway.eth.

Yearn Finance developer Banteg described the final operation as “an allowance drain.”