Morning Edition · Sunday, June 21, 2026
Ethereum's Largest Sandwich Bot Is Drained of About $7.5 Million by Its Own Logic
An attacker tricked Jaredfromsubway.eth into approving counterfeit tokens, then used those approvals to take real funds. The case shows that predatory extraction code can itself be attacked.

One of Ethereum's most active extraction bots became the victim. Jaredfromsubway.eth, the address responsible for a large share of "sandwich" attacks on the network (trades placed immediately before and after a victim's trade to profit from the resulting price move), was drained of roughly $7.5 million on June 20, according to security firm Blockaid in reporting by CoinDesk. Some on-chain analysts put the loss above $15 million, and the discrepancy reflects how the funds were spread across several tokens.
The attack was carried out gradually and was carefully targeted. Blockaid's chief technology officer, Raz Niv, described it as a "counter-MEV honeypot attack." Maximal extractable value (MEV) is the profit a bot can capture by reordering or inserting transactions around a victim's trade. Over several weeks the attacker deployed 66 counterfeit token contracts built to imitate Wrapped Ether (WETH), USD Coin (USDC) and Tether (USDT), each paired with fake liquidity pools designed to look like profitable trades.
The bot's automated code performed exactly as designed. It interacted with the counterfeit pools and, in doing so, granted spending approvals to helper contracts the attacker controlled. The attacker then called all 66 of those approvals in a single transaction and took the bot's real WETH, USDC and USDT. The cause was not a broken cryptographic function but a flaw in the bot's logic. It had granted approvals to contracts it never verified.
No funds have been recovered and the operator behind the address has not been identified. Researchers have long estimated that sandwich attacks cost ordinary Ethereum traders tens of millions of dollars a year, with Jaredfromsubway.eth tied to a majority of them in past periods. The loss does not change that calculation for traders, but it does establish that even the most aggressive extraction code can itself be attacked.
- If true, who benefits
Blockaid and the crypto-security tooling sector, whose business case strengthens when even predatory MEV bots are shown to be exploitable.
- The nuance
The "ironic honeypot" framing is consistent across outlets, but the loss figure is disputed (CoinDesk and Blockaid say about $7.5 million, on-chain analysts say above $15 million) and the operator behind the address is unidentified.
An open-source-intelligence read of how likely this story is true with its real nuance, not a judgment of any outlet. It assesses the claim, weighing independent and adversarial reporting. How we label confidence.
What this means
Predatory MEV bots are usually described as a cost imposed on ordinary users. This incident shows that the same automation that trades ahead of users can be reverse-engineered and emptied. An unattended approval to an unverified contract is a standing liability, no matter how sophisticated the operator. The case is a concrete data point in the ongoing debate over who controls Ethereum's block-building process and how much of its value is extracted rather than secured.
What to watch
- Whether the stolen funds move through a mixer or a bridge. That would indicate the attacker is laundering the funds rather than negotiating a return, and would make recovery far less likely.
- Whether other large MEV operators audit and revoke their standing token approvals. That would show the industry now treats automated approval logic as a primary security risk.
Observations to monitor, not financial advice.
Synthesized from: CoinDesk · Polylog editors
Part of a tracked trend
Bridge and Mint Exploits Sustain Heavy DeFi Losses
Over 3-6 months, recurring bridge proof-validation and unauthorized-mint exploits keep monthly DeFi losses elevated, including drains of deprecated contracts.
More from this edition
- Aztec Pushes Programmable Privacy as a Prerequisite, Not a Feature
- Strategy's Preferred Stock Slips Below Par, and Its Founder Calls a Bitcoin Sale a Feature
- 'Crypto Mom' Hester Peirce to Leave the SEC With Key Rules Unfinished
- An Ethereum Proposal Tries to Fix Who Pays for Shared Upgrades
- Miden Makes the Case for 'Practical Privacy' as Blockchain's Next Phase
- Bitcoin Holds Near $64,000 as Iran Again Orders the Strait of Hormuz Closed
- Morgan Stanley Files the Cheapest Ethereum and Solana ETFs Yet, at 0.14%
- AI Is Lowering the Cost of Crypto Security, and Raising the Baseline
- Where On-Chain Activity Is Actually Concentrating
- Bitdeer Mines 921 Bitcoin but Keeps Less, Raising the Real Question for Miners
- Security Roundup: Key Compromises and Bridge Mints Drive a Costly Month