# Ethereum's Largest Sandwich Bot Is Drained of About $7.5 Million by Its Own Logic

An attacker tricked Jaredfromsubway.eth into approving counterfeit tokens, then used those approvals to take real funds. The case shows that predatory extraction code can itself be attacked.

- Published: 2026-06-21T10:31:57.554Z
- Canonical: https://polylog.news/crypto/2026-06-21/ethereum-s-largest-sandwich-bot-is-drained-of-about-7-5-mill
- Publisher: Polylog (Crypto desk)
- Section: crypto
- Sources: [CoinDesk](https://www.coindesk.com/tech/2026/06/21/ethereum-s-biggest-sandwich-bot-drained-of-usd7-5-million-in-ironic-exploit), [Polylog editors](https://polylog.news)

One of Ethereum's most active extraction bots became the victim. Jaredfromsubway.eth, the address responsible for a large share of "sandwich" attacks on the network (trades placed immediately before and after a victim's trade to profit from the resulting price move), was drained of roughly $7.5 million on June 20, according to security firm Blockaid in [reporting by CoinDesk](https://www.coindesk.com/tech/2026/06/21/ethereum-s-biggest-sandwich-bot-drained-of-usd7-5-million-in-ironic-exploit). Some on-chain analysts put the loss [above $15 million](https://t.me/BWEnews/16275), and the discrepancy reflects how the funds were spread across several tokens.

The attack was carried out gradually and was carefully targeted. Blockaid's chief technology officer, Raz Niv, described it as a "counter-MEV honeypot attack." Maximal extractable value (MEV) is the profit a bot can capture by reordering or inserting transactions around a victim's trade. Over several weeks the attacker deployed 66 counterfeit token contracts built to imitate Wrapped Ether (WETH), USD Coin (USDC) and Tether (USDT), each paired with fake liquidity pools designed to look like profitable trades.

The bot's automated code performed exactly as designed. It interacted with the counterfeit pools and, in doing so, granted spending approvals to helper contracts the attacker controlled. The attacker then called all 66 of those approvals in a single transaction and took the bot's real WETH, USDC and USDT. The cause was not a broken cryptographic function but a flaw in the bot's logic. It had granted approvals to contracts it never verified.

No funds have been recovered and the operator behind the address has not been identified. Researchers have long estimated that sandwich attacks cost ordinary Ethereum traders tens of millions of dollars a year, with Jaredfromsubway.eth tied to a majority of them in past periods. The loss does not change that calculation for traders, but it does establish that even the most aggressive extraction code can itself be attacked.

## What this means

Predatory MEV bots are usually described as a cost imposed on ordinary users. This incident shows that the same automation that trades ahead of users can be reverse-engineered and emptied. An unattended approval to an unverified contract is a standing liability, no matter how sophisticated the operator. The case is a concrete data point in the ongoing debate over who controls Ethereum's block-building process and how much of its value is extracted rather than secured.

## What to watch

- Whether the stolen funds move through a mixer or a bridge. That would indicate the attacker is laundering the funds rather than negotiating a return, and would make recovery far less likely.
- Whether other large MEV operators audit and revoke their standing token approvals. That would show the industry now treats automated approval logic as a primary security risk.
