JaredFromSubway MEV Bot Hacked in $15 Million Crypto Theft

JaredFromSubway, one of the most well-known MEV bots on the Ethereum blockchain, suffered a $15 million cyberattack after attackers manipulated the bot's logic by creating fake trading opportunities. The attacker exploited the bot's automatic approval mechanisms to seize assets in WETH, USDC, and USDT.

What Happened

The cryptocurrency world was shaken by news of a major cyber heist targeting the JaredFromSubway MEV bot, one of the most aggressive and well-known automated trading systems on the Ethereum blockchain. According to information that became public on June 22, 2026, digital assets worth approximately $15 million were stolen from the bot's operational wallets. The incident was first detected on Saturday by the blockchain security firm Blockaid. Shortly after, the bot's operator, JaredFromSubway, confirmed the attack, stating that the attacker used fake pools and tokens to trick the bot's opportunity-detection logic.

This attack represents much more than a typical security breach. MEV (Maximal Extractable Value) bots are, by their nature, extremely complex and high-speed systems that aim to profit by manipulating the order and timing of transactions on the blockchain. These bots scan pending transactions before they are included in blocks and aim to generate large profits from small price differences through strategies like arbitrage, liquidations, or "sandwich" attacks. The JaredFromSubway bot was known as one of the most active players in this field. This time, however, the hunter became the hunted. The attacker turned the bot's profit-driven automation into a weapon, using the system against its own creator and successfully siphoning off a significant amount of funds.

What Data Was Stolen

The attack did not result in the theft of personal user data or credentials, but rather the direct theft of liquidity under the bot's control. Three different cryptocurrencies held in JaredFromSubway's operational wallet, used for its trading strategies, were targeted. The breakdown of the stolen assets is as follows:

  • WETH (Wrapped Ether): An ERC-20 compliant version of Ethereum, widely used on decentralized finance (DeFi) platforms.
  • USDC (USD Coin): A widely used stablecoin pegged to the US dollar.
  • USDT (Tether): One of the largest stablecoins in the market, also pegged to the value of the US dollar.

The total value of these three assets was calculated to be approximately $15 million. The target of the attack was the hot wallet liquidity that the bot kept ready for instant trading. The attacker exploited the bot's own internal mechanisms and its interactions with smart contracts to transfer these funds directly to wallets under their control. This demonstrates how meticulously the attack was planned and suggests a deep understanding of the bot's operations. The stolen funds represented the operator's primary capital, and this loss could have a severe impact on the future of the operation.

How Did the Attack Happen

According to information shared by Blockaid and JaredFromSubway, the attack was carried out through a highly sophisticated and multi-stage plan. The attacker targeted the bot's core operating principle: its ability to automatically detect and execute profitable trading opportunities. The technical steps of the attack can be summarized as follows:

1. Creating Fake Opportunities: The attacker created counterfeit smart contracts and tokens designed to appear on the JaredFromSubway bot's radar. These contracts were crafted to look like extremely profitable MEV opportunities.

2. Gaining Trust and Testing: The attacker executed the plan carefully. Initially, they conducted harmless test transactions to confirm the bot's reactions and automation routines. These transactions caused the bot to perceive the fake opportunities as real and generate transactions in response. During this phase, the bot granted ERC-20 token spending approvals to "helper contracts" controlled by the attacker.

3. Accumulating Approvals: This is the key point of the attack. Normally, after a transaction is completed, the granted spending permission (allowance) should either be consumed or revoked. However, the attacker cleverly altered the transaction route to ensure that the approvals granted by the bot were neither used nor revoked. This allowed them to accumulate the spending permissions from each "fake" transaction. Over time, a significant amount of spending approvals, such as 92.1614 WETH to a single attacker-controlled helper contract, was accumulated.

4. The Final Heist: After accumulating a sufficient number of valid spending permissions, the attacker made their final move. They triggered the accumulated approvals at once using the transferFrom function, a part of Ethereum's ERC-20 standard. This function lets an address that has been granted an allowance transfer tokens out of the wallet that granted it. The attacker used these accumulated permissions to withdraw WETH, USDC, and USDT from the JaredFromSubway bot's wallet, completing the $15 million heist.

Who Is Affected

The direct and primary victim of this attack is the operator of the JaredFromSubway MEV bot. However, the incident has broader repercussions and indirect effects within the cryptocurrency ecosystem. As implied by the phrase "Karma slaps back" in the source article, the field in which the bot operated is highly controversial.

JaredFromSubway was known as one of the most aggressive bots in the market, particularly for its use of "sandwich attacks." A sandwich attack works as follows: The bot detects a pending transaction, such as a large buy order from a user. It then places a buy order moments before that transaction (front-running). When the user's transaction executes, the price of the asset rises. The bot then immediately sells its holdings (back-running) to profit from the price difference. While this process generates profit for the bot operator, it causes the ordinary user who made the original transaction to buy at a worse price. For this reason, such strategies by MEV bots are widely regarded as unethical and predatory. In this context, the hacking of a system designed to profit from others' transactions was met with a sense of irony within the community.

What You Can Do

Although this attack directly targeted an MEV bot operator, the methods used and the risks highlighted offer important lessons for all cryptocurrency users.

  • Review Your Token Approvals: The most fundamental mechanism used in the attack was ERC-20 token approvals. Regularly check the token spending permissions you have granted to decentralized applications (dApps). Use tools like the "Token Approvals Checker" on blockchain explorers like Etherscan to revoke approvals given to platforms you no longer use or trust. Avoid granting unlimited approvals whenever possible.
  • Use MEV Protection: As an ordinary user, you can use RPC (Remote Procedure Call) services that offer MEV protection (e.g., Flashbots Protect) to prevent your transactions from falling victim to sandwich attacks. These services send your transactions through a private channel directly to miners, preventing MEV bots from seeing and exploiting them.
  • Lessons for Developers: If you are a bot operator or a smart contract developer, this incident demonstrates how sensitive automation logic can be. Scrutinize code blocks that grant spending approvals repeatedly. Test your system against potential manipulations and use single-use or amount-limited approvals. Security audits and anomaly detection systems play a critical role in preventing such sophisticated attacks.
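
The approval accumulation described in step 3 of "How Did the Attack Happen" and the anomaly-detection advice above both come down to one invariant: an allowance granted inside a transaction should be zero again when that transaction ends. The following Python is an added example, not code from Blockaid, the bot operator, or the source article; the event tuples, spender names, and exposure ceilings are constructed assumptions.

```python
from collections import defaultdict
from itertools import groupby

# Constructed sample events for one bot wallet (not data from the incident).
# (tx_id, kind, token, spender, amount): "approve" mirrors an ERC-20 Approval
# event, "spend" mirrors a transferFrom by that spender. Amounts are whole
# token units to keep the arithmetic readable.
SAMPLE_EVENTS = [
    ("tx1", "approve", "WETH", "router", 5),
    ("tx1", "spend", "WETH", "router", 5),       # fully consumed
    ("tx2", "approve", "WETH", "helper_a", 3),   # never spent or revoked
    ("tx3", "approve", "USDC", "helper_b", 1000),
    ("tx3", "spend", "USDC", "helper_b", 400),   # only partly consumed
    ("tx4", "approve", "WETH", "helper_c", 2),
    ("tx4", "approve", "WETH", "helper_c", 0),   # revoked in the same tx
    ("tx5", "approve", "WETH", "helper_a", 7),   # replaces the earlier 3
]
LIMITS = {"WETH": 5, "USDC": 1000}  # assumed per-token exposure ceilings


def audit(events, limits):
    """Replay events (grouped by tx, in chain order) and report three things:
    leaks  - (tx, token, spender, amount) where a tx granted an allowance
             that was still non-zero when that tx finished
    open_  - every allowance currently outstanding
    over   - tokens whose summed outstanding allowance exceeds its ceiling
    """
    allowance, leaks = {}, []
    for tx, group in groupby(events, key=lambda e: e[0]):
        granted = set()
        for _, kind, token, spender, amount in group:
            key = (token, spender)
            if kind == "approve":
                allowance[key] = amount  # approve() sets, it does not add
                granted.add(key)
            elif kind == "spend":
                allowance[key] = max(0, allowance.get(key, 0) - amount)
        leaks += [(tx, t, s, allowance[(t, s)])
                  for t, s in sorted(granted) if allowance[(t, s)] > 0]
    open_ = {k: v for k, v in allowance.items() if v > 0}
    exposure = defaultdict(int)
    for (token, _spender), amount in open_.items():
        exposure[token] += amount
    over = {t: v for t, v in exposure.items() if v > limits.get(t, 0)}
    return leaks, open_, over


if __name__ == "__main__":
    for name, result in zip(("leaks", "open", "over"), audit(SAMPLE_EVENTS, LIMITS)):
        print(name, result)
```

A bot that runs this check over its own wallet's events can pause trading or revoke the listed spenders as soon as a leak appears, rather than discovering the exposure when the allowances are drained.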

What the Company Says

Following the attack, the JaredFromSubway operator attempted to communicate with the attacker to recover the stolen funds. Initially, a $3 million bounty was offered to the attacker for the full return of the funds, with a promise that no legal action would be taken.

When this offer received no response, the operator tried to make the deal more attractive. The new offer requested the return of only half of the stolen amount (approximately $7.5 million). In return, the attacker would be allowed to keep the other half as a $7.5 million bounty. It was also added that if this deal was reached, $1 million would be distributed to the community.

According to the latest information, JaredFromSubway is currently negotiating with "a white-hat hacking group" over the stolen $15 million. However, there is no confirmation yet that these negotiations have resulted in a deal. The operator's desperate attempts to recover the funds once again highlight how high-risk and fragile MEV operations can be.

Source

https://www.bleepingcomputer.com/news/security/jaredfromsubway-mev-bot-hacked-in-15-million-crypto-theft/
