
The hunter becomes the hunted: The most profitable MEV Bot gets hacked

Azuma
Odaily Senior Author
@azuma_eth
2026-06-21 09:13
There are still fake impersonation accounts on X, so please remain vigilant.
AI Summary
  • Core Thesis: The well-known MEV bot Jaredfromsubway.eth lost over $7.5 million due to a carefully orchestrated "anti-MEV honeypot attack." This incident highlights the vulnerability of on-chain automated strategies, demonstrating that even top-tier arbitrageurs can become premeditated targets.
  • Key Elements:
    1. The attacker deployed 66 fake token contracts and liquidity pools disguised as mainstream assets such as WETH and USDC weeks in advance, constructing a "profitable arbitrage spread" path to lure the MEV bot into executing trades.
    2. During the transaction, the bot authorized a secondary contract controlled by the attacker and failed to revoke the approval in time, leading to the direct transfer of approximately $7.5 million worth of ETH, USDC, and USDT assets in a single transaction.
    3. Jaredfromsubway.eth is one of the most active MEV bots on Ethereum, generating hundreds of thousands of dollars in daily profits at its peak and having successfully front-run a transaction by Vitalik Buterin.
    4. Between November 2024 and October 2025, Ethereum experienced between 60,000 and 90,000 sandwich attacks per month, with approximately 70% of them being associated with Jaredfromsubway.eth's strategies.

Original article: Odaily Planet Daily (@OdailyChina)

Author: Azuma (@azuma_eth)

Jaredfromsubway.eth, a well-known MEV Bot address long active on the Ethereum network, suffered a highly targeted on-chain attack on Saturday, resulting in losses exceeding $7.5 million.

According to investigations by Blockaid and several on-chain analytics firms, this incident was not a traditional phishing attack or smart contract exploit. Instead, it was a "counter-MEV honeypot attack" specifically designed to exploit the behavioral logic of MEV Bots.

Over the weeks leading up to the attack, the attacker methodically deployed 66 fake token contracts and fraudulent liquidity pools. These assets were meticulously disguised on-chain as mainstream stable assets like WETH, USDC, and USDT, creating seemingly legitimate arbitrage trading paths.

The attack chain unfolded progressively: the fake liquidity pools generated signals indicating "arbitrageable price spreads"; the MEV bot automatically identified these opportunities and executed trades; during these transactions, the bot granted approvals to auxiliary contracts controlled by the attacker; these approvals were not promptly revoked, creating persistent permission exposure. Ultimately, in a single transaction, the attacker invoked pre-planted backdoor logic, directly transferring assets such as ETH, USDC, and USDT held by the MEV bot address.
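The persistent approval exposure described above can be audited by replaying ERC-20 `Approval` event logs for an address and listing allowances that were granted to unrecognized spenders and never reset to zero. The following is an added example, not code from the article or from any party named in it; all addresses and log entries are constructed, and the function names are hypothetical.

```python
# Added example: constructed addresses and logs, hypothetical function names.
# keccak256("Approval(address,address,uint256)"), the ERC-20 Approval event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def standing_allowances(logs, owner, trusted_spenders):
    """Replay Approval logs in chain order; return (token, spender, value) for
    every non-zero allowance the owner last granted to an untrusted spender.
    The value is the last approved amount, an upper bound on what is left,
    since many tokens emit no Approval when transferFrom spends allowance."""
    owner = owner.lower()
    trusted = {s.lower() for s in trusted_spenders}
    latest = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        # ERC-20 Approval has 3 topics; ERC-721 Approval has 4 (indexed tokenId)
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[1]) != owner:
            continue
        key = (log["address"].lower(), topic_to_address(topics[2]))
        latest[key] = int(log["data"], 16)  # later approvals overwrite earlier
    return sorted((t, s, v) for (t, s), v in latest.items()
                  if v > 0 and s not in trusted)

# --- constructed sample data (not real on-chain addresses) ---
TOKEN_A, TOKEN_B = "0x" + "a1" * 20, "0x" + "b2" * 20
BOT, ROUTER, HELPER = "0x" + "c3" * 20, "0x" + "d4" * 20, "0x" + "e5" * 20

def make_log(token, owner, spender, value, block, index):
    pad = lambda a: "0x" + "0" * 24 + a[2:]
    return {"address": token, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(value, "064x"),
            "blockNumber": block, "logIndex": index}

SAMPLE_LOGS = [
    make_log(TOKEN_A, BOT, ROUTER, MAX_UINT256, 100, 0),  # trusted router
    make_log(TOKEN_A, BOT, HELPER, 5000, 101, 3),         # granted ...
    make_log(TOKEN_A, BOT, HELPER, 0, 102, 1),            # ... then revoked
    make_log(TOKEN_B, BOT, HELPER, MAX_UINT256, 103, 7),  # never revoked
]

if __name__ == "__main__":
    for token, spender, value in standing_allowances(SAMPLE_LOGS, BOT, {ROUTER}):
        print(f"open allowance: token={token} spender={spender} value={value}")
```

An allowance that is granted and reset to zero within the same trade does not appear in the result; only approvals left standing to spenders outside the allowlist do.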

On-chain data indicates that the total value of assets stolen from Jaredfromsubway.eth has exceeded $7.5 million. The attacker subsequently split and transferred some of the assets, further dispersing the fund flow through mixing tools.

Who is Jaredfromsubway.eth? The Most Notorious MEV Bot Address

This attack has drawn such significant attention because the victim, Jaredfromsubway.eth, is arguably (and perhaps even without that qualifier) the most active, profitable, and notorious MEV bot on the Ethereum network.

So-called "MEV attacks" are essentially a category of on-chain arbitrage behavior centered around the "right to order transactions." On the Ethereum network, transactions wait in the mempool before being included in a block. Block builders or searchers can earn additional profits by reordering transactions within a block or inserting their own.

The most typical form of attack is the "Sandwich Attack": an attacker places a buy order immediately before and a sell order immediately after the user's transaction, profiting from the price slippage within a short timeframe. This behavior is extremely common in high-liquidity DeFi trading pairs and constitutes one of the most fundamental profit models within the MEV ecosystem.

Jaredfromsubway.eth is the quintessential example of an automated executor under this mechanism. Unlike traditional "single-point arbitrage bots," this MEV Bot operates more like a highly industrialized MEV execution system. It continuously monitors unconfirmed transactions in the mempool, identifies transaction paths vulnerable to sandwich attacks in real-time, and constructs transactions, bids for gas, and inserts orders within extremely short time windows to systematically capture slippage profits.

Data from Cointelegraph Research shows that between November 2024 and October 2025, the Ethereum network experienced approximately 60,000 to 90,000 sandwich attacks per month, with about 70% of them associated with Jaredfromsubway.eth's strategy system.

In May of this year, Ethereum co-founder Vitalik Buterin's transaction of 26,544 DigitalBits (XDB) was also specifically targeted by Jaredfromsubway.eth.

There is no official accounting of Jaredfromsubway.eth's historical revenue, but conservative estimates suggest the address has accumulated tens of millions of dollars in MEV profits during its active periods. During peak times, its daily revenue reached hundreds of thousands of dollars, and it consistently held top positions in Ethereum MEV rankings.

Crypto Security Threats Intensify: Even the Top Predator Cannot Escape

Beyond the irony of "the hunter has become the hunted," the attack on Jaredfromsubway.eth serves as another stark warning about the risks in the cryptocurrency space.

In the past, MEV Bots like Jaredfromsubway.eth were considered on-chain "predators": they continuously capture slippage and arbitrage opportunities from user trades using automated strategies, which puts them in a dominant position within the ecosystem and makes them a quintessential type of attacker in the crypto market.

This time, however, the bot itself was the one designed against, lured, and eventually exploited. The attacker didn't follow a traditional exploit path. Instead, they constructed a long-running "behavioral trap" that led the MEV bot's automated system, while fully complying with its own rules, to make flawed decisions step by step.

It is undeniable that even participants like Jaredfromsubway.eth, once the most skilled at "exploiting the rules," are now exposed to an expanding array of attack vectors.

Furthermore, it's worth noting that following the attack on Jaredfromsubway.eth, an unknown X account with 94,000 followers changed its name to Jaredfromsubway.eth and falsely claimed to "offer a $1 million bounty for the full return of all funds."

Several developers have issued risk warnings, emphasizing that this account is not the official Jaredfromsubway.eth account (the MEV bot team has no official account) and that it may be used for scams in the future. Users are strongly advised to remain vigilant.
