猎手反遭围猎，最能赚钱的MEV Bot被黑了

Original: Odaily Planet Daily (@OdailyChina)

Author: Azuma (@azuma_eth)

A highly targeted on-chain attack was launched on Saturday against the well-known MEV Bot address Jaredfromsubway.eth, which has been long active on the Ethereum network, resulting in losses exceeding $7.5 million.

According to investigations by Blockaid and several on-chain analysis firms, this incident was not a traditional phishing attack or smart contract exploit, but rather a "counter-MEV honeypot attack" specifically designed against the operational logic of MEV Bots.

Over the weeks preceding the attack, the attacker systematically deployed 66 fake token contracts and fraudulent liquidity pools. These assets were meticulously disguised on-chain as mainstream stable assets like WETH, USDC, and USDT, constructing a seemingly legitimate arbitrage path.

The attack chain unfolded progressively during this process: The fake liquidity pools generated signals of "arbitrageable price spreads"; the MEV bot automatically identified the arbitrage opportunity and executed the trade; the bot authorized the attacker's auxiliary contracts during the transaction; the authorization was not revoked in time, creating continuous permission exposure; ultimately, the attacker invoked pre-planted backdoor logic in a single transaction, directly transferring assets such as ETH, USDC, and USDT held by the MEV bot address.

On-chain data shows that the total value of assets stolen from Jaredfromsubway.eth in this incident has exceeded $7.5 million. The attacker has since split and transferred part of the assets, further dispersing the fund flow through mixing tools.

Who is Jaredfromsubway.eth? The Most Notorious MEV Bot Address

The reason this attack has garnered so much attention is that the victim, Jaredfromsubway.eth, is itself the most active, profitable, and notorious MEV Bot on the Ethereum network (arguably without exception).

Essentially, "MEV attacks" are a class of on-chain arbitrage activities revolving around the "ordering rights of transactions." In the Ethereum network, transactions first enter the mempool to await packaging before being included in a block. Block builders or searchers can extract additional profits by adjusting transaction order, inserting transactions, or reordering transactions within a block.

The most typical attack type is the "Sandwich Attack" — the attacker places a buy and a sell order immediately before and after the user's transaction, profiting from price slippage in a short timeframe. This behavior is extremely common in high-liquidity DeFi trading pairs and constitutes one of the most fundamental profit models within the MEV ecosystem.

Jaredfromsubway.eth is the most representative automated executor under this mechanism. Unlike traditional "single-point arbitrage bots," this MEV Bot operates more like a highly industrialized MEV execution system. It continuously monitors unconfirmed transactions in the mempool, identifies attackable transaction paths in real-time, and constructs trades, bids for Gas, and inserts ordering within an extremely short time window to systematically capture slippage profits.

Data from Cointelegraph Research indicates that between November 2024 and October 2025, the Ethereum network experienced approximately 60,000 to 90,000 sandwich attacks per month, with about 70% of them being linked to the strategy system associated with Jaredfromsubway.eth.

In May of this year, Ethereum co-founder Vitalik Buterin's transaction to swap 26,544 DigitalBits (XDB) was also targeted and sandwiched by Jaredfromsubway.eth.

There is no official statistic regarding the historical revenue of Jaredfromsubway.eth, but conservative estimates suggest that the address has accumulated tens of millions of dollars in MEV profits over its active cycles. During peak periods, its daily earnings could reach hundreds of thousands of dollars, and it has consistently occupied top positions in Ethereum's MEV rankings for a long time.

Escalating Crypto Security Threats: Top Predators Are Not Immune

While reflecting on the irony of "the hunter becoming the hunted," the attack on Jaredfromsubway.eth has once again sounded the alarm on cryptocurrency risks.

In the past, MEV Bots like Jaredfromsubway.eth were considered on-chain "predators" — persistently capturing slippage and arbitrage opportunities from user transactions through automated strategies. They occupied a dominant position in the ecosystem and were arguably the most representative type of attacker in the cryptocurrency market.

This time, however, it became the target of a carefully designed scheme, was lured, and ultimately harvested. The attacker did not choose a traditional exploit path. Instead, they constructed a long-running "behavioral trap," causing the MEV Bot's automated system, while fully complying with its own rules, to gradually make flawed decisions.

It must be acknowledged that even participants like Jaredfromsubway.eth, once masters of "exploiting the rules," are now being exposed to more dimensions of attack surfaces.

Furthermore, it is worth noting that after Jaredfromsubway.eth was drained, an unknown X account with 94,000 followers changed its name to Jaredfromsubway.eth and falsely claimed it would "offer a $1 million bounty for the full return of all funds."

Several developers have issued risk warnings regarding this, emphasizing that this account is not the official Jaredfromsubway.eth account (the MEV Bot team has no official account) and that there is a possibility it might be used for scams in the future. Users are urged to remain vigilant.