JaredFromSubway MEV bot hacked in $15 million crypto theft

Summary

An attacker stole $15 million from the JaredFromSubway Ethereum MEV bot by manipulating its opportunity-detection logic with fake trading opportunities. The attacker deployed contracts that tricked the bot into granting spending approvals, which were then used to withdraw WETH, USDC, and USDT. JaredFromSubway initially offered a bounty for the funds' return, which went unanswered, and is now reportedly negotiating with a white-hat hacking group.

Full text

JaredFromSubway MEV bot hacked in $15 million crypto theft By Bill Toulas June 22, 2026 05:52 PM 0 The JaredFromSubway Ethereum MEV (Maximal Extractable Value) bot suffered a $15 million loss after an attacker manipulated the opportunity-detection logic by creating fake cryptocurrency trading opportunities. The drain was detected on Saturday by blockchain security firm Blockaid, and today, JaredFromSubway confirmed that the attacker used fake pools and tokens to trick the bot into approving helper contracts. According to Blockaid, the attacker deployed contracts designed to appear as profitable MEV opportunities to JaredFromSubway's automated execution system. The bot automatically analyzed routes and trade opportunities that seemed financially rewarding. It then generated the transactions needed to execute them, granting ERC-20 token approvals to contracts controlled by the attacker. It appears that the attacker planned the heist carefully, as early transactions served as harmless tests to help confirm the bot’s action routines. Later, the threat actor changed the route so that the allowance was not consumed or revoked after the bot granted approvals. The attacker accumulated valid spending permissions without immediately using them, reaching up to 92.1614 WETH approved to an attacker-controlled helper contract. Finally, the attacker used the open approvals to withdraw WETH, USDC, and USDT from the JaredFromSubway MEV bot contract via the transferFrom function. Karma slaps back MEV bots are ultra-fast automated trading systems that scan Ethereum and other blockchains for opportunities to make money by exploiting the order and timing of transactions before they are included in a block. JaredFromSubway is a private MEV operation with no publicly available code, known as one of Ethereum's most aggressive and visible “sandwich”-bot operations. In a sandwich attack, the bot detects a user's pending trade, places a buy order immediately before it, and then sells immediately afterward, profiting from the price movement caused by the victim's transaction. The practice is controversial because it often results in worse prices for regular traders while generating profits for the bot operator. Initially, JaredFromSubway offered a $3 million bounty to the attacker for the full return of the stolen funds, promising no further action would be taken. After receiving no response, JaredFromSubway increased the bounty to $7.5 million for the return of just 50% of the stolen amount, with $1 million to be given to the community. JaredFromSubway is also negotiating with "a white-hat hacking group" on the stolen $15 million but there is no confirmation of a deal yet. Test every layer before attackers do Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection. Get the whitepaper Related Articles: FBI: Americans lost a record $21 billion to cybercrime last yearUSB worm spreads crypto-stealing malware via Windows shortcut filesNew Rokarolla Android malware targets 217 banking, crypto appsFBI: Fraudsters use couriers to steal money in crypto scamsExploit released for Ivanti Sentry bug abused as zero-day in attacks

Indicators of Compromise

• malware — JaredFromSubway

Entities