Chainalysis Shares Insights on $7.5 Million Reverse Honeypot Exploit Against Ethereum’s Top Sandwich Bot

Blockchain analytics firm Chainalysis has published an in-depth examination of a sophisticated exploit that drained at least $7.5 million from JaredfromSubway.eth, widely regarded as Ethereum’s most active sandwich-attack operator. According to insights from Chainalysis, the incident unfolded over June 20–21, 2026, when an unknown attacker used a reverse honeypot to turn the bot’s own aggressive trading logic against it.

As explained by Chainalysis, these so-called sandwich attacks are a common maximal extractable value (MEV) tactic on Ethereum.

Bots monitor the public mempool for pending user transactions and insert their own orders around them.

They typically buy a token immediately before the victim’s purchase to push the price higher, then sell right after, profiting from the resulting slippage while the original trader receives a worse execution price.

JaredfromSubway.eth, operating pseudonymously since 2023, built one of the most successful versions of this strategy.

At its peak, the bot was among the network’s largest gas consumers and was estimated to have cost other traders roughly $60 million annually in unfavorable trades while generating tens of millions in profits for its operator.

The June exploit began weeks earlier when the attacker deployed 66 fake token contracts that closely mimicked legitimate assets such as WETH, USDC, and USDT.

These were paired with fabricated liquidity pools engineered to appear as profitable sandwich opportunities.

JaredfromSubway.eth’s bot, optimized for rapid detection of mempool activity, repeatedly interacted with the deceptive contracts.

In doing so, it granted token-spending approvals to the malicious smart contracts.

These approvals were never revoked and accumulated across multiple transactions.

Once sufficient approvals were in place, a tripwire smart contract controlled by the attacker activated.

A single coordinated transaction then swept the bot’s wallets, extracting approximately $7.5 million in Ether and stablecoins.

Chainalysis tracked the subsequent flow using its on-chain tools: the attacker quickly swapped the stablecoins for Ether to reduce freeze risk from issuers, distributed the funds across several wallets, and routed them through Tornado Cash. No recoveries have been reported.

The attack succeeded because the bot granted spending permissions to contracts it never properly vetted.

Chainalysis notes that the operator prioritized speed over basic due diligence, such as checking contract verification status on Etherscan or reviewing deployment history.

This oversight allowed the fake pools to function as an effective honeypot.

The incident carries broader lessons for DeFi participants.

Token approvals function as ongoing permissions that can remain active indefinitely unless explicitly revoked.

Many users—retail traders and automated systems alike—grant broad or unlimited spending rights to contracts they have never reviewed.

Chainalysis highlights the risks of interacting with newly deployed or unverified liquidity pools that lack an established track record.

The firm recommends regularly revoking unused approvals and exercising caution with unfamiliar contracts before approving any spending rights.
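The approval audit this recommendation implies, as an added example (not code from Chainalysis or from this article): it replays raw ERC-20 `Approval` event logs for one wallet and lists approvals that are still non-zero toward spenders outside a vetted allowlist. The log records, addresses and allowlist are constructed placeholders, and the last approved value is treated as an upper bound that should be confirmed against the token's `allowance()` on chain.

```python
# keccak256("Approval(address,address,uint256)"), the ERC-20 Approval event signature
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1

def topic_to_address(topic):
    """An indexed address is left-padded to 32 bytes; keep the last 20."""
    return "0x" + topic[-40:].lower()

def outstanding_approvals(logs, owner, trusted_spenders):
    """Replay Approval logs in chain order; return live approvals to unvetted spenders."""
    latest = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # not an ERC-20 Approval (ERC-721 Approval has 4 topics)
        if topic_to_address(topics[1]) != owner.lower():
            continue  # approval granted by some other wallet
        spender = topic_to_address(topics[2])
        latest[(log["address"].lower(), spender)] = int(log["data"], 16)
    trusted = {s.lower() for s in trusted_spenders}
    findings = []
    for (token, spender), value in sorted(latest.items()):
        if value == 0 or spender in trusted:
            continue  # already revoked, or a vetted spender
        findings.append({"token": token, "spender": spender,
                         "unlimited": value == UNLIMITED, "value": value})
    return findings

# Constructed sample data below; none of these addresses come from the incident.
def pad_topic(addr):
    return "0x" + "0" * 24 + addr[2:]

def make_log(block, token, owner, spender, value, topic0=APPROVAL_TOPIC):
    return {"blockNumber": block, "logIndex": 0, "address": token,
            "topics": [topic0, pad_topic(owner), pad_topic(spender)],
            "data": "0x" + format(value, "064x")}

BOT, OTHER = "0x" + "b0" * 20, "0x" + "0e" * 20
ROUTER, FAKE1, FAKE2 = "0x" + "a1" * 20, "0x" + "f1" * 20, "0x" + "f2" * 20
TOKEN_A, TOKEN_B = "0x" + "7a" * 20, "0x" + "7b" * 20
SAMPLE_LOGS = [
    make_log(103, TOKEN_B, BOT, FAKE2, 0),            # later revocation
    make_log(100, TOKEN_A, BOT, ROUTER, UNLIMITED),   # vetted spender
    make_log(101, TOKEN_A, BOT, FAKE1, UNLIMITED),    # never revoked
    make_log(102, TOKEN_B, BOT, FAKE2, 5000),         # revoked at block 103
    make_log(104, TOKEN_A, OTHER, FAKE1, UNLIMITED),  # different owner
]

if __name__ == "__main__":
    print(outstanding_approvals(SAMPLE_LOGS, BOT, [ROUTER]))
```

Each finding is a candidate for revocation by calling `approve(spender, 0)` on the listed token contract.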

Even highly optimized MEV bots are not immune to deception when security hygiene is neglected.

The JaredfromSubway.eth case demonstrates that the same on-chain mechanisms enabling profitable trading can be weaponized by attackers who understand how these systems operate. As Chainalysis observes, protecting against such exploits requires consistent attention to approvals and contract verification, practices that apply equally to sophisticated operators and everyday DeFi users.


