The largest Ethereum MEV bot lost $7.5 million in a sophisticated attack

The well-known Ethereum MEV bot Jaredfromsubway.eth fell victim to a sophisticated attack, losing over $7.5 million. The incident has revealed a new dimension of vulnerabilities in automated maximum extractable value (MEV) strategies.
How the Attack Was Carried Out
Security experts from Blockaid classify this case not as a classic phishing attack or a standard smart contract vulnerability. The attacker operated through dozens of fake token contracts disguised as popular assets — WETH, USDC, and USDT. These contracts were linked to fake liquidity pools that mimicked profitable trading opportunities.
The automated system of the MEV bot, programmed to seek out such arbitrage opportunities, was deceived and granted the attacker's auxiliary contracts permission to spend real assets. As a result, in a single transaction, the attacker activated all backdoors and withdrew the funds. Part of the stolen coins has already been sent to the Tornado Cash mixer.
Scale of the Threat and the Role of Jaredfromsubway.eth
This bot has long been a dominant player in the MEV market. According to my data, annual trader losses in Ethereum from sandwich attacks amount to approximately $60 million. From November 2024 to October 2025, the network recorded between 60,000 and 90,000 such operations monthly, with roughly 70% of them linked specifically to Jaredfromsubway.eth.
Interestingly, in June 2024, this same bot was the largest consumer of gas on the Ethereum network, highlighting its aggressive strategy.
My analysis: This incident is a serious wake-up call for the entire MEV community. It demonstrates that even the most experienced and technically equipped bots are vulnerable to attacks that exploit not code, but their operational logic. Creating fake pools and tokens represents an evolution of phishing at the smart contract level, and in the near future, we will likely see more such attacks on automated systems.