The collapse of a giant: MEV bot Jaredfromsubway.eth lost $7.5 million in a sophisticated attack

One of the most famous and aggressive MEV bots on the Ethereum network, Jaredfromsubway.eth, has fallen victim to a targeted hacker attack. As a result of the incident, the attacker withdrew assets worth over $7.5 million. This case is not just another hack, but a demonstration of a new level of complexity in attacks on automated trading systems.
How it happened: a trap on fake pools
Analysis shows that the attack was not a typical phishing scheme or exploitation of a vulnerability in the bot's own smart contract. Instead, the attacker created dozens of fake token contracts, skillfully disguised as popular liquid assets: WETH, USDC, and USDT. These tokens were embedded in fake liquidity pools that mimicked profitable trading opportunities.
The automated system of Jaredfromsubway.eth, programmed to seek such opportunities for conducting sandwich attacks, took the bait. The bot was forced to grant the attacker's auxiliary contracts permission to spend real assets. After receiving approval, the hacker activated all the embedded backdoors in a single transaction and instantly drained the bot's wallet. Part of the stolen funds has already been spotted in the Tornado Cash mixer, complicating their tracking.
Scale of the threat and consequences
This incident highlights the vulnerability of even the most dominant players in the MEV space. By my estimates, Jaredfromsubway.eth was so active that it accounted for about 70% of all sandwich attacks on the Ethereum network in recent months. For comparison, the total annual damage to traders from such manipulations is approximately $60 million, with between 60,000 and 90,000 such operations recorded per month.
My analysis: This attack is a wake-up call for the entire MEV sector. It shows that attackers are beginning to use the bots' own algorithms against them, creating "liquidity traps." Owners and developers of MEV bots need to radically rethink the logic of pool and contract verification to avoid falling victim to their own automation. The loss of $7.5 million for such a giant is a serious blow, but the main lesson here is for the entire ecosystem: trust in automated systems must be backed by multi-layered protection against social engineering at the code level.