After a $7.5 Million Loss, Can Ethereum Finally Fix MEV?

By Ashish Kumar
  • The operator of the Ethereum MEV bot Jaredfromsubway.eth offered a 50% bounty after a hacker stole over $7.5 million through a reverse honeypot attack.
  • The attacker used fake token contracts and liquidity pools to trick the bot into approving malicious contracts, enabling the theft of WETH, USDC, and USDT.
  • Parts of the stolen funds were converted into ETH, with at least 1,000 ETH already moved through Tornado Cash to obscure the trail.

The operator behind Jaredfromsubway.eth, one of Ethereum’s most prolific automated trading bots, offered a 50% white hat bounty on June 22 after a hacker drained more than $7.5 million from the bot’s wallet using a carefully constructed on-chain honeypot. It proves that bots that exploit regular traders can also be a target for cyber criminals.

The bot’s operator, known by the on-chain identity ae13, posted a message directly to the attacker: “Well played. We are willing to offer a 50% white hat bounty if you return the ETH to us in the next 48 hours. We will pursue all available legal and law-enforcement options.” The bounty asks for the return of 2,150 ETH to a specified address.

How the exploit happened

Security firm Blockaid discovered the hack and described it as a case of “attacker-controlled contracts tricking an automated MEV execution system into granting token approvals, later used to drain funds.”

According to Odaily, the attacker had been laying traps for weeks, deploying 66 fake token contracts and liquidity pools that impersonated real tokens such as WETH, USDC, and USDT. These pools generated artificial price spreads that looked like profitable arbitrage opportunities to the bot’s automated systems.

While executing trades on these pools, the bot granted token approvals to contracts under the attacker’s control, and these approvals were never revoked. In a single transaction, the attacker then triggered a backdoor mechanism to steal from the bot’s portfolio.

According to PeckShield Alert, the attacker has stolen 1,474.58 WETH, 2.87 million USDC, and 2 million USDT. The attacker has converted portions of these tokens to 4,400 ETH and has already moved 1,000 ETH through Tornado Cash, a mixing service used to obscure transaction trails.

The bot that became a target

The bot Jaredfromsubway.eth managed to establish itself as one of the top sandwich attack bots on the Ethereum blockchain. A sandwich attack works by placing buy and sell orders around a victim’s pending transaction, profiting from the price movement the victim’s trade creates.

The bot’s scale was enormous. Research data cited by Odaily showed that between November 2024 and October 2025, Ethereum saw between 60,000 and 90,000 sandwich attacks per month. Roughly 70% of those were linked to Jaredfromsubway.eth’s strategy system. At peak activity, the bot generated hundreds of thousands of dollars in daily revenue. It once front-ran a transaction by Ethereum co-founder Vitalik Buterin.

The operator pointed out the irony of the situation in another post on X: “Got sandwiched myself. $15M drained in a reverse honeypot. Fake pools, fake tokens, my own bot approved the trap.”

The example of Jaredfromsubway.eth is an interesting case where two issues in the field of crypto security overlap: bots that earn money from small investors and hackers that exploit these bots for even greater payoffs.

Exploitation of cryptocurrency platforms and automation systems has risen exponentially. Attacks on DeFi platforms by North Korea-based criminal entities amounted to more than $1 billion, based on Chainalysis figures. It is common practice for companies to offer white-hat bounties after a theft; however, their success rates have not always been high. In January 2022, Qubit Finance offered a bounty of $2 million to recover the funds lost in its $78 million hack. The attacker did not accept the offer.

Mitigating some of the negative impacts of MEV

Ethereum users often grant smart contracts permission to spend tokens on their behalf through a mechanism known as a token approval. Instead of approving every individual transaction, users frequently authorize a decentralized exchange or application to access a large amount—or even an unlimited amount—of a token. This improves convenience but creates a security risk if the approved contract is compromised or malicious. Approvals remain active until they are explicitly revoked, even if the user disconnects their wallet from the application.
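The persistence of approvals described above can be audited from event logs. The following is an added example, not code from the article or from any party it names: it replays ERC-20 Approval logs for one wallet and lists non-zero allowances held by spenders outside an allowlist. The addresses, the allowlist and the sample logs are constructed for illustration.

```python
# Added example: list ERC-20 allowances still outstanding for a wallet by
# replaying Approval logs in chain order. All addresses and logs are constructed.
# topic0 = keccak256("Approval(address,address,uint256)")
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1

def topic_to_address(topic):
    # Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes.
    return "0x" + topic[-40:].lower()

def outstanding_approvals(logs, owner, trusted_spenders):
    """Return {(token, spender): amount} for live allowances granted by `owner`
    to spenders not in the allowlist. The result is an upper bound: spending via
    transferFrom may not emit Approval, so confirm with allowance(owner, spender)."""
    owner = owner.lower()
    trusted = {s.lower() for s in trusted_spenders}
    live = {}
    for log in logs:
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # ERC-721 Approval shares topic0 but has 4 topics
        if topic_to_address(topics[1]) != owner:
            continue
        key = (log["address"].lower(), topic_to_address(topics[2]))
        amount = int(log["data"], 16)
        if amount == 0:
            live.pop(key, None)  # approve(spender, 0) revokes the allowance
        else:
            live[key] = amount   # a later approval overwrites the earlier one
    return {k: v for k, v in live.items() if k[1] not in trusted}

def make_log(token, owner, spender, amount):
    # Constructed log in the shape eth_getLogs returns (address, topics, data).
    pad = lambda a: "0x" + "0" * 24 + a[2:]
    return {"address": token, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(amount, "064x")}

BOT, ROUTER, UNKNOWN = ("0x" + c * 20 for c in ("b0", "aa", "ee"))
TOKEN_A, TOKEN_B = ("0x" + c * 20 for c in ("11", "22"))
SAMPLE_LOGS = [
    make_log(TOKEN_A, BOT, ROUTER, UNLIMITED),   # allowlisted spender, ignored
    make_log(TOKEN_A, BOT, UNKNOWN, UNLIMITED),  # never revoked: flagged
    make_log(TOKEN_B, BOT, UNKNOWN, 500),
    make_log(TOKEN_B, BOT, UNKNOWN, 0),          # revoked later: not flagged
]

def audit_sample():
    return outstanding_approvals(SAMPLE_LOGS, BOT, [ROUTER])
```

Any entry the audit returns is an approval the wallet should revoke by approving the same spender for zero.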

This example also draws attention to the impact of maximal extractable value (MEV) on the Ethereum blockchain. MEV is a type of profit earned from controlling the order, inclusion, or exclusion of transactions within the block. Specialized traders known as “searchers” run automated bots to find profitable opportunities in pending transactions, such as arbitrage, liquidations, or front-running trades. According to Ethereum’s documentation, “generalized frontrunners” are bots that monitor the mempool, copy profitable transactions, substitute the destination address with their own, and submit a new version before the original transaction.

Earlier, Cryptopolitan reported that crypto investor and commentator David Gokhshtein said, “We shouldn’t be happy about this; no one should celebrate … but if you’ve ever been sandwiched by this … I’m pretty sure you’re not upset about this news.”

Many professional searchers route their transactions through private relay networks such as Flashbots, which helps them avoid the risk of competing bots copying or frontrunning their strategies. The Flashbots project was launched as a solution for mitigating the negative impact of MEV extraction while providing infrastructure for searchers and validators.

Labeling post-theft negotiations as “white hat bounties” has faced backlash from the security community.

Whether the Jaredfromsubway.eth attacker will accept the 50% offer remains unclear. With 1,000 ETH already routed through Tornado Cash, the clock is running against the 48-hour deadline.

FAQs

What is Jaredfromsubway.eth?

Jaredfromsubway.eth is one of Ethereum's most active MEV (maximal extractable value) bots, known primarily for sandwich attacks that profit by front-running and back-running other users' trades. Between November 2024 and October 2025, it was linked to roughly 70% of all sandwich attacks on Ethereum, according to Cointelegraph Research data.

How was the MEV bot hacked?

The attacker deployed 66 fake token contracts and fraudulent liquidity pools over several weeks, disguising them as legitimate assets. When the bot traded against these pools, it granted token approvals to attacker-controlled contracts, which were then used to drain 1,474.58 WETH, 2.87 million USDC, and 2 million USDT in a single transaction, according to Blockaid and PeckShield monitoring data.

What is the white hat bounty the operator offered?

The operator posted an on-chain message offering to let the attacker keep 50% of the stolen funds if the remaining 2,150 ETH is returned within 48 hours, according to a June 22 post from the @jaredsmev account on X. If the funds are not returned, the operator said they would pursue legal and law-enforcement action.

Ashish Kumar

Ashish Kumar is a crypto and financial journalist with eight years of newsroom experience. He covers what’s happening with crypto markets, regulation, DeFi, and exchange ecosystems. He has worked with Coingape, Todayq, and Newsroompost. Ashish holds a PGDP in English Journalism from the IIMC. He has also interviewed industry figures including Arthur Hayes, Yat Siu, Austin Federa, and more.
