JaredFromSubway, a prominent maximal extractable value (MEV) bot on Ethereum, suffered losses exceeding $15 million after falling victim to a sophisticated token approval exploit, according to security firm Blockaid.
The bot, which had accumulated millions in profits over several years by executing sandwich attacks on unsuspecting traders, became the target of attackers who deployed fake profitable trading opportunities. The scheme involved creating counterfeit tokens and liquidity pools designed to appear exceptionally lucrative. When the bot's automated systems detected what appeared to be arbitrage opportunities, it automatically granted token approvals to malicious smart contracts, inadvertently surrendering control of its holdings.
Attackers subsequently drained the bot's assets—including WETH, USDC, and USDT—through standard transferFrom function calls. A single withdrawal transferred approximately $7.5 million, with the total loss across all connected wallets reaching over $15 million. The incident underscores how automated trading systems optimized for profit extraction remain vulnerable to sophisticated social engineering attacks, regardless of their historical success.