JaredFromSubway MEV bot hacked in $15 million crypto theft

The JaredFromSubway Ethereum MEV (Maximal Extractable Value) bot suffered a $15 million loss after an attacker manipulated the opportunity-detection logic by creating fake cryptocurrency trading opportunities.

The drain was detected on Saturday by blockchain security firm Blockaid, and today, JaredFromSubway confirmed that the attacker used fake pools and tokens to trick the bot into approving helper contracts.

According to Blockaid, the attacker deployed contracts designed to appear as profitable MEV opportunities to JaredFromSubway's automated execution system.

The bot automatically analyzed routes and trade opportunities that seemed financially rewarding. It then generated the transactions needed to execute them, granting ERC-20 token approvals to contracts controlled by the attacker.

It appears that the attacker planned the heist carefully, as early transactions served as harmless tests to help confirm the bot’s action routines. Later, the threat actor changed the route so that the allowance was not consumed or revoked after the bot granted approvals.

The attacker accumulated valid spending permissions without immediately using them, reaching up to 92.1614 WETH approved to an attacker-controlled helper contract.

Finally, the attacker used the open approvals to withdraw WETH, USDC, and USDT from the JaredFromSubway MEV bot contract via the transferFrom function.

Karma slaps back

MEV bots are ultra-fast automated trading systems that scan Ethereum and other blockchains for opportunities to make money by exploiting the order and timing of transactions before they are included in a block.

JaredFromSubway is a private MEV operation with no publicly available code, known as one of Ethereum's most aggressive and visible “sandwich”-bot operations.

In a sandwich attack, the bot detects a user's pending trade, places a buy order immediately before it, and then sells immediately afterward, profiting from the price movement caused by the victim's transaction.

The practice is controversial because it often results in worse prices for regular traders while generating profits for the bot operator.

Initially, JaredFromSubway offered a $3 million bounty to the attacker for the full return of the stolen funds, promising no further action would be taken.

After receiving no response, JaredFromSubway increased the bounty to $7.5 million for the return of just 50% of the stolen amount, with $1 million to be given to the community.

JaredFromSubway is also negotiating with "a white-hat hacking group" on the stolen $15 million but there is no confirmation of a deal yet.