The setup was built over several weeks, during which the attacker deployed dozens of fake token contracts and fake liquidity pools – a term for a bunch of tokens locked on a decentralized exchange – that looked like profitable trades. Some mimic familiar assets such as wrapped ether (WETH) and dollar-pegged stablecoins USDC and USDT.
This bait did what it was supposed to do. Jaredfromsubway.eth’s bot saw what looked like MEV opportunities and generated approvals for attacker-controlled support contracts to spend tokens on its behalf. These trusts were used immediately as part of exchanges in earlier tests, but later the attacker created routes where the trusts remained open.
This left the attacker with permanent permission to withdraw funds. And they used these open approvals to transfer WETH, USDC, and USDT from Jaredfromsubway.eth contracts, draining over $7.5 million.
A portion of the stolen funds was then sent to Tornado Cash, according to on-chain data reviewed by CoinDesk.
Meanwhile, it was hard not to notice the irony.
Jaredfromsubway.eth has long been one of the most visible symbols of toxic MEV on Ethereum. Sandwich attacks cost Ethereum traders around $60 million per year, with 60,000 to 90,000 attacks per month between November 2024 and October 2025.
