
Ethereum's Most Notorious Front Running Bot's Own Greed Gets Turned Against It - Tricked Into Giving Up MILLIONS Worth of ETH...

The hunter became the hunted, and the hunter was holding a fortune in stolen ETH when it happened.

JaredFromSubway.eth is the most active and most hated MEV, or 'front running', bot on Ethereum. It works by spotting places where it can insert itself ahead of a pending trade: it cuts in line by paying higher gas fees and buys the tokens that otherwise should have gone to you, forcing your order to be filled with higher-priced tokens. Then, once you've overpaid for your coins, it immediately sells the ones it bought at the new higher price. While the amount earned each time is often small, multiply that by hundreds of transactions every hour and this practice adds millions in additional costs to traders every year.

But it was the front runners who took a hit over the weekend, when an attacker built an elaborate honeypot designed to look exactly like the kind of profit opportunity the bot is wired to chase. Security firm Blockaid disclosed the exploit on Saturday, and the on-chain trail tells a story that has the entire crypto community grinning ear to ear. The bot did what it was built to do. The attacker just made sure it did it on the wrong contracts. For anyone who has ever lost a few cents to a sandwich attack while trying to swap on Uniswap, this might be the most satisfying news of the year.

There is no comment from the operator beyond the bounty offer, and there is unlikely to be one any time soon.

How a Hunter Built a Better Trap

The attacker deployed 66 fake token contracts, each one mimicking the look and interface of real assets like WETH, USDC, and USDT, and paired each one with a sham liquidity pool. The routes were carefully designed so that the bot's automated decision logic would flag the contracts as a legitimate sandwich opportunity. The first few baits worked exactly the way a normal MEV trade would. Small approvals went in, the swap closed cleanly, and the approvals were consumed by the trade. The bot's risk model had no reason to flinch.

Then the trap snapped. On the larger bait transactions, the attacker had structured the swaps so that the approvals stayed open instead of being spent on a real trade. By the time anyone was watching, JaredFromSubway had quietly granted token-spending permissions on USDC, USDT, and WETH to a series of attacker-controlled helper contracts. The bot was not hacked in the traditional sense. There was no smart contract bug, no compromised private key, no leaked seed phrase. The exploit was a behavioral one, and the bot was tricked into giving permission the same way it gives permission every day, just to the wrong wallet.
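One way an operator could catch the pattern described above, shown as an added example that is not part of the original article or any bot's real code: snapshot the bot's allowances before and after simulating a bundle, and refuse to send it if any approval is left open to a spender outside an allowlist. The token labels, spender names, amounts and the `TRUSTED_SPENDERS` allowlist are constructed assumptions.

```python
# Added example: allowance-residue check run on a simulated bundle before sending.
# Token labels, spender names and amounts are constructed for illustration.
from typing import Dict, List, NamedTuple, Set, Tuple

Snapshot = Dict[Tuple[str, str], int]  # (token, spender) -> allowance from the bot

class OpenApproval(NamedTuple):
    token: str
    spender: str
    before: int
    after: int

TRUSTED_SPENDERS: Set[str] = {"known_router"}  # hypothetical operator allowlist

def open_approvals(before: Snapshot, after: Snapshot,
                   trusted: Set[str] = TRUSTED_SPENDERS) -> List[OpenApproval]:
    """Return approvals the bundle granted but did not consume."""
    found = []
    for (token, spender), remaining in sorted(after.items()):
        previous = before.get((token, spender), 0)
        # A normal trade spends its approval, so the allowance returns to its
        # earlier value. Anything higher is spending power left behind.
        if remaining > previous and spender not in trusted:
            found.append(OpenApproval(token, spender, previous, remaining))
    return found

def safe_to_send(before: Snapshot, after: Snapshot) -> bool:
    """Policy: never send a bundle that leaves an approval open to an unknown spender."""
    return not open_approvals(before, after)

# Constructed snapshots. The small bait behaves like a normal trade: its approval
# is fully spent. The large bait leaves approvals open on real assets.
PRE: Snapshot = {("USDC", "known_router"): 0}
SMALL_BAIT_POST: Snapshot = {("USDC", "helper_a"): 0, ("USDC", "known_router"): 0}
LARGE_BAIT_POST: Snapshot = {
    ("USDC", "helper_a"): 5_000_000 * 10**6,  # USDC uses 6 decimals
    ("WETH", "helper_b"): 2**256 - 1,         # unlimited approval
    ("USDC", "known_router"): 0,
}

if __name__ == "__main__":
    print("small bait safe:", safe_to_send(PRE, SMALL_BAIT_POST))
    for hit in open_approvals(PRE, LARGE_BAIT_POST):
        print("left open:", hit.token, "->", hit.spender, hit.after)
```

In practice the snapshots would come from reading each token's `allowance(owner, spender)` against the simulated post-bundle state, so the check runs on what the bundle would actually leave behind rather than on what the route appears to do.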

Somewhere Between $7 and $15 Million in ETH, Gone

Once the approvals were in place, the attacker drained the bot's working capital and swapped most of it into roughly 4,427 ETH, worth about $7.7 million at the time of the move. On-chain analysts at HTX and other tracking firms watched as 1,000 ETH of those funds were immediately routed into Tornado Cash, the mixer that was sanctioned by the US Treasury before being delisted from the sanctions list earlier this year. The rest of the funds are still being tracked across wallets, with several exchanges already flagging deposit addresses linked to the attacker. Some reports place the final loss higher, with BleepingComputer putting the figure closer to $15 million once every approval is added up.

JaredFromSubway's operator, who has never publicly identified themselves, did not stay quiet. Within hours of the drain, they used an on-chain input data message to offer the attacker a bounty of 2,150 ETH, close to half of the stolen funds, for the return of the rest within 48 hours. The operator said no further action would be taken if the funds came back. The clock started ticking and as of this writing nothing had been returned. Whatever the final number, this is the largest single loss for a private MEV operation in Ethereum's history, and the bounty offer is the first time the JaredFromSubway team has spoken publicly through anything other than block transactions.

The Cosmic Joke Nobody Misses

There is no easy way to feel sorry for the operator of a bot that has spent years skimming value out of every retail user dumb enough to swap with default slippage. The accused attacker has effectively run a counter-MEV operation, a tactic that has been theorized in academic papers for years but rarely executed at this scale. By engineering opportunities that looked profitable but were actually designed to bait approvals, the attacker turned the bot's strongest features, speed and aggression, into its biggest vulnerability. It is the closest thing crypto has had to poetic justice this year, and one of the cleanest examples of the predator becoming the prey since the genre was invented.

The bigger lesson, for any sandwich operator or other automated arbitrage system on Ethereum, is that the meta is shifting. Counter-MEV is no longer just research, and the approvals logic that every bot uses to interact with new contracts has become part of the attack surface. Operators who spent years optimizing for raw speed and gas now also have to optimize for trust. JaredFromSubway has been quiet on chain since the drain, the bounty clock is still running, and the community is still laughing. Somewhere out there a very patient honeypot designer is watching $7.7 million in fresh wallets settle in. Whether the bounty gets accepted or not, the message has already been delivered to every other MEV bot operator on the network. Greed has a price, and it is finally being paid in the same currency it was used to extract.

---------------

Author: Cedric Holloway
New York Newsroom
Breaking Crypto News