The setup was built over several weeks, where the attacker deployed dozens of fake token contracts and fake liquidity pools – a term for a pile of tokens locked on a decentralized exchange – that looked like profitable trades. Some mimicked familiar assets such as wrapped ether (WETH), and dollar-pegged stablecoins USDC and USDT.
That bait did what it was supposed to do. Jaredfromsubway.eth’s bot saw what looked like MEV opportunities and generated approvals for attacker-controlled helper contracts to spend tokens on its behalf. Those approvals were used immediately as part of the trade in earlier tests, but later, the attacker created routes where the approvals stayed open.
This left the attacker with standing permission to pull funds. And they used those open approvals to transfer WETH, USDC and USDT out of Jaredfromsubway.eth’s contracts, draining more than $7.5 million.
Some of the stolen funds were later sent to Tornado Cash, onchain data reveiwed by CoinDesk showed.
The irony was hard to miss, meanwhile.
Jaredfromsubway.eth has long been one of the most visible symbols of toxic MEV on Ethereum. Sandwich attacks cost Ethereum traders about $60 million a year, with 60,000 to 90,000 attacks per month between November 2024 and October 2025.