A highly active Ethereum trading bot operating under the name jaredfromsubway.eth lost roughly $7.5 million after an attacker manipulated it into approving malicious contracts, according to onchain data. Security firm Blockaid said the attacker later converted the stolen funds into about 4,427 ETH, routing 1,000 ETH through Tornado Cash.
The exploit resulted in a single transaction that transferred 1,474.58 WETH, about 2.87 million USDC, and nearly 2 million USDT from the bot’s wallet. The bot, known for executing “sandwich” strategies that capture price differences around user trades, had been among the most active entities on Ethereum.
Exploit avoided private key compromise
Blockaid said the breach did not involve phishing or stolen private keys. Instead, the attacker used a more subtle method, tricking the bot into granting token approvals that later enabled withdrawals.
Over several weeks, the attacker deployed 66 counterfeit token contracts designed to mimic WETH, USDC, and USDT. These were paired with fake liquidity pools that appeared profitable to the bot’s automated logic. As a result, the system approved helper contracts that ultimately gained permission to move real assets.
Coordinated drain executed after testing phase
According to a forensic analysis by pseudonymous developer Banteg, the attacker tested the setup with low-value trades that behaved normally. The system then switched behavior during higher-value transactions.
In the final phase, a coordinator contract triggered simultaneous withdrawals across 66 linked contracts, draining funds from the bot’s existing token allowances and consolidating them into the attacker’s wallet.
Funds laundered through Ethereum upgrades and mixers
Blockchain tracker Lookonchain reported that the attacker swapped the stolen assets and began routing proceeds through anonymizing services. The receiving wallet was identified as an EIP-7702 delegated account, a feature introduced in Ethereum’s 2025 Pectra upgrade that allows wallets to execute contract-like code.
The use of this newer account structure highlights how recent network upgrades can introduce unexpected attack surfaces. Separate analysis has suggested that a large share of EIP-7702 delegations has already been linked to automated malicious scripts.
Impersonation account adds confusion
An X account using the same jaredfromsubway.eth identity claimed losses of $15 million and offered a $1 million reward for information. However, onchain analysts flagged the account as an impersonator, citing frequent name changes and unrelated promotional activity.
One of Ethereum’s most active bots
The targeted bot has been a dominant presence on Ethereum since early 2023, executing more than 85,000 transactions and at times ranking as the network’s largest daily gas spender. It previously drew attention for front-running a trade by Ethereum co-founder Vitalik Buterin, deploying over $1.14 million in WETH to secure the position.
Broader implications for traders
The incident underscores a shift in attack strategies, where exploiter tactics focus on abusing token approval mechanisms rather than stealing keys or directly breaking smart contracts.
For traders and developers, the breach highlights the risks tied to automated systems that rely on external contract interactions. Regularly reviewing and revoking unused token allowances has emerged as a critical safeguard, as open permissions were the key vulnerability exploited in this case.
Meanwhile, the use of Tornado Cash to obscure the funds complicates recovery efforts. A March 2026 U.S. Treasury report noted that while such services have legitimate privacy uses, they remain a common tool for laundering stolen digital assets, including billions linked to state-backed groups in recent years.
The attacker’s identity remains unknown, and it is unclear whether other automated trading systems were affected as onchain investigations continue.
Protect your assets from sophisticated exploits—learn essential safeguards in crypto safety standards every trader should know today.
Disclaimer: The content on this page is provided for general informational purposes only and does not represent the views or financial advice of Toobit. We make no guarantees regarding the accuracy or completeness of this information and shall not be held liable for any errors, omissions, or outcomes resulting from its use. Investing in digital assets involves risk; users should independently evaluate their financial situation and the risks involved. For further details, please consult our Terms of Service and Risk Disclosure.
