
Ethereum's Top Sandwich Bot Drained for $7.5M in 66-Contract Trap


TL;DR

  • The Ethereum MEV operation known as JaredFromSubway lost about $7.5 million in WETH, USDC and USDT after interacting with attacker-controlled tokens.
  • Blockaid said the attacker deployed dozens of fake contracts that the bot tried to sandwich, creating malicious approvals that enabled the drain.
  • On-chain transfers show about 1,474.58 WETH, 2.87 million USDC and 2 million USDT leaving the bot-linked contract.
  • The operator claimed the loss reached $15 million, but the larger figure was not independently confirmed when this article was published.

NEW YORK, June 21, 2026

Ethereum’s notorious JaredFromSubway sandwich bot was drained of about $7.5 million after an attacker lured its automated trading system into approving malicious token contracts, turning one of the network’s most aggressive MEV strategies against its operator.

The counterattack targeted a bot known for front-running and back-running decentralized-exchange users. Instead of exploiting Ethereum itself, the attacker built fake trading opportunities that caused the bot to grant permissions over assets held by its own contract.

Two on-chain transactions show approximately 1,474.58 wrapped ether, 2.87 million USDC and 2 million USDT leaving the bot-linked address. The assets were worth about $7.5 million when the drain occurred, while ETH traded near $1,730.

Blockchain security firm Blockaid said in its incident alert that the attacker used dozens of counterfeit tokens to create a counter-MEV trap. The bot attempted to sandwich transactions involving those tokens, but the resulting approvals allowed attacker-controlled contracts to move the bot’s WETH and stablecoins.

The loss is a reversal for a trading operation that became synonymous with extracting value from ordinary Ethereum swaps. JaredFromSubway has operated in several forms since 2023 and was previously estimated to have earned tens of millions of dollars through sandwich trades and related arbitrage.

The incident shows how automation can magnify losses as quickly as it captures small pricing advantages. A bot that reacts across many contracts at machine speed can repeatedly execute the same unsafe assumption before a human operator intervenes.

Figure: Ethereum (ETH) price, May 21 to June 21, 2026: $1,739 (-18.2%), high $2,127, low $1,569. Price series compiled from YCharts’ Ethereum historical data.

Fake Tokens Reversed the Sandwich

A sandwich trade begins when a bot detects a user’s pending swap in Ethereum’s public transaction flow. The bot buys the same asset first, pushing the price against the user, then sells after the user’s transaction executes at a worse rate.

The strategy is one form of maximal extractable value, or MEV, the profit available from choosing the order in which transactions enter a block. Ethereum’s documentation describes sandwich trading as harmful to users because it increases slippage and worsens execution.

The June 20 attacker appears to have exploited the bot’s willingness to engage with unfamiliar contracts. Blockaid’s analysis said the attacker created 66 fake tokens and seeded transactions that looked profitable to sandwich.

When JaredFromSubway interacted with the decoy assets, the bot generated approvals for contracts controlled by the attacker. An approval is an Ethereum permission that lets a designated contract transfer a specified token balance on an owner’s behalf.

That mechanism is routine in decentralized finance. Users approve routers, exchanges and lending protocols so applications can complete swaps or deposits without requiring a separate transfer first.

It also creates a direct loss path when the approved spender is malicious. The attacker did not need the bot’s private key after the vulnerable permissions existed. The approved contracts could call token transfer functions against the bot-linked address.

The attack therefore resembled a honeypot built for an automated predator. JaredFromSubway saw transactions it expected to exploit, but those trades existed to manipulate its contract behavior rather than to execute a genuine user swap.

The same approval model has produced losses in consumer wallets and DeFi systems, although the scale here came from the bot’s concentrated inventory. Daily Crypto Briefs previously covered how a Gnosis Pay module exploit drained 41 Safes, another case in which programmable permissions turned a narrow contract flaw into direct asset transfers.

On-Chain Transfers Confirm $7.5M

The strongest independently visible figure is about $7.5 million. One Etherscan record shows the stablecoin transfers, while a second shows 1,474.58 WETH moving from the bot-linked contract.

The operator later wrote that the loss was closer to $15 million and offered a $1 million return bounty. The larger claim could include other addresses, unrealized positions or transfers not yet connected to the confirmed attack path, but no complete accounting was published.

Daily Crypto Briefs therefore rates the $15 million figure unsupported at publication. The verified transactions substantiate the roughly $7.5 million estimate reported by Blockaid and CoinDesk, while the remainder has not been independently traced.

On-chain researchers said the attacker converted much of the stolen inventory into about 4,400 ETH. Roughly 1,000 ETH was then sent through Tornado Cash, a privacy protocol that breaks the public link between depositing and withdrawing addresses.

Moving funds through a mixer does not erase Ethereum’s transaction history, but it makes attribution and recovery substantially harder. Investigators can still follow timing, amounts and related wallets, yet the withdrawal destination is not directly exposed by the mixer contract.

The drain did not compromise Ethereum’s consensus, WETH, USDC or USDT. It exploited the bot’s application logic and approvals, a distinction that matters because holders of those assets were not automatically placed at risk by the same transactions.

The result also does not make sandwich trading disappear. Other searchers can compete for the same opportunities, and MEV infrastructure remains embedded in Ethereum’s block-building market.

Automation is expanding beyond trading bots. A recent Daily Crypto Briefs analysis found that AI agents and other automated systems account for a growing share of on-chain activity, increasing the importance of simulation, contract allowlists and transaction-level controls before software can move funds.

MEV Bots Face a New Adversary

The attack introduces a different risk calculation for MEV operators. A strategy designed around adversarial trading must now assume that the apparent victim transaction may itself be an adversarial input.

Safer systems can restrict interactions to reviewed tokens and routers, simulate complete transaction bundles, cap approvals, revoke unused permissions and limit the amount held in an execution contract. Those controls reduce the available trading universe or add latency, which can weaken the speed advantage that makes MEV profitable.

That trade-off is sharper for JaredFromSubway because the operation is optimized to scan widely and act quickly. A strict allowlist would block many decoys, but it could also exclude newly created pools where early MEV opportunities are largest.
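An added example, not code from Blockaid or the bot operator: a pre-submission policy check that applies the allowlist, approval-cap and revoke-unused controls listed above to the approval events produced by simulating a bundle. The addresses, limits, event shape and the `check_bundle` helper are assumptions made for illustration.

```python
from dataclasses import dataclass

# All addresses, limits and bundles below are constructed placeholders.
BOT = "0xB07"
REVIEWED_SPENDERS = {"0xR0UTER"}             # routers the operator has reviewed
REVIEWED_TOKENS = {"WETH", "USDC", "USDT"}
MAX_ALLOWANCE = {"WETH": 50 * 10**18, "USDC": 100_000 * 10**6, "USDT": 100_000 * 10**6}

@dataclass(frozen=True)
class Approval:
    token: str    # token contract that recorded the allowance
    owner: str
    spender: str
    amount: int   # new allowance, in the token's base units

def check_bundle(approvals, touched_tokens):
    """Return policy violations found in one simulated bundle (empty list = pass)."""
    violations = [f"unreviewed token {t}"
                  for t in sorted(set(touched_tokens) - REVIEWED_TOKENS)]
    residual = {}  # (token, spender) -> allowance left once the bundle ends
    for a in approvals:
        if a.owner != BOT:
            continue
        residual[(a.token, a.spender)] = a.amount  # approve() overwrites the old value
        if a.amount > 0 and a.spender not in REVIEWED_SPENDERS:
            violations.append(f"{a.token} approval to unreviewed spender {a.spender}")
        if a.amount > MAX_ALLOWANCE.get(a.token, 0):
            violations.append(f"{a.token} approval exceeds cap")
    for (token, spender), left in residual.items():
        if left > 0:
            violations.append(f"{token} allowance to {spender} not revoked")
    return violations

# Constructed bundle 1: reviewed router, capped approval, revoked before the end.
CLEAN = ([Approval("WETH", BOT, "0xR0UTER", 10 * 10**18),
          Approval("WETH", BOT, "0xR0UTER", 0)], ["WETH", "USDC"])
# Constructed bundle 2: decoy token plus an unlimited WETH allowance to an unknown spender.
DECOY = ([Approval("WETH", BOT, "0xUNKNOWN", 2**256 - 1)], ["WETH", "DECOY"])

if __name__ == "__main__":
    for name, (events, tokens) in (("clean", CLEAN), ("decoy", DECOY)):
        print(name, check_bundle(events, tokens) or "pass")
```

A bundle is submitted only when the returned list is empty; the strict token allowlist is the control that costs the most trading coverage, as the paragraph above notes.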

Token standards may eventually reduce some approval risk. Ethereum developers have proposed designs that replace or constrain the familiar ERC-20 allowance pattern, including a privacy-native token draft without public approve and allowance functions. Existing tokens and DeFi applications, however, still depend heavily on the current model.

The event is also likely to encourage copycats. Once a profitable bot’s transaction logic becomes observable, attackers can test variations of the same decoy-contract technique against other automated searchers.

Crypto sentiment remained in Extreme Fear during the weekend incident. Alternative.me’s Crypto Fear and Greed Index stood at 23 on June 20.

The next evidence to watch is a full address-level accounting from the bot operator, any Blockaid update on the 66-contract cluster and whether exchanges or stablecoin issuers identify recoverable funds before more ETH enters privacy tools. Until then, the confirmed story is narrower than the operator’s $15 million claim but still decisive: a bot built to sandwich Ethereum users lost roughly $7.5 million after its own automated approvals were weaponized.

Fact-checked by: Daily Crypto Briefs Fact-Check Desk

Frequently Asked Questions

How much did the JaredFromSubway MEV bot lose?

Verified on-chain transfers show about 1,474.58 WETH, 2.87 million USDC and 2 million USDT, worth roughly $7.5 million at the time. The operator claimed a $15 million loss, but the additional amount was not independently verified.

How was the JaredFromSubway bot exploited?

Blockaid said the attacker deployed dozens of fake tokens designed to attract the bot's sandwich strategy. The bot approved attacker-controlled contracts, allowing the attacker to transfer assets from the bot-linked contract.

What is an Ethereum sandwich bot?

A sandwich bot detects a pending decentralized-exchange trade, buys immediately before it and sells immediately after it. The victim receives a worse execution price while the bot attempts to profit from the price movement.

What assets were stolen?

The visible transfers included approximately 1,474.58 wrapped ether, 2.87 million USDC and 2 million USDT.

Were ordinary Ethereum users directly affected?

The confirmed drain targeted the JaredFromSubway operation. The event did not represent a failure of the Ethereum network itself, although it highlights the risks of automated contract approvals and adversarial MEV strategies.

Can the stolen funds be recovered?

Recovery is uncertain. On-chain investigators reported that the attacker converted much of the haul into ether and sent about 1,000 ETH through Tornado Cash, which complicates tracing.