An Ethereum MEV bot linked to JaredFromSubway lost $15 million after an attacker exploited it by creating fraudulent cryptocurrency trading opportunities.
The security breach was identified on Saturday by blockchain security experts at Blockaid, with JaredFromSubway subsequently confirming that the perpetrator manipulated the bot by introducing fake pools and tokens to deceive it into authorizing helper contracts.
Blockaid revealed that the attacker strategically deployed contracts designed to mimic profitable MEV opportunities to deceive JaredFromSubway’s automated execution system.
The bot autonomously assessed potential trade routes that appeared lucrative and generated the necessary transactions to execute them, granting approvals to ERC-20 tokens controlled by the attacker.
Evidence suggests that the attacker meticulously orchestrated the attack, initially conducting harmless trial transactions to validate the bot’s response mechanisms. Subsequently, the threat actor altered the route to ensure that the approvals were not utilized or revoked after being granted by the bot.
Through this method, the attacker obtained valid spending permissions without immediate utilization, accumulating up to 92.1614 WETH approved to a helper contract under their control.
Ultimately, the attacker leveraged these approvals to withdraw WETH, USDC, and USDT from the JaredFromSubway MEV bot contract using the transferFrom function.
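The condition described above, an approval still open when the bot's transaction ends, can be audited by replaying decoded traces. The following is an added example, not code from Blockaid or JaredFromSubway; the event schema, addresses and amounts are constructed, and it assumes standard ERC-20 behaviour where approve overwrites the allowance and transferFrom reduces it.

```python
from dataclasses import dataclass
from itertools import groupby

WETH = 10**18  # base units per WETH (18 decimals)

@dataclass(frozen=True)
class Event:          # hypothetical, pre-decoded trace record
    tx: str           # transaction label (constructed)
    kind: str         # "approve" or "transferFrom"
    token: str
    owner: str        # account whose balance is at risk
    spender: str      # account allowed to pull funds
    amount: int       # token base units

def residual_allowances(events, owner, trusted=frozenset()):
    """Replay block-ordered events and report allowances that `owner`
    leaves open to untrusted spenders when each transaction ends."""
    allowance = {}    # (token, spender) -> remaining allowance
    findings = []
    for tx, group in groupby(events, key=lambda e: e.tx):
        touched = set()
        for e in group:
            if e.owner != owner:
                continue
            key = (e.token, e.spender)
            if e.kind == "approve":          # approve() overwrites the allowance
                allowance[key] = e.amount
            elif e.kind == "transferFrom":   # spending consumes it
                allowance[key] = max(0, allowance.get(key, 0) - e.amount)
            touched.add(key)
        for key in sorted(touched):
            if allowance[key] > 0 and key[1] not in trusted:
                findings.append((tx, key[0], key[1], allowance[key]))
    return findings

# Constructed sample: addresses and amounts are illustrative, not from the incident.
BOT, HELPER, ROUTER = "0xBot", "0xHelper", "0xRouter"
SAMPLE = [
    Event("tx1", "approve", "WETH", BOT, HELPER, 1 * WETH),       # trial: approved...
    Event("tx1", "transferFrom", "WETH", BOT, HELPER, 1 * WETH),  # ...and fully used
    Event("tx2", "approve", "WETH", BOT, ROUTER, 3 * WETH),       # trusted spender
    Event("tx3", "approve", "WETH", BOT, HELPER, 5 * WETH),       # granted, never used
    Event("tx4", "transferFrom", "WETH", BOT, HELPER, 5 * WETH),  # pulled later
]

if __name__ == "__main__":
    for finding in residual_allowances(SAMPLE, BOT, trusted={ROUTER}):
        print("dangling allowance:", finding)
```

A finding at the end of a transaction means the spender can still call transferFrom later; the same invariant can be enforced on-chain by resetting the allowance to zero before the transaction completes.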

The Consequences of Unchecked Greed
MEV bots are high-speed automated trading systems that scour Ethereum and other blockchains for profit-making opportunities by exploiting the order and timing of transactions before they are confirmed in a block.
JaredFromSubway is a secretive MEV operator with proprietary code, recognized as one of Ethereum’s most aggressive “sandwich” bot operations.
In a sandwich attack scenario, the bot identifies a user’s impending trade, executes a buy order just before it, and sells immediately after, capitalizing on the price fluctuations triggered by the victim’s transaction.
This practice has sparked controversy due to its tendency to disadvantage regular traders by offering unfavorable prices while generating profits for the bot operator.

Initially, JaredFromSubway offered a $3 million reward to the attacker for the complete return of the stolen funds, pledging no further repercussions.
Following a lack of response, JaredFromSubway raised the reward to $7.5 million for the return of 50% of the stolen amount, with $1 million designated for community benefit.
JaredFromSubway is currently in discussions with a “white-hat hacking group” regarding the recovery of the $15 million sum, although no agreement has been finalized as yet.