JaredfromSubway.eth lost $7.5M in a honeypot exploit. Chainalysis tracked the funds straight to Tornado Cash. Here’s what happened.
JaredfromSubway.eth built a reputation as Ethereum’s most prolific sandwich attacker. Since 2023, the bot raked in tens of millions front-running unsuspecting traders.
On June 20–21, 2026, the tables turned.
According to a report by Chainalysis, an unknown attacker deployed a carefully engineered trap, draining at least $7.5 million from the bot in a single coordinated strike.
Here’s a detailed breakdown of the exploit and where the stolen funds went.
How the Sandwich Bot Operated on Ethereum
Ethereum’s mempool is publicly visible.
Anyone can see pending transactions before they confirm on-chain. JaredfromSubway.eth exploited this by spotting trades in the mempool and inserting itself around them.
The bot would front-run a user’s order first, pushing the price up. Then it would back-run the same trade, pocketing the difference.
Chainalysis describes this as a classic arbitrage sandwich. The strategy is controversial but widely used across DeFi.
The bot monitored token pools constantly, searching for price imbalances it could exploit. When it found one, it moved fast. Speed was the entire edge, and it worked for years without issue.
Ethereum’s most notorious sandwich attacker just lost $7.5 million to a honeypot. Read our latest research explaining the theft, where the money’s gone, and how you can avoid getting hacked. https://t.co/5AaXDCwzGI pic.twitter.com/a72CFTZ8Or
— Chainalysis (@chainalysis) June 26, 2026
The Honeypot Exploit That Drained $7.5 Million
According to Chainalysis, the attacker deployed 66 fake token contracts designed to mimic legitimate assets.
The bot identified these pools as trading opportunities and moved to execute its usual routine. Part of that routine involved granting token-spending approvals to the smart contracts it interacted with. These approvals were never revoked.
The fake contracts had no real profit inside them. The token pairs were fabricated. The bot never caught on and kept granting approvals across multiple transactions.
Once enough permissions had accumulated, a tripwire contract was activated. It swept the bot’s real holdings in a single transaction, pulling out at least $7.5 million in ETH and stablecoins.
The attacker didn’t sit on the stablecoins for long.
Leaving them in that form carried risk since issuers can freeze stablecoin balances. Within minutes, according to Chainalysis, the attacker converted everything into ETH to block any potential freeze.
Where the Stolen Funds Went After the Attack
Chainalysis used its Reactor tool to follow the stolen assets after the exploit.
The attacker split the funds across multiple wallets over the following days. These transfers eventually fed into Tornado Cash, a mixer that obscures the on-chain trail of funds.
As of the Chainalysis report, no funds have been recovered.
The blockchain analytics firm pointed to two core vulnerabilities that the exploit exposed. First, unrevoked token approvals don’t expire.
Every approval a wallet grants to a smart contract stays active until the user manually cancels it. JaredfromSubway.eth had dozens of live approvals pointing at malicious contracts without ever realizing it.
Second, the bot never vetted the contracts it interacted with.
Chainalysis noted that a basic check on Etherscan or a review of the deployment history could have flagged the 66 fake contracts. The bot was built for speed, not verification, and that trade-off cost it $7.5 million.
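Both weaknesses can be audited from a wallet’s own event history. The sketch below is an added example, not code from Chainalysis or the bot: it rebuilds a wallet’s live ERC-20 approvals from Approval logs and lists the ones granted to spenders that are not on a vetted list. All addresses and log entries are constructed sample data, and the helper names are hypothetical.

```python
# Added example: audit a wallet's live ERC-20 approvals from Approval event logs.
# keccak256("Approval(address,address,uint256)"), the standard event signature topic.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1

def topic_to_address(topic):
    """An indexed address is left-padded to 32 bytes; keep the last 20 bytes."""
    return "0x" + topic[-40:].lower()

def live_approvals(logs, owner):
    """Return {(token, spender): allowance} for approvals never set back to zero."""
    state = {}
    for log in sorted(logs, key=lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16))):
        topics = log["topics"]
        # ERC-20 Approval has 3 topics; ERC-721 shares the signature but has 4.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[1]) != owner.lower():
            continue
        key = (log["address"].lower(), topic_to_address(topics[2]))
        state[key] = int(log["data"], 16)  # a later approve() overwrites the earlier one
    # Upper bound only: transferFrom can lower an allowance without emitting
    # Approval, so confirm each hit with the token's allowance(owner, spender).
    return {k: v for k, v in state.items() if v > 0}

def unvetted(approvals, vetted_spenders):
    """Live approvals whose spender is not on the operator's vetted list."""
    vetted = {s.lower() for s in vetted_spenders}
    return sorted((token, spender, "unlimited" if amount == UNLIMITED else amount)
                  for (token, spender), amount in approvals.items()
                  if spender not in vetted)

# --- constructed sample data (placeholder addresses, not real contracts) ---
OWNER, OTHER = "0x" + "aa" * 20, "0x" + "bb" * 20
TOKEN_A, TOKEN_B = "0x" + "11" * 20, "0x" + "33" * 20
ROUTER, FAKE = "0x" + "22" * 20, "0x" + "66" * 20

def _log(token, owner, spender, amount, block, index=0):
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"address": token, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(amount, "064x"),
            "blockNumber": hex(block), "logIndex": hex(index)}

SAMPLE_LOGS = [
    _log(TOKEN_A, OWNER, ROUTER, 0, 105),         # revocation of the block-100 grant
    _log(TOKEN_A, OWNER, ROUTER, 500, 100),
    _log(TOKEN_A, OWNER, FAKE, UNLIMITED, 101),   # never revoked
    _log(TOKEN_B, OWNER, FAKE, 1000, 102),
    _log(TOKEN_B, OWNER, FAKE, 250, 103),         # overwrites the 1000 grant
    _log(TOKEN_B, OWNER, ROUTER, 10, 104),        # live, but spender is vetted
    _log(TOKEN_A, OTHER, FAKE, 999, 101, 1),      # different owner, ignored
]

if __name__ == "__main__":
    for row in unvetted(live_approvals(SAMPLE_LOGS, OWNER), [ROUTER]):
        print(row)
```

Each spender it reports is a candidate for the Etherscan and deployment-history review described above, and for revocation by approving a zero amount.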
