TL;DR
- Million-dollar loss: The JaredfromSubway.eth bot suffered a theft of at least $7.5 million in Ethereum and stablecoins.
- Attack strategy: An unknown actor deployed 66 fake token contracts to exploit the bot’s spending approvals.
- Destination of funds: The stolen assets were converted to ETH and transferred to the Tornado Cash mixer to obscure their trail.
This Friday, it was confirmed that the primary Ethereum sandwich attacker, identified by the domain JaredfromSubway.eth, lost more than $7.5 million dollars in a honeypot exploit or liquidity trap between June 20 and 21, 2026.
This bot had been operating on the network since 2023, detecting pending transactions in Ethereum’s public temporary memory or mempool. Information from Chainalysis reveals that the software’s strategy consisted of executing buy orders just before ordinary users to inflate prices, immediately selling the assets afterward to capitalize on the difference in technical arbitrage operations.
The fake contracts trap
The anonymous attacker designed an ecosystem with 66 falsified token contracts that simulated real assets from the decentralized market. The automated bot identified these funds as legitimate trading opportunities and proceeded to grant token-spending approvals to the smart contracts involved—a routine step that the trading system did not subsequently revoke.
The created token pairs lacked real value and were designed exclusively to accumulate permissions from the affected wallet. Once the attacker gathered the necessary authorizations, a tripwire contract was activated that emptied the bot’s holdings in a single coordinated transaction, stealing deposits in Ether and stablecoins.
Data from Chainalysis suggests that the person responsible for the exploit immediately transformed all stablecoins into Ether. The technical report notes that this conversion was executed within a few minutes to prevent the issuing companies of those crypto-assets from freezing the balances of the addresses under their control.
Ethereum’s most notorious sandwich attacker just lost $7.5 million to a honeypot. Read our latest research explaining the theft, where the money’s gone, and how you can avoid getting hacked.https://t.co/5AaXDCwzGI pic.twitter.com/a72CFTZ8Or
— Chainalysis (@chainalysis) June 26, 2026
The destination of the capital in Tornado Cash
The blockchain analytics firm used its specialized Reactor tool to track the stolen assets during the days following the incident. The investigation showed that the attacker strategically split the funds across multiple digital wallets before sending them to Tornado Cash, a decentralized mixing protocol used to break the tracking link on the blockchain.
The report concludes that the bot presented a critical vulnerability due to the accumulation of unlimited contract approvals that remained active indefinitely. Chainalysis analysts determined that the system prioritized execution speed over security filters, omitting basic verifications on block explorers like Etherscan that would have revealed the fraudulent nature of the contracts used. At the time of closing this report, no part of the $7.5 million dollars had been recovered by the administrators of the arbitrage bot.
