JaredFromSubway Offers 50% Bounty After MEV Bot Drain

JaredFromSubway has offered the exploiter a “50% bounty” after its Ethereum MEV bot was drained through an approval-based counter-MEV attack.

The new recovery message marks a major shift from the earlier bounty posture, turning the incident into a direct split-return negotiation with the attacker. A 50% offer means the exploiter could keep half the proceeds if funds are returned under the proposed terms, though no public onchain return had confirmed acceptance.

Well played. We are willing to offer a 50% white hat bounty if you return 2150 ETH to this address in the next 48 hours, otherwise we will pursue all available legal and law-enforcement remedies.

The exploit had already been tied to a suspected dangling-approval route, after JaredFromSubway’s MEV bot contract appeared to lose more than 4,400 ETH from 0x3e37f4A10d771Ba9dE44b6d301410b1BEdeA65d0. Etherscan now labels that address as “JaredFromSubway Exploiter 1”.

The key exploit transaction remains 0x43ee75697d731f39f0e3c68fe6937715f2327563f6cb02fb0e9d454fbd634e6d, which unwrapped 4,424 WETH into 4,424 ETH, worth about $7.65 million at the transaction price.

Funds Split After WETH Unwrap

After the WETH conversion, the exploiter address sent large ETH chunks across multiple recipient wallets. One transfer moved 1,423 ETH to an address later labeled “JaredFromSubway Exploiter 6,” while three other transactions sent 1,000 ETH, 1,000 ETH, and 1,000 ETH to separate addresses in the same cluster.

The split makes recovery more complicated. A bounty offer can still work if the attacker controls the destination wallets, but fragmented funds give investigators more addresses to track and exchanges more routes to screen.

JaredFromSubway also appears to have moved quickly to reduce remaining approval exposure. A later transaction from jaredfromsubway.eth called the MEV Bot 2 contract and set a WETH approval to zero for 0xE93e8AA4e88359dACf33c491Cf5bD56eB6C110c1. That revocation transaction is 0x9f4dafa20387964cdfc8dc2b26e927f660f5fb79edde20dfff862c574da18e35.

Approval Trap Turned Bot Automation Against It

The incident was not a normal retail-wallet phishing case. The attacker appears to have targeted the bot’s automated execution logic by creating fake wrapper tokens and liquidity paths that looked profitable enough for the MEV system to interact with.

Once the bot granted approvals to attacker-controlled contracts, those permissions could be used to pull assets from the bot contract. The exploit path has been described as a dangling-approval trap because the approval remained available after the bait transaction, turning an expected trading route into a drain path.

That makes the case especially unusual. JaredFromSubway is best known for automated MEV activity on Ethereum, including sandwich trading and fast execution across decentralized exchanges. In this incident, the same speed and automation that make MEV profitable became the attack surface.

The 50% bounty leaves the case in a negotiation phase. The exploit txid anchors the main drain, the later revocation txid shows cleanup activity from jaredfromsubway.eth, and the next measurable update is whether any portion of the funds moves back from the labeled exploiter wallets.

The post JaredFromSubway Offers 50% Bounty After MEV Bot Drain appeared first on Crypto Adventure.