Ethereum’s Most Notorious Sandwich Attacker Loses $7.5M: Here’s How

By Samuel

JaredfromSubway.eth lost $7.5M in a honeypot exploit. Chainalysis tracked the funds straight to Tornado Cash. Here’s what happened.

JaredfromSubway.eth built a reputation as Ethereum’s most prolific sandwich attacker. Since 2023, the bot raked in tens of millions front-running unsuspecting traders. 

On June 20–21, 2026, the tables turned. 

According to a report by Chainalysis, an unknown attacker deployed a carefully engineered trap, draining at least $7.5 million from the bot in a single coordinated strike. 

Here’s a detailed breakdown of the exploit and of where the stolen funds went.


How the Sandwich Bot Operated on Ethereum

Ethereum’s mempool is publicly visible. 

Anyone can see pending transactions before they confirm on-chain. JaredfromSubway.eth exploited this by spotting trades in the mempool and inserting itself around them.

The bot would front-run a user’s order first, pushing the price up. Then it would back-run the same trade, pocketing the difference. 

Chainalysis describes this as a classic arbitrage sandwich. The strategy is controversial but widely used across DeFi.

The bot monitored token pools constantly, hunting for price imbalances it could exploit. When it found one, it moved fast. Speed was the entire edge, and it worked for years without issue.

The Honeypot Exploit That Drained $7.5 Million

According to Chainalysis, the attacker deployed 66 fake token contracts designed to mimic legitimate assets. 

The bot identified these pools as trading opportunities and moved to execute its usual routine. Part of that routine involved granting token-spending approvals to the smart contracts it interacted with. Those approvals were never revoked.

The fake contracts had no real profit inside them. The token pairs were fabricated. The bot never caught on and kept granting approvals across multiple transactions. 

Once enough permissions had accumulated, a tripwire contract activated. It swept the bot’s real holdings in a single transaction, pulling out at least $7.5 million in ETH and stablecoins.

The attacker did not sit on the stablecoins for long. 

Leaving them in that form carried risk since issuers can freeze stablecoin balances. Within minutes, according to Chainalysis, the attacker converted everything into ETH to avoid any potential freeze.

Where the Stolen Funds Went After the Attack

Chainalysis used its Reactor tool to follow the stolen assets after the exploit. 

The attacker split the funds across multiple wallets over the following days. Those transfers eventually fed into Tornado Cash, a mixer that obscures the on-chain trail of funds. 

As of the Chainalysis report, no funds have been recovered.

The blockchain analytics firm pointed to two core vulnerabilities that the exploit exposed. First, unrevoked token approvals do not expire. 

Every approval a wallet grants to a smart contract stays active until the user manually cancels it. JaredfromSubway.eth had dozens of live approvals pointing at malicious contracts without ever realizing it.

Second, the bot never vetted the contracts it interacted with.

Chainalysis noted that a basic check on Etherscan or a review of the deployment history could have flagged the 66 fake contracts. The bot was built for speed, not verification, and that trade-off cost it $7.5 million.
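
As an added example (not from Chainalysis or the original article), here is one way to audit the unrevoked approvals described above: replay a wallet's ERC-20 `Approval` event logs and list the allowances still open to spenders that were never vetted. It assumes the approvals were standard ERC-20 approvals; every address, the sample logs, the `_log` helper and the vetted-spender list are constructed for illustration.

```python
# Added example: all addresses and logs below are constructed sample data.
# keccak256("Approval(address,address,uint256)"): the ERC-20 Approval event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def live_approvals(logs, owner):
    """Replay Approval logs in chain order; return non-zero {(token, spender): amount}."""
    state = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # ERC-721 reuses this signature but has 4 topics
        if topic_to_address(topics[1]) != owner.lower():
            continue  # approval granted by some other wallet
        key = (log["address"].lower(), topic_to_address(topics[2]))
        state[key] = int(log["data"], 16)  # a later approve() overwrites, 0 revokes
    return {k: v for k, v in state.items() if v > 0}

def flag_unvetted(approvals, vetted_spenders):
    """Live approvals whose spender is not on the operator's vetted list."""
    vetted = {s.lower() for s in vetted_spenders}
    return sorted((token, spender, "unlimited" if amt == UNLIMITED else str(amt))
                  for (token, spender), amt in approvals.items()
                  if spender not in vetted)

def _log(block, idx, token, owner, spender, value):
    """Constructed log entry (eth_getLogs fields, numbers already decoded to int)."""
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"blockNumber": block, "logIndex": idx, "address": token,
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)], "data": hex(value)}

BOT, OTHER = "0x" + "aa" * 20, "0x" + "bb" * 20
ROUTER, FAKE_1, FAKE_2 = "0x" + "11" * 20, "0x" + "d1" * 20, "0x" + "d2" * 20
TOKEN_A, TOKEN_B = "0x" + "a1" * 20, "0x" + "b1" * 20
SAMPLE_LOGS = [  # deliberately out of order to show the replay sorts first
    _log(103, 0, TOKEN_B, BOT, FAKE_2, 0),            # revocation
    _log(100, 0, TOKEN_A, BOT, ROUTER, UNLIMITED),    # vetted spender
    _log(101, 3, TOKEN_A, BOT, FAKE_1, UNLIMITED),    # never revoked
    _log(102, 1, TOKEN_B, BOT, FAKE_2, 5000),         # revoked at block 103
    _log(104, 2, TOKEN_B, OTHER, FAKE_1, UNLIMITED),  # different owner
]

if __name__ == "__main__":
    for row in flag_unvetted(live_approvals(SAMPLE_LOGS, BOT), [ROUTER]):
        print(row)
```

The replayed amount is an upper bound, because `transferFrom` can reduce an allowance without emitting `Approval`; the token's `allowance(owner, spender)` call gives the authoritative figure before revoking.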
