An attacker drained the well-known Ethereum trading bot JaredFromSubway by patiently baiting it into a trap rather than exploiting a software bug. Over several weeks, the attacker deployed 66 fake token contracts and sham liquidity pools mimicking WETH, USDC, and USDT, structured so the bot's automated logic treated them as profitable opportunities and granted token-spending approvals to attacker-controlled contracts. Later trades left those approvals active, and a single transaction then swept the bot's real funds. Security firms estimate the loss near $7.5 million, while the operator claims around $15 million. It is a reminder that standing token approvals in automated systems are dangerous even when the underlying contracts are sound.
On-chain investigator ZachXBT flagged a coordinated exploit against THORChain's cross-chain liquidity pools on May 15, 2026, with PeckShield confirming losses of approximately $10.8 million across four blockchains - around 36.85 BTC plus $7 million in assets from Ethereum, BNB Chain, and Base. The attacker funneled funds into two main addresses (BTC bc1ql4u94klk265lnfur2ujk9p6uh52f2a8jhf6f37 and ETH 0xd477b69551f49C0519F9B18c55030676138890Bd). THORChain responded with a global emergency halt of trading and signing - a controversial move given the protocol's permissionless positioning. No official post-mortem has been released. The RUNE token dropped 12-14% on the news; the same protocol was previously used by North Korean operators to launder $175 million.