An Ethereum MEV operator known as Jaredfromsubway had $7.5 million in crypto stolen this week — and the attacker taunted him first. A wallet using the lookalike ENS name 'MetaMask.eth' (capital M and capital M) sent an on-chain message mocking Jared, making it look like the wallet provider itself was behind the theft. It wasn't. The impersonator had registered the capitalized version of MetaMask's official ENS handle, exploiting a display-layer weakness that hides the difference from most users.
The ENS Display-Layer Vulnerability
ENS names follow a normalization standard that converts uppercase to lowercase for display. That means 'MetaMask.eth' and 'metamask.eth' look identical on most platforms — wallets, explorers, dApps — even though they're different on-chain registrations. The real MetaMask controls 'metamask.eth'. The impersonator controlled 'MetaMask.eth', which resolves to a completely different address. Anyone checking the ENS name in a hurry would see the same string of letters. This isn't a new bug, but it's one that keeps tripping up DeFi users.
$5.1M Hits Tornado Cash
The attacker didn't sit on the haul. On-chain data shows $5.1 million of the stolen $7.5 million was moved to Tornado Cash in 20 separate transactions, each of 100 ETH. The remaining 1,422 ETH was swapped for $2.44 million in DAI. Moving funds through a mixer like Tornado Cash makes them harder to trace — a clear sign the attacker never intended to return the money.
White Hat Offer Rejected
Jaredfromsubway tried the standard DeFi resolution: a white hat deal. He offered the attacker a 50% bounty with a 48-hour deadline and threatened legal action if the funds weren't returned. The impersonator dismissed the threat outright, arguing a lawsuit wouldn't hold up in court. The deadline has come and gone. No funds were returned. The attacker instead kept moving money, and there's been no sign of negotiation since.
For Jaredfromsubway, the options are narrowing. The stolen crypto is largely laundered. The impersonator is anonymous, likely unreachable. And the legal threat — while real — would require identifying the person behind the wallet, a tall order when the trail leads straight to a mixer. The incident is a stark reminder that even careful DeFi operators can be caught by something as simple as a capital letter.
