Tracking Ethereum blockchain attackers: Measuring sandwich attacks
When blockchain users want to execute a transaction, they need a miner to include it into the blockchain. In order to do so, the most common approach is to send the transaction to the mempool, which is a public and temporary list of transactions waiting to be mined. Miners have an incentive to include new transactions into the blockchain (i.e. mine transactions) because they earn profit by charging fees during the process. Thus, they have an incentive to monitor this mempool and process as many transactions as they can.
Short answer: the most profitable ones. Each user can define how much of a fee he is willing to pay to miners. The higher the fee, the quicker your transaction will be picked and processed by a miner.
Attackers are constantly monitoring transactions sent to the mempool. They anticipate the inclusion of these transactions into the blockchain, and react in advance, earning profit if certain conditions are met. This is what it is called frontrunning attack.
A front running attack takes advantage of users who submit a transaction but are still waiting for it to be included into the blockchain. An attacker will simulate the result of those transactions in advance, before they are executed, and exploit this information by executing himself a crafted transaction first that will provide him profit.
