CoW Swap, a popular DeFi DEX aggregator on CoW Protocol, experienced a frontend compromise via DNS hijacking. Blockchain security firm Blockaid first flagged the main domain as malicious around 14:54 UTC, detecting suspicious activity consistent with a frontend attack.
The CoW DAO quickly confirmed the issue, paused the protocol’s backend and APIs as a precaution, and urged users to avoid the site entirely while they investigated. Attackers hijacked the DNS records, redirecting traffic from the legitimate CoW Swap frontend to a malicious page that mimicked the real interface.
This is a classic frontend and DNS hijack, not a smart contract exploit. The on-chain CoW Protocol contracts and settlement logic remained secure and uncompromised. The fake frontend could trick users into signing malicious transactions that drain wallets, even though the underlying protocol was fine. Such attacks exploit trust in the familiar UI.
Reports indicate some funds were stolen shortly after the hijack. Early reports put the estimate around $1M, including one case of 219 ETH from a single wallet, though exact totals vary and the incident is still unfolding. The primary domain was locked and remained inaccessible into day two.
CoW Swap deployed a temporary safe UI instance at an alternative URL. Use only official channels to verify any new links, as scammers are likely impersonating them. The team is working with security experts to regain control. They do not expect the original domain to return quickly. Do not visit cow.fi, swap.cow.fi, or any CoW Swap links unless confirmed safe via official updates.
Revoke any token approvals granted to CoW Swap contracts, especially after ~14:54 UTC on April 14, using tools like revoke.cash or built-in wallet approval managers. If you connected your wallet or signed anything during the incident window, consider moving remaining funds to a fresh wallet as an extra precaution. Treat any unexpected transaction prompts as suspicious.
This highlights a growing trend in 2026: frontend and infrastructure attacks (DNS, domain, UI compromises) are becoming more common than pure smart contract bugs, as protocols harden on-chain code but web-facing layers remain vulnerable.
CoW Swap is one of the leading DEX aggregators using solver competition for better execution and user protection via CoW Protocol, so the pause affects trading volume temporarily, but the core protocol itself was not drained or exploited at the contract level.
Other platforms like Aave confirmed no direct impact on their liquidity. Stay safe: Always verify URLs, use hardware wallets where possible, limit approvals, and monitor official CoW Swap communications for recovery updates. If you’re a user who interacted recently, prioritize revoking approvals right away.
Anyone who visited swap.cow.fi after ~14:54 UTC on April 14 and signed transactions, especially approvals and permits, may have had funds drained via malicious prompts. Early estimates suggested losses around $500k–$1M, including isolated cases like 219 ETH from one wallet, though exact totals remain unconfirmed and the losses were not systemic.
Revoke all CoW Swap-related token approvals granted in that window using tools like revoke.cash. Consider moving remaining assets to a new wallet if you interacted. No on-chain compromise: Smart contracts, settlement logic, and core infrastructure stayed secure. The attack was limited to the web frontend.
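The revocation advice above can be triaged from a wallet's own event history. The following is an added example, not code from CoW Swap or from this article: it replays ERC-20 `Approval` logs for one wallet and lists allowances that were last set at or after the incident start and are still non-zero. It assumes the logs were already fetched with block timestamps attached, that the incident year is 2026, and every address in the sample data is a constructed placeholder.

```python
from datetime import datetime, timezone

# keccak256("Approval(address,address,uint256)"): the standard ERC-20 event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
# Incident start per the article (~14:54 UTC, April 14); the year is an assumption.
WINDOW_START = int(datetime(2026, 4, 14, 14, 54, tzinfo=timezone.utc).timestamp())

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def outstanding_approvals(logs, owner, window_start=WINDOW_START):
    """Approvals by `owner` last set at or after window_start and still non-zero."""
    latest = {}  # (token, spender) -> (timestamp, allowance)
    for log in sorted(logs, key=lambda l: (l["timestamp"], l.get("logIndex", 0))):
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # not an ERC-20 Approval (ERC-721 Approval has 4 topics)
        if topic_to_address(topics[1]) != owner.lower():
            continue
        value = int(log["data"], 16) if log["data"] not in ("", "0x") else 0
        key = (log["address"].lower(), topic_to_address(topics[2]))
        latest[key] = (log["timestamp"], value)  # later logs overwrite earlier ones
    return sorted((tok, sp, val) for (tok, sp), (ts, val) in latest.items()
                  if val > 0 and ts >= window_start)

# --- Constructed sample data: every address below is a made-up placeholder ---
OWNER, TOKEN = "0x" + "aa" * 20, "0x" + "70" * 20
OLD_SPENDER, NEW_SPENDER, REVOKED = ("0x" + b * 20 for b in ("01", "02", "03"))
MAX_UINT = 2**256 - 1

def make_log(spender, value, ts):
    pad = lambda addr: "0x" + "0" * 24 + addr[2:]
    return {"address": TOKEN, "topics": [APPROVAL_TOPIC, pad(OWNER), pad(spender)],
            "data": hex(value), "timestamp": ts}

SAMPLE_LOGS = [
    make_log(OLD_SPENDER, 10**18, WINDOW_START - 86400),  # granted before the hijack
    make_log(NEW_SPENDER, MAX_UINT, WINDOW_START + 600),  # unlimited, still live
    make_log(REVOKED, MAX_UINT, WINDOW_START + 700),      # granted in window...
    make_log(REVOKED, 0, WINDOW_START + 900),             # ...then revoked
]

if __name__ == "__main__":
    for token, spender, allowance in outstanding_approvals(SAMPLE_LOGS, OWNER):
        print(f"revoke: token={token} spender={spender} allowance={allowance}")
```

A permit signed off-chain leaves no `Approval` log until someone submits it on-chain, so an empty result does not clear a wallet that signed prompts during the window.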



