CoW Swap hit by DNS hijacking attack; estimated user losses reach millions of dollars, and the team warns users not to use the front-end webpage


Decentralized trading aggregator CoW Swap was targeted by a DNS hijacking attack yesterday (4/14), in which hackers altered DNS records to redirect users to a fake malicious webpage built to steal wallet authorizations.

Frontend interface suddenly compromised by DNS hijacking, Blockaid issues community alert first

Decentralized trading aggregator CoW Swap experienced a serious cybersecurity incident yesterday (4/14), with its official website frontend being hijacked through a DNS attack. According to blockchain security firm Blockaid’s monitoring report, the attack began around 14:54 UTC that day. The attacker manipulated DNS records to redirect users visiting the official site swap.cow.fi to a counterfeit malicious webpage.

The fake page closely resembles the real interface, with the main goal of tricking users into connecting their wallets and signing malicious authorization contracts to steal assets. Blockaid promptly issued an emergency community alert on social platform X, stating that cow.fi has been marked as a malicious site, strongly advising all users to immediately cease any interaction with the platform.

Image source: X/@blockaid_ Blockaid issues emergency community alert on social platform X, indicating cow.fi has been marked as a malicious website

In response to this sudden security breach, the CoW Swap team and its underlying decentralized autonomous organization (DAO) reacted quickly. The team acknowledged that the frontend interface poses a security risk and urged users not to use the platform until it officially confirms that it is safe. The attack directly targeted the frontend layer, but CoW Swap emphasizes that its underlying protocol, backend systems, and APIs remain unaffected. To protect remaining user assets and prevent further escalation, the team has taken the precautionary measure of temporarily suspending backend operations and API services.

Image source: X/@CoWSwap CoW DAO acknowledges frontend security risks and urges users to refrain from using the platform until official safety confirmation

Currently, the technical team is working tirelessly to regain control of the affected domain. Developers call on users to stay tuned to official channels and remain highly cautious of the webpage until a final safety confirmation is announced.

Initial estimates suggest millions in funds may have been lost, COW token drops in response

As the incident continues to unfold, details of the damage are gradually surfacing. Cybersecurity researcher Vladimir S. and multiple on-chain analysis sources indicate that within hours after the attack, several addresses had their funds drained. The total estimated loss is between $500k and $1 million. Among known victims, one trader’s wallet was hit hardest, with up to 219 ETH seized and transferred by the hackers.

The CoW Swap team states that only a small number of users signed malicious authorizations, and some cases involved relatively small amounts. However, many users on the official Discord channel are lamenting their losses, with some claiming to have lost over $50k in savings, expressing despair over their assets being wiped out overnight.

The incident has also hit CoW Protocol’s native token, $COW, which faced selling pressure. Market data shows that following the news, COW’s price dropped over 3% in a short period, from about 0.2229 to around 0.2159. The volatile market sentiment reflects investor concerns over the protocol’s frontend security defenses.

Although CoW Swap is renowned in DeFi for its robust transaction routing and defenses against maximum extractable value (MEV) attacks, this domain security lapse has temporarily damaged its brand trust. Investors are closely watching the official response and progress in restoring domain control. The incident also prompts the community to reconsider the security boundaries of highly Web2-dependent entry points in a decentralized world.

Phishing tactics proliferate, losses to hacks near $500 million in Q1

The CoW Swap incident highlights the broader security challenges faced by the Web3 industry. According to the latest report from blockchain security firm Hacken, in Q1 2026 alone, losses from hacks and scams across Web3 projects reached $482 million. Of 44 documented security incidents, most stemmed from phishing and social engineering attacks.

DNS hijacking is a favored attack method among hackers because it is so hard to spot. Users see the correct official website URL in their browser address bar, which makes them more likely to trust the page and sign transactions. This type of attack targets user behavior rather than code-level vulnerabilities: hackers exploit that misplaced trust, redirecting traffic to malicious servers.
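Because the address bar looks normal during a hijack, the change is easier to catch on the operator side by comparing what resolvers return against a pinned baseline. The sketch below is an added example, not CoW Swap's or Blockaid's tooling; the baseline, hostnames, IP ranges and timestamps are constructed placeholders (reserved `.example` names and documentation address ranges).

```python
from ipaddress import ip_address, ip_network

# Pinned baseline for the front-end hostname (constructed values: reserved
# .example names and the TEST-NET-1 documentation range).
BASELINE = {
    "ns": {"ns1.dns-host.example.", "ns2.dns-host.example."},
    "cname_suffix": ".cdn-host.example.",
    "a_nets": [ip_network("192.0.2.0/24")],
}

# Constructed resolver snapshots, one per polling interval (not incident data).
SNAPSHOTS = [
    {"ts": "2026-01-01T10:00Z", "ns": ["ns2.dns-host.example.", "ns1.dns-host.example."],
     "cname": "app.cdn-host.example.", "a": ["192.0.2.10", "192.0.2.11"]},
    {"ts": "2026-01-01T10:05Z", "ns": ["NS1.dns-host.example.", "ns2.dns-host.example."],
     "cname": "app.cdn-host.example.", "a": ["192.0.2.44"]},
    {"ts": "2026-01-01T10:10Z", "ns": ["ns1.other-dns.example.", "ns2.other-dns.example."],
     "cname": None, "a": ["203.0.113.7"]},
]


def check(snapshot, baseline=BASELINE):
    """Return (severity, message) findings for one snapshot; empty means no drift."""
    findings = []
    seen_ns = {n.lower() for n in snapshot["ns"]}  # DNS names are case-insensitive
    if seen_ns != baseline["ns"]:
        # A changed delegation means another party now answers for the whole zone.
        findings.append(("critical", f"NS set changed: {sorted(seen_ns ^ baseline['ns'])}"))
    cname = snapshot["cname"]
    if cname is None or not cname.lower().endswith(baseline["cname_suffix"]):
        findings.append(("high", f"CNAME not under pinned host: {cname}"))
    stray = [a for a in snapshot["a"]
             if not any(ip_address(a) in net for net in baseline["a_nets"])]
    if stray:
        findings.append(("high", f"A records outside pinned ranges: {stray}"))
    return findings


def first_drift(snapshots):
    """Timestamp of the earliest snapshot with findings, or None if all match."""
    for snap in snapshots:
        if check(snap):
            return snap["ts"]
    return None


if __name__ == "__main__":
    for snap in SNAPSHOTS:
        print(snap["ts"], check(snap) or "ok")
```

In practice the snapshots would come from several independent resolvers, since a hijack at the registrar or DNS provider may propagate unevenly.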

Looking back over recent years, several well-known DeFi protocols have suffered DNS attacks. Balancer was targeted in 2023, and Curve Finance has been repeatedly hit by DNS hijacking.

Security experts emphasize that users should develop the habit of regularly reviewing and revoking permissions for their crypto wallets.

For the CoW Swap incident, the team and third-party security firms strongly recommend that any users who interacted with the platform after the attack began immediately revoke permissions using tools like Revoke.cash. Revoking permissions only prevents future asset transfers; it cannot recover funds already lost. For crypto users, accessing websites via bookmarks and keeping software updated are essential risk mitigation measures. Community members should remind each other not to sign any wallet confirmation request that has not been verified as safe.

Even prominent protocols are not immune to security tests; the official team has temporarily suspended backend operations

Since its inception, CoW Swap has been a star project in DeFi. Ethereum founder Vitalik Buterin is a dedicated user, having processed large transactions on the platform multiple times. He once exchanged 3,100 ETH, worth $6.1 million, for stablecoins and used it for various niche token trades. The protocol’s batch auction mechanism and competitive solver network provide users with optimal execution prices and defend against MEV bot front-running.

However, this frontend attack again proves that no matter how secure the core protocol logic is, domain management remains a weak link in infrastructure. Such attacks directly target user devices and transaction behaviors, and code-level security cannot fully prevent external hijacking.

The CoW Swap team is now focused on remediation. It has promised to release a comprehensive incident report and a damage compensation plan later. This incident has also sparked in-depth discussions about the responsibility of DeFi platforms in security defense. While pursuing decentralization and efficiency, strengthening Web2-level defenses has become an urgent priority for all DAOs.

Developers should consider adopting more secure new technologies, such as multi-signature domain management or decentralized domain services. Until an official security confirmation is issued, users should avoid the compromised webpage and seek alternative trading tools. Maintaining asset security depends primarily on constant vigilance against any anomalies. For the entire industry, this is a profound lesson on security boundaries and a sign that future cybersecurity defenses will evolve toward comprehensive multi-layered protection.
