CoW Swap Says Domain Hijack Led to $1.2M in User Losses

CoW Swap said its April 14, 2026 incident stemmed from a supply-chain compromise of its cow.fi domain, which allowed attackers to seize control of DNS settings and reroute traffic from swap.cow.fi to a phishing site for several hours. According to the project's post-incident report, the attackers abused weaknesses in the .fi domain registration and transfer process using social engineering and forged identification documents. They briefly modified DNS records and served a counterfeit transaction interface designed to lure visitors into connecting wallets and signing malicious transactions.

CoW Swap said the breach did not impact CoW Protocol's on-chain smart contracts, backend systems, or the security of user funds held by the protocol. It added that core infrastructure providers including AWS and Vercel were not compromised.

The team said it detected abnormal activity and launched its incident response within 19 minutes, migrated operations to cow.finance, and recovered the original domain in about 26 hours. Users affected were mainly those who visited the official site during the hijacking window, with preliminary losses estimated at roughly $1.2 million.

CoW Swap said cow.fi has been restored with additional protections, including RegistryLock. The project has commissioned third-party security audits, is pursuing legal action, and is working on potential compensation options for impacted users. It also said the underlying registration vulnerability has been addressed and that it plans to strengthen domain security through governance measures and industry collaboration.