CoW Swap Confirms Domain Hijack; Losses Estimated at $1.2M

BlockBeats reports that CoW Swap has published a post-incident review of a domain hijacking affecting cow.fi. The team said the .fi domain was hit by a supply-chain attack on April 14, 2026, when attackers used social engineering to compromise the .fi domain registration process and take over DNS resolution. As a result, users who visited swap.cow.fi were redirected to a phishing site. During the hijack window, the attackers served a spoofed transaction interface designed to prompt users to connect wallets and sign malicious transactions. CoW Protocol said its onchain contracts, backend systems, and overall user fund security were not breached, and core providers and infrastructure including AWS and Vercel were not compromised. According to the review, the intrusion occurred during the domain registration and transfer workflow. The attacker gained control by submitting forged identification documents and exploiting weaknesses in the registrar's process, briefly changing the domain's routing. CoW said it detected the abnormal activity and began emergency response within 19 minutes, moved operations to cow.finance, and recovered the original domain in about 26 hours. The team said the impacted users were primarily those who accessed the official site during the hijacking period, with preliminary losses estimated at roughly $1.2 million. The cow.fi domain has since been restored and additional protections, including RegistryLock, have been implemented. CoW added that it has launched an external security audit, is pursuing legal action, and is working on a potential user compensation plan. The team said the issue has been remediated and it plans to further strengthen domain infrastructure security through governance measures and industry collaboration.