USDCoW Swap DNS Hijack Prompts Frontend Shutdown Warning
Protocol pauses systems as users told to avoid compromised website
TL;DR
- CoW Swap said on April 14, 2026 its frontend was hit by a DNS hijacking and warned users not to use it.
- CoW Swap said smart contracts were not compromised, while backend systems and APIs were paused as a precaution.
- Decrypt reported about $500,000 drained, while CoW team member MooKeeper described impacts as limited.
We’ve launched the all-new COIN360 Perp DEX, built for traders who move fast!
Trade 130+ assets with up to 100× leverage, enjoy instant order placement and low-slippage swaps, and earn USDC passive yield while climbing the leaderboard. Your trades deserve more than speed — they deserve mastery.
CoW Swap said on April 14, 2026 that its swap.cow.fi frontend had been hit by a DNS hijacking attack and urged users not to access the site while the issue was under investigation. The latest confirmed status said the exploit was still ongoing at the time, while CoW Swap said its smart contracts were not compromised and backend systems and APIs were paused as a precaution.
The incident first emerged as a frontend security alert after Blockaid said its dApp scanning engine detected suspicious behavior and flagged the site as malicious. Blockaid said, “Blockaid's system has identified a front-end attack on @CoWSwap,” and added, “The site cow[.]fi has been flagged as malicious.” CoW Swap issued a parallel warning, stating, “We are currently experiencing an issue with the CoW Swap frontend (https://swap.cow.fi). While we are investigating, please DO NOT use CoW Swap.”
DNS hijack identified as attack vector
CoW Swap later described the issue as a “DNS [Domain Name System] hijacking,” indicating the attack targeted the domain used to access the service rather than its underlying protocol. The method allowed a malicious interface to present transactions that appeared legitimate, potentially tricking users into approving harmful wallet interactions. In its updated guidance, CoW Swap said, “Please continue to refrain from using swap dot cow dot fi until we confirm that it is safe to use.”
User instructions became more specific as the situation developed. CoW Swap told users to revoke all approvals made on the platform after 14:54 UTC on April 14, 2026. Blockaid separately advised anyone with a connected wallet to revoke approvals immediately and avoid any interaction with the application during the incident.
Cybersecurity researcher Vladimir S. said about $500,000 in digital assets had been “drained from a few addresses so far.” CoW team member MooKeeper provided a narrower assessment, saying the team had evidence that “a small number of users signed malicious approvals for very small amounts.”
A Discord user cited in the coverage described a direct loss tied to the exploit, saying more than $50,000 had been taken. The user wrote, “I don't know what to do anymore… I have no money at all.”
Systems paused while investigation continues
CoW Swap said its smart contracts were not reported as compromised, distinguishing the incident from protocol-level failures. The latest confirmed status also said backend systems and APIs were not directly impacted, though both were paused temporarily as a precaution while the investigation continued.
The incident is said to be part of a broader pattern of frontend and DNS-based attacks across decentralized finance platforms, where attackers target user-facing infrastructure instead of smart contracts. Balancer and Curve Finance were cited as examples of previous domain-related attacks.
The coverage also noted CoW Swap’s visibility within Ethereum usage. Vitalik Buterin was identified as a user of the protocol, and Decrypt said on-chain analytics showed he had interacted with it as recently as a week before the compromise became public.
The market reaction was limited but measurable. The COW token was reported at about $0.22 with a market capitalization of nearly $120 million, falling more than 3% to $0.2159 from $0.2229 after news of the hijacking spread.
FAQ
What happened to CoW Swap?
CoW Swap said swap.cow.fi was hit by a DNS hijacking attack.
Were CoW Swap smart contracts compromised?
CoW Swap said the smart contracts were not reported as compromised.
What did users need to do?
Users were told not to use the site and to revoke recent approvals.
Was money reported lost?
$500,000 estimate, and one user said they lost more than $50,000.
This article has been refined and enhanced by ChatGPT.
