CoW Swap Hit by DNS Attack, Users Urged to Stay Away Amid Ongoing Exploit
Cow DAO paused all protocol services after attackers hijacked the DNS records for swap.cow.fi at 14:54 UTC on April 14, redirecting users to a wallet-draining frontend.
At least US$1 million (AU$1.45 million) in funds was stolen within three hours, including 219 ETH intercepted from a single trader’s wallet.
Smart contracts and on-chain infrastructure were not compromised, but the protocol remained offline as Cow DAO investigated and urged users to revoke approvals via revoke.cash.

CoW Swap paused its protocol on April 14 after attackers hijacked the DNS records of its frontend, redirecting users to a malicious site that drained at least US$1 million (AU$1.45 million) in crypto assets.

The exploit was detected at 14:54 UTC, with Cow DAO issuing a public warning at 15:41 UTC and confirming the DNS compromise at 16:24 UTC. The team halted the protocol shortly after, although backend systems and smart contracts were not directly affected.

UPDATE: CoW Swap experienced a DNS hijacking at 14:54 UTC (approximately 90 minutes ago).

The CoW Protocol backend and APIs were not impacted, but we have paused them temporarily as a precaution.

We are now actively working to resolve the situation. Please continue to…

— CoW DAO (@CoWSwap) April 14, 2026

The attack targeted the domain swap.cow.fi at the registrar level, redirecting traffic to a cloned interface designed to trick users into connecting wallets and approving transactions. CoW Swap operates as a non-custodial protocol, meaning funds remained in user wallets and no contract-level breach occurred.

On-chain data shows at least US$1 million (AU$1.45 million) was extracted within three hours. One flagged address alone received 219 ETH from a single wallet. The total impact remains uncertain, however.

Read more: Quantum Threat to Crypto? XRP Ledger Shows Surprising Resilience

Losses and User Response

Cow DAO instructed affected users at 16:33 UTC to revoke all token approvals using revoke.cash. 

Security firm Blockaid flagged the malicious domains, including swap.cow.fi and cow.fi, during the incident. The team continued monitoring activity until around 18:15 UTC and requested transaction hashes from potentially impacted users.

Similar exploits have affected platforms such as Curve Finance and Balancer.

CoW Swap, part of the Gnosis ecosystem, processes trades using batch auctions and “Coincidence of Wants” matching, a system that pairs users directly to reduce reliance on external liquidity and limit MEV (maximum extractable value). 

The protocol remained offline at the time of reporting, with no confirmed timeline for restoration or post-incident analysis released.

Read more: Aave DAO Approves $25M Grant Despite Internal Pushback

The post CoW Swap Hit by DNS Attack, Users Urged to Stay Away Amid Ongoing Exploit appeared first on Crypto News Australia.

Leave a Reply

Your email address will not be published. Required fields are marked *

Filed under: Bitcoin - @ April 15, 2026 4:20 am