CoW Swap temporarily suspended its protocol on April 14, 2026 after attackers compromised the DNS settings for swap.cow.fi, redirecting visitors to a malicious phishing site. The hijacking began at approximately 14:54 UTC, with on-chain security firm Blockaid issuing the first public warning, flagging cow.fi as malicious and urging users who had connected a wallet to revoke approvals and avoid any interactions with the dApp immediately.
CoW DAO confirmed the attack in a follow-up post at roughly 16:24 UTC, identifying the incident as a DNS hijacking. The team said the underlying CoW Protocol smart contracts were unaffected, but paused the backend and APIs as a precaution while working to resolve the domain. Users who interacted with the frontend after 14:54 UTC were advised to revoke any token approvals using revoke.cash.
This story is an excerpt from the Unchained Daily newsletter.
Subscribe here to get these updates in your email for free
Aave acknowledged the situation and confirmed it had temporarily disabled CoW Swap endpoints for its integrators as a precaution. The incident is part of a broader pattern of frontend and DNS attacks targeting DeFi protocols. In recent months, Blockaid has flagged similar attacks on tokenization platform OpenEden, lending protocol Curvance, and asset manager Maple Finance.
DNS hijacking typically exploits registrar-level weaknesses, such as compromised credentials or social engineering, rather than any flaw in smart contract code. As of publication, CoW DAO had not confirmed full restoration or released a post-mortem. No confirmed user fund losses had been publicly reported.
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
Related Articles
Zondacrypto Exchange Faces Allegations of Misappropriating $350 Million, CEO Publicly Denies
One of Poland’s largest cryptocurrency exchanges, Zondacrypto, announced on April 16 via social media that its CEO, Przemysław Kral, said the exchange could not access a wallet holding 4,503 bitcoins, worth more than $350 million in current value. Kral published the address of the wallet in question to rebut allegations of misappropriation, but this disclosure immediately triggered a large-scale withdrawal.
MarketWhisper1h ago
Bitwarden CLI malicious npm package exposed, encrypted wallets face risk of theft
Misty Fog Chief Information Security Officer 23pds forwards a warning from the Bitwarden security team. The Bitwarden CLI 2026.4.0 version had an npm version that had been tampered with—where a malicious package was distributed through npm—within a 1.5-hour window from 5:57 PM to 7:30 PM Eastern Time on April 22, and that version has been withdrawn. Bitwarden has officially confirmed that password vault data and production systems were not affected.
MarketWhisper1h ago
JPMorgan Chase: KelpDAO bug wipes out $20 billion in DeFi TVL, institutional appeal damaged
A J.P. Morgan research team led by analyst Nikolaos Panigirtzoglou released a report on April 23 stating that persistent security vulnerabilities and stagnant total locked value (TVL) are weakening DeFi’s appeal to institutional investors. The report emphasized that the KelpDAO vulnerability wiped out roughly $20 billion worth of DeFi TVL within days, exposing structural risks.
MarketWhisper1h ago
Slow Mist Alert: North Korean hacker group recruits and tricks Web3 developers, stealing 12 million in 3 months
SlowMist, a security organization, has issued an emergency alert. North Korea’s Lazarus organization’s subsidiary, HexagonalRodent, is launching attacks against Web3 developers, using social engineering tactics such as high-paying remote positions to lure developers into executing skill assessment code that includes malicious software backdoors, ultimately stealing crypto assets. According to an Expel investigation report, in the first three months of 2026, the loss amount reached $12 million.
MarketWhisper1h ago
CoW DAO proposes compensation for victims of the cow.fi domain hijacking, with up to 100% reimbursement of losses
CoW DAO on April 23 published a compensation proposal (CIP) in the governance forum, proposing the establishment of a discretionary grant program to provide eligible victims of the April 14 cow.fi domain hijacking incident with up to 100% loss reimbursement. The incident is estimated to have caused user losses of about US$1.2 million in USDC. CoW DAO emphasized that the compensation is of a voluntary, special-discretionary nature and does not represent an admission of any legal liability.
MarketWhisper2h ago
CryptoQuant: KelpDAO Exploit Triggers the Most Severe Crisis Since 2024, Aave TVL Plunges 33%
According to CryptoQuant’s assessment on April 23, the KelpDAO exploit attack that occurred last week created potential bad debt risk for Aave of $124 million to $230 million within 72 hours, with TVL crashing 33%. USDT and USDC borrowing rates jumped from 3.4% to 14%, and ETH borrowing rates rose to the highest level since January 2024 at 8%.
MarketWhisper2h ago
