CoW Swap Releases Post-Mortem Report on Attack: Domain Hijacked for Several Hours, Approximately $1.2 Million Loss

BlockBeats News, April 17th. According to official sources, the CoW Swap attack incident retrospective report stated that its domain cow.fi experienced a supply chain attack on April 14, 2026. The attacker infiltrated the .fi domain registration process through social engineering and hijacked the DNS resolution, redirecting users to a phishing website when attempting to access the exchange website for several hours. During the breach, the attacker deployed a counterfeit transaction interface and attempted to persuade users to connect their wallets and sign malicious transactions.

The report indicated that this incident did not impact the CoW Protocol's on-chain contracts, backend systems, or user fund security. Core infrastructure such as AWS/Vercel services remained uncompromised. The attack occurred during the domain registration and transfer process, where the attacker gained control through forged identity documents and registration process vulnerabilities, temporarily altering the domain's redirection. The team detected the anomaly within 19 minutes, initiated emergency response, swiftly migrated to another domain, and completed domain recovery in approximately 26 hours.

The CoW team mentioned that the affected users were primarily those who visited the official website during the domain hijack period, with an initial estimated loss of about $1.2 million. cow.fi has now been reactivated with additional security measures like RegistryLock. The team has initiated external security audits, legal actions, and potential user compensation plans. The officials emphasized that the vulnerability has been patched and outlined plans to enhance domain infrastructure security through governance and industry collaboration.