CoW Swap Halts Trading After DNS Hijack Redirects Users to a Fake Front End

A domain name hijack on CoW Swap's website redirected users to a malicious interface that drained wallets through fake approval prompts, in the latest front-end attack to hit a major DeFi protocol.

By James Gray · 3 min read
CoW Swap, one of the most widely used decentralised exchange aggregators on Ethereum, shut down its front end on Monday after attackers hijacked the protocol's domain name and redirected users to a counterfeit interface designed to drain wallets through malicious token approval prompts.

The attack began at 14:54 UTC on April 14, when the DNS records for cow.fi and its trading subdomain swap.cow.fi were altered to point at an attacker-controlled server. Users who visited the site after that timestamp were presented with what appeared to be the normal CoW Swap interface — same layout, same branding — but with approval requests that, once signed, granted the attacker permission to transfer tokens out of the connected wallet. Web3 security firm Blockaid flagged the domain as malicious shortly after the hijack took effect, triggering warnings in wallets that integrate Blockaid's threat detection layer.

CoW DAO's response was blunt: "We are currently experiencing an issue with the CoW Swap frontend — please DO NOT use CoW Swap." The team emphasised that the protocol's smart contracts, backend systems, and APIs were never compromised; the attack was confined entirely to the DNS layer, which redirected web traffic without touching the on-chain infrastructure. CoW Swap paused its backend and APIs as a precaution while the team worked to regain control of the domain.

The distinction between front-end and protocol-level compromise matters, but it offers cold comfort to anyone who approved a transaction on the fake site. DNS hijacks exploit the weakest link in DeFi's security model — the web interface that most users treat as the protocol itself. The smart contracts can be audited, formally verified, and battle-tested for years, and none of that protects a user who signs a malicious approval because the website they trusted served them a different transaction than the one they expected.

This is not a new attack vector. Curve Finance suffered a nearly identical DNS hijack in 2022, when attackers compromised the protocol's nameserver and redirected curve.fi to a cloned interface that stole roughly $575,000. Badger DAO lost $120 million in 2021 through a front-end compromise that injected malicious approval requests into the genuine interface for weeks before anyone noticed. The pattern is consistent: attackers go around the smart contracts rather than through them, targeting the infrastructure that connects human beings to on-chain code.

Martin Köppelmann, co-founder of Gnosis — the organisation from which CoW Protocol originally spun out — wrote that the attack's impact appeared limited. Users who interacted with CoW Swap before the hijack are not affected; the risk sits entirely with those who approved transactions after 14:54 UTC on Monday. CoW Swap advised affected users to revoke any approvals made during that window using tools such as revoke.cash, which can scan a wallet's outstanding token approvals and cancel them individually.
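What revoking the window's approvals looks like in code: an added example (not CoW Swap's or revoke.cash's code) that takes a wallet's ERC-20 Approval events, keeps only the allowances granted at or after the 14:54 UTC cutoff that are still non-zero, and builds the approve(spender, 0) calldata that cancels each one. The addresses, event data and the calendar year are constructed for the demo.

```javascript
// Added example, not code from CoW Swap or revoke.cash: triage a wallet's ERC-20
// Approval events and build approve(spender, 0) calldata for every allowance that
// is still in force and was granted at or after the hijack timestamp (data constructed).
const HIJACK_START = Date.parse("2025-04-14T14:54:00Z") / 1000; // 14:54 UTC, year assumed
const APPROVE_SELECTOR = "095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")

// ABI-encode an address (hex string) or an unsigned integer as a 32-byte word.
function word32(value) {
  const hex = typeof value === "string" ? value.replace(/^0x/, "") : BigInt(value).toString(16);
  return hex.toLowerCase().padStart(64, "0");
}

// Calldata for ERC-20 approve(spender, amount); amount 0 revokes the allowance.
function approveCalldata(spender, amount) {
  return "0x" + APPROVE_SELECTOR + word32(spender) + word32(amount);
}

// Each Approval(owner, spender, value) event replaces the allowance for that
// (token, spender) pair, so only the most recent event per pair is current.
function latestAllowances(events) {
  const latest = new Map();
  const ordered = [...events].sort((a, b) => a.block - b.block || a.logIndex - b.logIndex);
  for (const ev of ordered) latest.set(`${ev.token}:${ev.spender}`, ev);
  return [...latest.values()];
}

// Allowances granted in the hijack window and still non-zero, each paired with
// the revoke transaction (sent to the token contract) the wallet owner should issue.
function approvalsToRevoke(events, cutoff = HIJACK_START) {
  return latestAllowances(events)
    .filter((ev) => ev.timestamp >= cutoff && BigInt(ev.value) > 0n)
    .map((ev) => ({ token: ev.token, spender: ev.spender, value: ev.value,
                    to: ev.token, data: approveCalldata(ev.spender, 0) }));
}

// Constructed sample data: one pre-hijack approval (keep), one post-hijack approval
// to an unknown spender (revoke), and one post-hijack approval already reset to 0.
const addr = (tag) => "0x" + tag.padStart(40, "0");
const MAX_UINT256 = "0x" + "f".repeat(64);
const SAMPLE_EVENTS = [
  { token: addr("a1"), spender: addr("b1"), value: "1000000000000000000000",
    timestamp: HIJACK_START - 3600, block: 100, logIndex: 0 },
  { token: addr("a2"), spender: addr("bad"), value: MAX_UINT256,
    timestamp: HIJACK_START + 600, block: 105, logIndex: 3 },
  { token: addr("a3"), spender: addr("bad"), value: MAX_UINT256,
    timestamp: HIJACK_START + 700, block: 106, logIndex: 1 },
  { token: addr("a3"), spender: addr("bad"), value: "0",
    timestamp: HIJACK_START + 900, block: 108, logIndex: 0 },
];
console.log(approvalsToRevoke(SAMPLE_EVENTS));
```

The timestamp filter is only a triage aid: every spender granted during the window should still be reviewed, since a counterfeit front end can point the approval at any contract it likes.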

An international law enforcement operation earlier this month identified 20,000 victims of approval-based phishing across 30 countries — a reminder that malicious approvals are now the dominant method for stealing crypto from individual wallets, having largely replaced the private-key theft and SIM-swap attacks that characterised earlier eras of crypto crime. DNS hijacks are the industrial-scale version of the same technique: instead of phishing one user at a time, the attacker compromises a trusted domain and lets the victims come to them.

The SEC's recent guidance exempting certain DeFi front-ends from broker registration came with 12 conditions — none of which addressed DNS security, domain registrar hardening, or the integrity of the web infrastructure through which users actually access decentralised protocols. Until regulators and protocol teams treat the front end as a first-class security surface rather than an afterthought, incidents like Monday's hijack will keep happening. The contracts are fine. The websites are not.
