CoW Swap DNS hijack drains $1M, users told to revoke access

CoW Swap reported a DNS hijack on April 14, 2026, at 14:54 UTC that redirected traffic intended for swap.cow.fi to a malicious frontend. The protocol paused its routing app and told users to stop trading and revoke any wallet permissions granted through the site.

The incident lasted roughly 90 minutes, according to the project team. CoW DAO posted that the backend and APIs were not impacted but were paused “temporarily as a precaution,” and added, “We are now actively working to resolve the situation.”

Within about three hours of the attack being detected, attackers drained roughly $1 million from wallets that connected to the compromised frontend. One flagged address intercepted 219 ETH from a single trader’s wallet. CoW Swap said the total loss may rise as more affected wallets are identified.

A DNS hijack redirects a legitimate domain to a server controlled by attackers. In this case, users who loaded swap.cow.fi could have seen a page that requested wallet approvals, asked for copy-pasted seed phrases, or prompted transaction signatures that moved funds. Because the domain appeared correct in browsers, users might not have recognized the frontend as fraudulent even though CoW Swap’s smart contracts and APIs were not directly breached.

The protocol advised users to revoke any approvals granted via the compromised site and to disconnect unknown wallet connections. Tools such as Revoke Cash let wallet owners inspect and cancel token approvals and third-party permissions. CoW Swap recommended that anyone who used the site recently treat their wallet as potentially compromised until they can confirm otherwise.

CoW Swap is a DEX routing protocol active across multiple EVM-compatible chains, including Ethereum, Gnosis, Arbitrum, Base, Polygon, Avalanche and Lens Network, and has seen more activity on BNB Chain in recent months. The router handled about $3.8 billion in trading volume in March and roughly $1.22 billion so far in April, with weekly volumes near $700 million.

Security teams and analysts noted the incident follows a string of recent Web3 breaches and urged projects to strengthen domain and DNS security. Market observers flagged a growing number of automated attacks that target infrastructure such as domain records, and they emphasized immediate steps for users to secure wallets and revoke exposed permissions.