BlockBeats report: On April 17, according to official information, the post-incident review of the CoW Swap attack revealed that its domain cow.fi was subjected to a supply chain attack on April 14, 2026. Attackers compromised the .fi domain registration process via social engineering and hijacked DNS resolution, causing users to be redirected to a phishing site when accessing swap.cow.fi. During the incident, the attackers deployed a forged transaction interface and attempted to trick users into connecting their wallets and signing malicious transactions.
The report confirms that the incident did not affect the on-chain contracts, backend systems, or user fund security of CoW Protocol; the core infrastructure and services such as AWS and Vercel were not compromised. The attack occurred during the domain registration and transfer process, where the attacker gained control by submitting forged identification documents and exploiting vulnerabilities in the registration workflow, briefly altering the domain's redirection. The team identified the anomaly and initiated an emergency response within 19 minutes, subsequently migrating to cow.finance and completing domain recovery within approximately 26 hours.
The CoW team stated that affected users were primarily those who visited the official website during the domain hijacking period, with initial estimates of losses totaling approximately $1.2 million. The cow.fi domain has now been restored, with additional security measures such as RegistryLock implemented. The team has also initiated an external security audit, legal action, and is developing a potential user compensation plan. The official team emphasized that the vulnerability has been patched and plans to enhance the security of domain infrastructure through governance and industry collaboration.