TechFlow reports that, according to an official post-mortem report on the CoW Swap security incident released on April 17, the domain cow.fi was compromised via a supply-chain attack on April 14, 2026. Attackers exploited social engineering techniques to infiltrate the .fi domain registration process and hijack DNS resolution, causing users attempting to access swap.cow.fi to be redirected to a phishing site for several hours. During this period, attackers deployed counterfeit trading interfaces and attempted to trick users into connecting their wallets and signing malicious transactions.
The report states that this incident did not impact CoW Protocol’s on-chain smart contracts, backend systems, or user funds. Core infrastructure—including services hosted on AWS and Vercel—remained uncompromised. The attack occurred exclusively during the domain registration and transfer process: attackers gained control by forging identity documents and exploiting vulnerabilities in the registration workflow, briefly modifying the domain’s DNS records. The team detected the anomaly within 19 minutes and initiated emergency response procedures; they subsequently migrated to cow.finance and fully restored the cow.fi domain within approximately 26 hours.
CoW stated that affected users were primarily those who visited the official website during the domain hijacking window. Preliminary estimates place losses at around $1.2 million. The cow.fi domain has since been reactivated with enhanced security measures—including RegistryLock—and the team has launched external security audits, legal proceedings against the perpetrators, and is developing potential compensation plans for impacted users. The official statement emphasizes that the vulnerability has been patched and outlines plans to improve domain infrastructure security through governance proposals and industry collaboration.
