CoW Swap Halts Protocol After Website Compromise

CoW Swap, the Ethereum-based decentralized exchange aggregator, paused its protocol on April 14, 2026, after attackers seized control of its website domain and redirected users to a malicious site engineered to harvest wallet approvals, with cybersecurity researcher Vladimir S. estimating approximately $500,000 in digital assets drained, and at least one user reporting individual losses exceeding $50,000.

The protocol’s underlying smart contracts and backend APIs were confirmed unaffected; the attack surface was the front-end interface alone. We suspect this is less a story about CoW Swap’s specific security posture and more a structural signal about the DeFi industry’s persistent, underweighted exposure to UI-layer infrastructure attacks – a threat vector that smart contract audits do not reach.

DISCOVER: Best crypto to buy right now – CoinSpeaker’s updated guide

CoW Swap Front-End Compromise: DNS Hijacking, Malicious Approvals, and What the Protocol Has Confirmed

The mechanism functions as follows: attackers gained administrative control of CoW Swap’s website domain – the cow.fi address that users navigate to before interacting with the protocol – and redirected that domain to a malicious site designed to mimic the legitimate interface.

Users who visited the site and signed transaction approvals during the window following 14:54 UTC on April 14 were exposed to wallet-draining transfers, without any indication at the domain level that anything was amiss.

Blockchain security firm Blockaid detected and flagged the malicious activity on the cow.fi domain, identifying it as a frontend attack capable of tricking users into signing draining transactions.

CoW Swap’s team confirmed the situation in a public statement: “We are now actively working to resolve the situation. The CoW Protocol backend and APIs were not impacted, but we have paused them temporarily as a precaution.”

MooKeeper, a pseudonymous member of the CoW Swap team, said that the scope of losses remains under active investigation and that a fuller assessment would follow, adding: “We have evidence that a small number of users signed malicious approvals for very small amounts.”

That characterization sits in tension with Vladimir S.’s on-chain estimate of $500,000 drained from multiple addresses – a figure that some reports suggested could approach $1 million within three hours of the attack’s disclosure, though that higher figure has not been independently confirmed.

It is necessary to flag the epistemic status of several details here: the precise total of stolen funds, the identity of the attackers, and the full list of affected wallets remain unconfirmed in public disclosures at the time of writing.

CoW DAO advised all users to revoke any approvals granted to CoW Swap after 14:54 UTC on April 14, recommending tools such as revoke cash for that process. Martin Köppelmann, co-founder and CEO of decentralized infrastructure provider Gnosis, noted that exposure appears limited to users who approved protocol interactions within the few hours the compromised domain was active. Aave separately disabled CoW Swap endpoints for its integrators as a precautionary measure, confirming that Aave’s own interface and protocol were not affected.

EXPLORE: Best meme coins to watch – CoinSpeaker’s updated rankings

next

Disclaimer: Coinspeaker is committed to providing unbiased and transparent reporting. This article aims to deliver accurate and timely information but should not be taken as financial or investment advice. Since market conditions can change rapidly, we encourage you to verify information on your own and consult with a professional before making any decisions based on this content.

Web3 News, Cybersecurity News