CoW Swap, the Ethereum-based decentralized exchange aggregator, temporarily suspended its protocol on April 14, 2026, after attackers took control of its website domain and redirected users to a malicious site designed to obtain wallet approvals. According to cybersecurity researcher Vladimir S., nearly $500,000 worth of digital assets were drained, and at least one user reported individual losses exceeding $50,000.
The protocol’s core smart contracts and back-end APIs have been confirmed to be unaffected; the attack surface was the front end alone. We suspect that this is not a story about the specific security posture of CoW Swap, but rather a structural signal about the DeFi industry’s ongoing and unwanted exposure to UI-layer infrastructure attacks – a threat vector that smart contract audits do not reach.
CoW Swap front-end compromise: DNS hijacking, malicious approvals, and what the protocol has confirmed
The mechanism works as follows: attackers gained administrative control over CoW Swap’s website domain – the Cow.fi address that users go to before interacting with the protocol – and redirected this domain to a malicious site designed to mimic the legitimate interface.
Users who visited the site and signed transaction approvals during the window that opened at 14:54 UTC on April 14 experienced wallet-draining transfers, with no indication at the domain level that anything was wrong.
Update: The Swap dot Cow dot fi domain is currently locked and cannot be accessed. We’re working with security experts to assert control over the domain while it’s locked, but we *don’t* expect it to be up and running again tonight.
For those who rely on CoW Swap daily, we have prepared… https://t.co/gtoeMfxYEy
– CoW DAO (@CoWSwap) April 14, 2026
Blockchain security firm Blockaid detected and flagged malicious activity on the Cow.fi domain, identifying it as a front-end attack capable of tricking users into signing drain transactions.
The CoW Swap team confirmed the situation in a public statement: “We are now actively working to resolve the situation. The CoW protocol backend and APIs are not affected, but we have paused them as a precaution.”
MooKeeper, a pseudonymous member of the CoW Swap team, said the scope of the losses was still under active investigation and a fuller assessment would follow, adding: “We have evidence that a small number of users signed malicious consents for very small amounts.”
This characterization contradicts Vladimir S.’s estimate that $500,000 was drained on-chain from multiple addresses – a number that some reports suggested could have been close to $1 million within three hours of the attack being disclosed, though that higher number has not been independently confirmed.
Several details remain unconfirmed in public disclosures at the time of writing: the exact total of stolen funds, the identity of the attackers, and the full list of affected wallets.
The CoW Swap front end has been brought back to https://t.co/428UojJIdq.
Make sure to only sign approvals at 0xc92e8bdf79f0507f65a392b0ab4667716bfe0110 (original GPv2VaultRelayer contract) https://t.co/phQqIbzPAR
– Felix Leupold (@fleupold_) April 14, 2026
The CoW DAO advised all users to revoke any approvals given to CoW Swap after 14:54 UTC on 14 April, recommending approval-revocation tools for this process. Martin Köppelmann, co-founder and CEO of decentralized infrastructure provider Gnosis, noted that exposure appeared to be limited to users who approved protocol interactions during the few hours that the compromised domain was active. Aave has separately disabled CoW Swap endpoints for its integrators as a precaution, confirming that Aave’s own interface and protocol were not affected.
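The two pieces of advice above (approve only the GPv2VaultRelayer address, and revoke approvals given after 14:54 UTC on April 14) can be turned into a mechanical check. The following is an added example, not CoW Swap's own code: it decodes ERC-20 `approve(address,uint256)` calldata and triages each call. The transaction objects, the `ROGUE` placeholder spender and the verdict labels are assumptions constructed for illustration, and permit-style signatures are not covered.

```javascript
// GPv2VaultRelayer address quoted on this page (lowercase, as posted).
const TRUSTED_SPENDER = "0xc92e8bdf79f0507f65a392b0ab4667716bfe0110";
// Start of the exposure window given in the CoW DAO advice, in Unix seconds.
const CUTOFF = Date.parse("2026-04-14T14:54:00Z") / 1000;
const APPROVE_SELECTOR = "095ea7b3"; // ERC-20 approve(address,uint256)

// Build approve() calldata; used here only to construct the sample inputs.
function encodeApprove(spender, amount) {
  const addr = spender.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  return "0x" + APPROVE_SELECTOR + addr + amount.toString(16).padStart(64, "0");
}

// Return {spender, amount} for well-formed approve() calldata, else null.
function decodeApprove(calldata) {
  const hex = String(calldata).toLowerCase().replace(/^0x/, "");
  // 4-byte selector plus two 32-byte words = 136 hex characters.
  if (hex.length !== 136 || !/^[0-9a-f]+$/.test(hex)) return null;
  if (hex.slice(0, 8) !== APPROVE_SELECTOR) return null;
  const spenderWord = hex.slice(8, 72);
  if (!spenderWord.startsWith("0".repeat(24))) return null; // bad address padding
  return { spender: "0x" + spenderWord.slice(24), amount: BigInt("0x" + hex.slice(72)) };
}

// Verdict labels are this example's own (assumed) vocabulary.
function reviewApproval(tx) {
  const call = decodeApprove(tx.data);
  if (!call) return "not-an-approve";
  if (call.amount === 0n) return "revocation";        // allowance set to zero
  if (call.spender === TRUSTED_SPENDER) return "ok";  // the only spender to approve
  return tx.timestamp >= CUTOFF ? "revoke" : "unknown-spender";
}

function triage(txs) {
  return txs.map((tx) => [tx.id, reviewApproval(tx)]);
}

// Constructed sample transactions; ROGUE is a placeholder, not a real indicator.
const ROGUE = "0x00000000000000000000000000000000deadbeef";
const MAX_UINT256 = 2n ** 256n - 1n;
const SAMPLE_TXS = [
  { id: "a", timestamp: CUTOFF + 600, data: encodeApprove(ROGUE, MAX_UINT256) },
  { id: "b", timestamp: CUTOFF + 600, data: encodeApprove(TRUSTED_SPENDER, MAX_UINT256) },
  { id: "c", timestamp: CUTOFF - 3600, data: encodeApprove(ROGUE, 1000n) },
  { id: "d", timestamp: CUTOFF + 900, data: encodeApprove(ROGUE, 0n) },
  { id: "e", timestamp: CUTOFF + 900, data: "0xa9059cbb" }, // not approve() calldata
];
console.log(triage(SAMPLE_TXS));
```

A "revoke" verdict marks a non-zero allowance granted inside the window to a spender other than the relayer; "unknown-spender" marks the same pattern before the window and calls for manual review.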

Daniel Francis is a technical writer and Web3 educator specializing in macroeconomics and DeFi mechanics. A crypto native since 2017, Daniel brings his background in cross-chain analytics to author evidence-based reports and detailed guides. He is certified by the Blockchain Council and is dedicated to providing “information gain” that cuts through the market noise to find blockchain’s real-world utility.





