CoW Swap Pauses After DNS Hijack Sends Traders to Fake Phishing Frontend
CoW Swap paused its protocol on April 14, 2026 after attackers hijacked the DNS for swap.cow.fi and redirected users to a malicious phishing frontend. Blockaid issued an early warning around 14:54 UTC, flagging cow.fi as malicious and urging users to stop interacting and revoke token approvals.
The CoW DAO confirmed the incident as DNS hijacking at about 16:24 UTC. It said the underlying CoW Protocol smart contracts were not affected, but it paused backend and API services to fix the domain. For anyone who used the CoW Swap interface after the alert, the DAO recommended revoking approvals via revoke.cash.
Aave also temporarily disabled CoW Swap endpoints for integrators as a precaution. As of publication, CoW DAO had not confirmed full restoration or released a post-mortem, and no confirmed user fund losses were publicly reported.
For traders, this is a near-term UX/counterparty risk event for CoW Swap. Expect short-term volatility and more cautious liquidity behavior until the domain and endpoints are verified safe again. Monitor the “revoke approvals” guidance and any restoration updates closely.
Bearish
This CoW Swap DNS hijack is not a smart-contract failure, but it directly creates trader-facing risk: phishing exposure, potential wallet-approval abuse, and temporary loss of access/liquidity. In the short term, the protocol pause and third-party endpoint shutdowns (e.g., Aave) can reduce routing and execution confidence, which typically pressures the market for the related token COW. Even with no confirmed user fund losses, uncertainty around restoration timing and endpoint verification tends to keep bids conservative.
Over the longer term, if CoW Swap restores services quickly and credibly communicates fixes and monitoring, the impact can fade. However, DNS attacks reinforce a broader DeFi risk premium, so traders may demand better spreads/liquidity terms before treating COW as fully back to normal.