This is a blog post - I think this is relevant to domain name holders, hope you guys find it educational.
On April 14, 2026, at 14:54 UTC, attackers hijacked the DNS records for swap.cow.fi, redirecting every visitor to Ethereum's leading DEX aggregator to a phishing site designed to drain connected wallets. The CoW DAO team did not issue their first public warning until 15:41 UTC, roughly 47 minutes after the hijack began. A follow up confirmation that it was indeed a DNS hijacking came at approximately 16:24 UTC, over 90 minutes into the attack.
Within three hours, the compromised frontend had facilitated approximately $1 million in stolen funds, with one wallet alone losing 219 ETH. Other estimates place confirmed losses at around $500,000, with at least one user reporting individual losses exceeding $50,000.
This was not a smart contract exploit. The protocol's backend, APIs, and on chain contracts were never compromised. The entire attack surface was the DNS layer: the system that translates swap.cow.fi into an IP address. By changing where that domain pointed, the attackers replaced a legitimate trading interface with a wallet draining clone, and users had no visible indication that anything was wrong.
The Attack Timeline
Reconstructing the sequence from public disclosures paints a clear picture of the detection gap.
14:54 UTC: DNS records for swap.cow.fi are modified, redirecting the domain to attacker controlled infrastructure hosting a phishing frontend. Users visiting the site see what appears to be the normal CoW Swap interface. Any wallet connection or transaction approval routes through the malicious site, giving attackers the ability to request token approvals that drain connected wallets.
~15:41 UTC (47 minutes later): CoW DAO posts on X warning users of "an issue with the CoW Swap frontend" and advising users not to interact with the site. At this point, the team is still investigating and has not yet confirmed the root cause.
~15:55 UTC: Web3 security firm Blockaid flags the cow.fi domain as malicious and begins blocking it through its phishing detection service. MetaMask also blocks access to the domain for users with the extension installed.
~16:24 UTC (90 minutes after hijack): CoW DAO confirms the incident was a DNS hijacking. Backend and APIs are paused as a precaution. Users are told to revoke all approvals made after 14:54 UTC using tools like revoke.cash.
Later that evening: The swap.cow.fi domain is locked by the registrar, taking it offline entirely. CoW DAO confirms the domain will not be live again that night and spins up an alternative endpoint for users who rely on the platform daily.
The critical window was those first 47 minutes. From 14:54 to ~15:41 UTC, users had no warning. Every trader who visited swap.cow.fi during that window, connected a wallet, and approved a transaction was exposed to the drainer. CoW Swap processes roughly $700 million in weekly volume, making even a brief window of undetected compromise extremely high value for attackers.
How DNS Hijacking Works in DeFi
DNS hijacking targets the resolution layer of the internet. When a user types swap.cow.fi into their browser, their device queries a DNS resolver to translate that domain name into an IP address. Under normal conditions, the resolver returns the IP of CoW Swap's legitimate hosting infrastructure. During a hijack, the attacker modifies the DNS records (typically the A record or NS delegation) so that the resolver returns the IP address of a server the attacker controls.
The phishing site hosted at that IP is a pixel perfect clone of the real interface. From the user's perspective, nothing looks wrong. The URL is correct. The interface is familiar. The only difference is that transaction requests are routed through malicious smart contracts that request broad token approvals, allowing the attacker to transfer assets out of the connected wallet.
This is the fundamental vulnerability that CoinDesk described as "a persistent weak point in decentralized finance": the entire security model of a non custodial protocol collapses if the frontend serving that protocol is controlled by an attacker. Smart contract audits, formal verification, and on chain security are all irrelevant when the user never reaches the real contract in the first place.
CoW Swap is not an isolated case. Curve Finance was hit by DNS hijacking in May 2025 and previously in August 2022, losing over $570,000 in the earlier incident. After the 2025 attack, Curve migrated its entire domain from curve.fi to curve.finance due to the registrar's slow response time. HypurrFi and BONKfun experienced similar frontend takeovers in early 2026. According to Hacken, Web3 projects lost $482 million to hacks and scams in Q1 2026 alone, with the majority tied to phishing and social engineering rather than smart contract exploits.
Where DNS Monitoring Would Have Changed the Outcome
The CoW Swap attack had a 47 minute detection gap before any public warning was issued. During that window, every user interaction with the frontend was a potential theft. Automated DNS monitoring eliminates this gap by detecting the record change the moment it propagates, not when a human notices something is wrong.
Here is how DNS Assistant would have changed the timeline.
Immediate Detection via A Record Monitoring
When you create an alert rule for a domain in DNS Assistant, the system periodically resolves the domain's DNS records from trusted external resolvers and compares the results against the last known baseline stored in the database. The moment swap.cow.fi's A record changed to point to the attacker's IP, the system would detect the deviation from the stored baseline.
On an aggressive monitoring interval (as low as 5 minutes depending on plan tier), the alert would have fired within minutes of the DNS change at 14:54 UTC, not 47 minutes later when a human discovered the problem.
Multi-Channel Alert Delivery
DNS Assistant delivers alerts through email, Slack, Microsoft Teams, webhooks, and SMS. For a domain handling hundreds of millions of dollars in weekly trading volume, the appropriate configuration is multi-channel: immediate Slack notification to the engineering channel, SMS to the on call security lead, and a webhook to the incident management platform. This ensures the right people know about the change within seconds of detection, regardless of whether they are actively monitoring dashboards.
WHOIS Change Detection
DNS hijacking that involves registrar level compromise, which is how attackers modify A records or NS records for domains they do not own, often leaves traces in WHOIS data. Changes to nameserver entries, registrar metadata, or administrative contact fields at the registrar level can precede or accompany a DNS record modification. DNS Assistant's WHOIS monitoring engine tracks these fields and generates independent alerts when changes are detected, providing a second signal that corroborates the DNS record change.
NS Record Baseline Alerts
If the attack involved modifying the domain's NS delegation (redirecting all resolution for the domain to attacker controlled nameservers), DNS Assistant would flag the NS record change as a separate, high severity alert event. NS changes are among the most dangerous DNS modifications because they shift the entire resolution chain, giving the attacker control over every record type for that domain.
The Broader Pattern: DeFi's DNS Problem
The CoW Swap incident is a symptom of a structural issue in decentralized finance. Protocols invest heavily in smart contract security: audits, formal verification, bug bounties, and on chain monitoring. But the web frontend, the interface through which virtually all users access these contracts, runs on traditional web infrastructure. DNS, TLS certificates, CDN configurations, and domain registrar accounts are all potential points of compromise that bypass every on chain security measure.
As REKT documented in their analysis of Curve Finance's 2022 DNS hijacking: "For users, DeFi protocols are only as secure as their centrally hosted front end." That observation was made in 2022 and remains accurate in 2026.
The solution is not to abandon web based frontends. It is to monitor the DNS layer with the same rigor that the industry applies to smart contracts. This means continuous record monitoring with sub-minute detection windows, multi-channel alerting that reaches the incident response team instantly, WHOIS tracking to detect registrar level changes that precede or accompany hijacking, automated baseline comparison that catches deviations a human might miss during off hours, and external resolution from trusted infrastructure that is not subject to the same compromise.
What You Should Do Today
If you operate a DeFi protocol, a Web3 application, or any service where a DNS hijacking could result in direct financial loss to your users, the minimum viable monitoring posture includes the following.
Monitor A and AAAA records on every domain that serves your frontend. Any change to these records outside of a planned deployment should trigger an immediate alert.
Monitor NS records to detect delegation changes. If your domain's NS records change without your authorization, assume your entire DNS is compromised.
Enable WHOIS monitoring for registrar level changes. Domain registrar accounts are a prime target for attackers, and changes at that level can give them full control over your DNS.
Configure multi-channel alerts so that critical DNS changes reach your team through Slack, SMS, and webhooks simultaneously. A critical alert sitting unread in an email inbox during a 47 minute attack window is the same as no alert at all.
Set the shortest viable monitoring interval. For high value domains, every minute of undetected compromise has a direct cost. DNS Assistant's alert intervals scale with plan tier, allowing you to run checks at frequencies that match the risk profile of each domain.
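An added example, not code from the original post or from the DNS Assistant product: the baseline-comparison check described in the "Immediate Detection" section and in the checklist above (resolve A/AAAA/NS from several external resolvers, compare against a stored baseline, give NS changes the highest severity), written in Python. The resolver is injected so the block runs offline; the domain, addresses and nameserver names are constructed placeholders, and dnspython is mentioned only as one assumed way to do live resolution.

```python
"""Baseline DNS drift check: resolve A/AAAA/NS via several external resolvers,
compare each answer set with a stored baseline, and raise typed alerts."""
from dataclasses import dataclass

# Severity per record type: an NS change re-delegates every record at once.
SEVERITY = {"NS": "critical", "A": "high", "AAAA": "high"}

def _norm(answers):
    # Order- and case-insensitive comparison; a trailing dot is not a change.
    return frozenset(a.strip().lower().rstrip(".") for a in answers)

@dataclass(frozen=True)
class Alert:
    domain: str
    rtype: str
    severity: str
    partial: bool        # True while only some resolvers return the new answer
    expected: frozenset
    observed: dict       # resolver -> normalised answers it returned

def check_domain(domain, baseline, resolve, resolvers, rtypes=("A", "AAAA", "NS")):
    """resolve(resolver, domain, rtype) -> answer strings; injected so this runs
    offline (production would query real resolvers, e.g. via dnspython). One
    disagreeing resolver is enough to page: early in a hijack, the new answer
    reaches each resolver only as its cached copy of the old one expires."""
    alerts = []
    for rtype in rtypes:
        expected = _norm(baseline.get(rtype, ()))
        observed = {r: _norm(resolve(r, domain, rtype)) for r in resolvers}
        drifted = [r for r, ans in observed.items() if ans != expected]
        if drifted:
            alerts.append(Alert(domain, rtype, SEVERITY.get(rtype, "medium"),
                                len(drifted) < len(resolvers), expected, observed))
    return alerts

# Constructed sample (not real records): the pre-incident baseline and what three
# public resolvers answer a few minutes after the A record was changed.
BASELINE = {"A": ["203.0.113.10"], "AAAA": ["2001:db8::10"],
            "NS": ["ns1.example.net.", "ns2.example.net."]}
ANSWERS = {  # resolver -> record type -> answers
    "1.1.1.1": {"A": ["198.51.100.77"], "AAAA": ["2001:db8::10"], "NS": ["NS2.example.net", "ns1.example.net"]},
    "8.8.8.8": {"A": ["198.51.100.77"], "AAAA": ["2001:db8::10"], "NS": ["ns1.example.net.", "ns2.example.net."]},
    "9.9.9.9": {"A": ["203.0.113.10"], "AAAA": ["2001:db8::10"], "NS": ["ns1.example.net.", "ns2.example.net."]},
}

def sample_resolve(resolver, domain, rtype):
    return ANSWERS[resolver][rtype]

if __name__ == "__main__":
    for a in check_domain("swap.example", BASELINE, sample_resolve, list(ANSWERS)):
        print(f"[{a.severity}{' partial' if a.partial else ''}] {a.rtype} drift, expected {sorted(a.expected)}")
```

In the sample only the A record has drifted and only two of three resolvers see it yet, which is exactly the partial-propagation state a short monitoring interval is meant to catch; a planned deployment is handled by re-capturing the baseline, not by suppressing the alert.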
The CoW Swap attackers did not exploit a zero day vulnerability or crack an encryption algorithm. They changed a DNS record. The technical capability to detect that change within minutes has existed for years. The difference between a $500,000+ loss and a contained, near zero impact incident is whether automated monitoring was watching when the record changed.
The question is not whether your DNS can be hijacked. It is whether you will know about it before your users do.