CoW Swap Got DNS-Hijacked and $500K Drained. The Smart Contracts Were Fine

Attackers hijacked CoW Swap’s domain and redirected users to a fake interface that solicited malicious token approvals. Roughly $500,000 was drained. The protocol’s smart contracts were never touched.

CoW Swap got hijacked on April 14, and the attack had nothing to do with DeFi.

Attackers took control of the Ethereum decentralized exchange’s domain at the DNS level and redirected users to a clone site. The fake interface prompted visitors to sign token approval transactions that gave the attacker permission to drain their wallets. Cybersecurity researcher Vladimir S. estimates roughly $500,000 was stolen from a small number of addresses. At least one user publicly claimed losses exceeding $50,000.

The protocol’s smart contracts, backend, and APIs were never compromised. CoW paused everything anyway as a precaution.

“We have evidence that a small number of users signed malicious approvals for very small amounts,” said MooKeeper, a CoW Swap team member.

Gnosis co-founder Martin Koppelmann confirmed the scope appeared limited: only users who visited the compromised site after approximately 14:54 UTC on April 14 and signed the malicious approvals were affected. The CoW team instructed anyone who interacted with the site during that window to immediately revoke all token approvals using Etherscan’s approval checker.
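Seen from the wallet side, the approvals described above are ordinary token-allowance calls, so a pre-signing check can decode the calldata and refuse any allowance to a spender the user has not allowlisted, while still letting revocations through. The following is an added example, not code from CoW Swap or from anyone quoted in this article; the addresses are constructed placeholders and `review_calldata` and `encode` are hypothetical helper names.

```python
# Added example: pre-signing review of allowance-granting calldata.
# Selectors are the standard 4-byte ABI selectors; all addresses are constructed.
APPROVAL_SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
}
UNLIMITED = 2**255  # allowances this large are effectively unlimited

def review_calldata(calldata_hex, trusted_spenders):
    """Return (verdict, detail) for calldata the user is being asked to sign."""
    try:
        data = bytes.fromhex(calldata_hex.lower().removeprefix("0x"))
    except ValueError:
        return ("block", "calldata is not valid hex")
    name = APPROVAL_SELECTORS.get(data[:4].hex())
    if name is None:
        return ("not_approval", "no allowance-granting selector")
    if len(data) != 4 + 64:  # selector + two 32-byte ABI words
        return ("block", f"{name}: malformed arguments")
    if any(data[4:16]):  # an address occupies the low 20 bytes of its word
        return ("block", f"{name}: address word has non-zero padding")
    spender = "0x" + data[16:36].hex()
    value = int.from_bytes(data[36:68], "big")
    if value == 0:
        # Zero allowance is what a revocation looks like; always allow it,
        # including for a spender that is not on the allowlist.
        return ("ok", f"{name}: clears allowance for {spender}")
    if spender not in {s.lower() for s in trusted_spenders}:
        return ("block", f"{name}: spender {spender} is not on the allowlist")
    if name.startswith("setApprovalForAll") or value >= UNLIMITED:
        return ("warn", f"{name}: unlimited access for {spender}")
    return ("ok", f"{name}: allowance of {value} for {spender}")

def encode(selector, address, value):
    """Build sample calldata: selector, left-padded address, 32-byte value."""
    return "0x" + selector + address[2:].rjust(64, "0") + f"{value:064x}"

TRUSTED = "0x" + "11" * 20   # constructed stand-in for the real protocol spender
UNLISTED = "0x" + "ee" * 20  # constructed stand-in for an unknown spender

if __name__ == "__main__":
    samples = {
        "small approval, unlisted spender": encode("095ea7b3", UNLISTED, 5),
        "revocation of unlisted spender": encode("095ea7b3", UNLISTED, 0),
        "unlimited approval, trusted spender": encode("095ea7b3", TRUSTED, 2**256 - 1),
    }
    for label, calldata in samples.items():
        print(label, "->", review_calldata(calldata, [TRUSTED]))
```

The check keys on the spender rather than the amount, so an approval for a very small amount to an unlisted address is still blocked.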

This is becoming a pattern. Curve Finance suffered the exact same attack vector in 2022 (roughly $570,000 drained) and again in May 2025 (DNS record manipulation, losses unspecified). Same playbook every time: hijack the domain, serve a malicious front-end, harvest approvals.

The irony is thick. DeFi protocols spend millions on smart contract audits, formal verification, and bug bounties. The contracts are battle-tested. Then the whole thing gets undone by a domain registrar compromise that any web2 phishing crew could pull off.

The fix isn’t complicated in theory: decentralized front-ends, IPFS-hosted interfaces, ENS domains, client-side signature verification. But almost no major DeFi protocol actually ships these as defaults. The user experience gap between a traditional web interface and a decentralized one is still wide enough that protocols choose convenience over resilience.

Why We’re Watching

DNS hijacking is now the most reliable attack vector in DeFi, and it has nothing to do with blockchain security. Three major incidents in four years, same attack, same outcome. The smart contracts survive. The web infrastructure doesn’t. That’s a problem for every DeFi protocol that serves users through a traditional domain.

For African DeFi users who access protocols primarily through mobile browsers (often on slower connections where loading IPFS interfaces is impractical), front-end security is the entire security model. If the website you’re visiting isn’t the real one, your on-chain protections are meaningless.

Watch whether CoW Swap and Curve finally migrate to decentralized front-end hosting after this. If they don’t, the next $500,000 DNS hijack is a matter of when, not if.
