This post was originally published on Coinspeaker
CoW Swap, the Ethereum-based decentralized exchange aggregator, paused its protocol on April 14, 2026, after attackers seized control of its website domain and redirected users to a malicious site engineered to harvest wallet approvals, with cybersecurity researcher Vladimir S. estimating approximately $500,000 in digital assets drained, and at least one user reporting individual losses exceeding $50,000.
The protocol’s underlying smart contracts and backend APIs were confirmed unaffected; the attack surface was the front-end interface alone. We suspect this is less a story about CoW Swap’s specific security posture and more a structural signal about the DeFi industry’s persistent, underweighted exposure to UI-layer infrastructure attacks – a threat vector that smart contract audits do not reach.
DISCOVER: Best crypto to buy right now – CoinSpeaker’s updated guide
CoW Swap Front-End Compromise: DNS Hijacking, Malicious Approvals, and What the Protocol Has Confirmed
The mechanism functions as follows: attackers gained administrative control of CoW Swap’s website domain – the cow.fi address that users navigate to before interacting with the protocol – and redirected that domain to a malicious site designed to mimic the legitimate interface.
Users who visited the site and signed transaction approvals during the window following 14:54 UTC on April 14
— Read the rest of this post, which was originally published on Coinspeaker.
