VERSE PRESS

CoW Swap Halts After DNS Hijack Exposes DeFi's Weakest Link

CoW DAO urged users on April 14, 2026 to stop accessing its trading interface after attackers redirected the cow.fi domain via a suspected DNS hijacking attack, pointing visitors to a fraudulent site where users who connect wallets and approve transactions unknowingly authorize malicious smart contract interactions.

Security firm Blockaid flagged the CoW Swap frontend as malicious through its real-time dApp scanning system. CoW DAO confirmed it was aware of the attack and launched an active investigation, telling users to "refrain from accessing CoWSwap" until further notice. As of publication, the protocol's smart contracts had not been confirmed as directly compromised. The attack appears contained to the frontend layer, meaning the underlying on-chain infrastructure may be intact, but users who connected wallets to the fraudulent site remain at risk.

CoW Swap is an intent-based decentralized exchange (DEX) aggregator built on Ethereum. It routes orders through competitive "solver" auctions, offering MEV (maximal extractable value) protection and peer-to-peer matching through a mechanism called Coincidence of Wants (CoW). That architecture matters here: the protocol's on-chain infrastructure is separate from its web frontend, which is why a DNS attack can compromise user funds without touching a single line of audited smart contract code.

How the Attack Works

Domain name system (DNS) hijacking works by modifying or redirecting the routing records that link a web address to a server. Attackers gain access through a domain registrar or DNS provider, then silently redirect a legitimate URL to a replica site they control. Anyone who visits the fake site and approves a transaction hands over wallet permissions to malicious contracts. Unlike smart contract exploits, this attack vector bypasses all on-chain code audits entirely.
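Because the change happens at the registrar or DNS provider, the domain owner can detect it by comparing what the domain currently resolves to against a pinned baseline. The sketch below is an added example, not code from CoW DAO or any project named in this article; the domain data, the snapshot layout and the function name are assumptions, and the addresses come from documentation ranges.

```python
import ipaddress

# Pinned baseline for a hypothetical frontend domain (all values constructed).
BASELINE = {
    "ns": {"ns1.dns-provider.example.", "ns2.dns-provider.example."},
    "a_networks": ["192.0.2.0/24"],  # hosting ranges the frontend is served from
    "registrar_locks": {"clientTransferProhibited", "clientUpdateProhibited"},
}

def check_snapshot(baseline, observed):
    """Return (severity, message) findings for one observation of the domain."""
    findings = []
    ns_seen = {name.lower() for name in observed["ns"]}
    added = ns_seen - baseline["ns"]
    if added:  # delegation moved to nameservers the owner never configured
        findings.append(("critical", f"unexpected nameservers: {sorted(added)}"))
    missing = baseline["ns"] - ns_seen
    if missing:
        findings.append(("warning", f"baseline nameservers missing: {sorted(missing)}"))
    nets = [ipaddress.ip_network(n) for n in baseline["a_networks"]]
    for addr in observed["a"]:
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in nets):
            findings.append(("critical", f"A record {addr} outside expected ranges"))
    lost = baseline["registrar_locks"] - set(observed["registrar_status"])
    if lost:  # locks dropped at the registrar often precede a record change
        findings.append(("warning", f"registrar locks removed: {sorted(lost)}"))
    return findings

# Constructed observations: one matching the baseline, one after a delegation change.
HEALTHY = {
    "ns": ["NS1.dns-provider.example.", "ns2.dns-provider.example."],
    "a": ["192.0.2.10"],
    "registrar_status": ["clientTransferProhibited", "clientUpdateProhibited"],
}
CHANGED = {
    "ns": ["ns1.other-host.example.", "ns2.other-host.example."],
    "a": ["203.0.113.45"],
    "registrar_status": ["clientTransferProhibited"],
}

if __name__ == "__main__":
    for label, snap in (("healthy", HEALTHY), ("changed", CHANGED)):
        print(label, check_snapshot(BASELINE, snap))
```

The observations are most useful when collected from several resolvers outside the organisation's own network, since a hijack is visible to the public before it is visible internally.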

Why the Blast Radius Is Larger Than It Looks

CoW Swap is not a standalone product. Since December 2025, it has served as the default swap engine inside Aave's interface, powering collateral swaps, loan repayments, and position exits for users of the largest lending protocol in DeFi. Aave holds approximately $38.7 billion in total value locked across all versions, representing roughly 30% of the entire DeFi sector. CoW Swap is also embedded in Safe (formerly Gnosis Safe), the dominant multi-signature wallet used by institutions and DAOs to manage treasury assets on Ethereum.

Aave Labs described the integration in December 2025 as bringing "CoW Protocol's powerful technology to Aave's lending ecosystem, unlocking safer, cheaper, and smarter swaps for millions of DeFi users." That reach now amplifies the exposure surface of a frontend attack.

The COW token traded around $0.22 at the time of the incident, with a 24-hour gain of roughly 4%, suggesting markets did not immediately price in severe protocol-level damage. The token carries a market cap of approximately $117 to $134 million and a fully diluted valuation near $209 million, with around 553 to 561 million tokens in circulation out of a 1 billion total supply.

A Pattern, Not an Outlier

This is not an isolated event. Aerodrome Finance, a major decentralized exchange on Base, lost over $1 million in a DNS hijack that redirected users to a convincing fake interface. Neutrl DeFi suffered a similar attack in March 2026 and paused its smart contracts while urging users to revoke token approvals via revoke.cash. HypurrFi launched a domain hijacking investigation in early April 2026. Garden Finance, Typus Finance, and Abracadabra collectively lost $16.2 million in DNS-related breaches in October 2025.

According to a 2025 report from security firm Halborn, off-chain attacks including DNS and frontend compromises accounted for 56.5% of all DeFi security incidents and 80.5% of stolen funds in 2024. A separate analysis by The Defiant found more than 120 DeFi frontends potentially vulnerable to DNS attacks.

CoW Swap itself has prior security history. In February 2023, a rogue solver exploited the protocol's whitelisting mechanism and drained $180,000 from users. In March 2026, a trader lost approximately $50 million while using Aave's CoW-powered swap interface, with MEV bots extracting around $9.9 million and block builder Titan Builder capturing roughly $34 million in ETH from the transaction. That incident produced dueling post-mortems from both Aave and CoW Protocol, signaling existing friction between the two integrated protocols and adding further weight to the current attack's stakes.

Regional Exposure

Users in South Asia and Africa face compounded risk. India ranks among the top global markets for DeFi adoption, and Indian users accessing Aave's swap interface are directly exposed to this incident. Across the broader Asia-Pacific region, approximately 350 million wallet users represent around 43% of the global crypto wallet base, making the region's exposure to any frontend compromise significant in scale.

Africa's crypto wallet base has grown to approximately 75 million users and is the fastest-growing regional segment globally, but its mobile-first, browser-dependent usage pattern offers no additional security layer against a spoofed site. South Africa approaches 20% DeFi adoption rates, yet the technical literacy required to navigate alternatives such as ENS mirrors cannot be assumed for newly onboarded retail users.

The threat to DNS infrastructure in these regions is not only criminal in origin. In April 2026, the U.S. Department of Justice, the FBI, and the UK's National Cyber Security Centre documented a SOHO router DNS hijacking campaign attributed to Russian state actors identified as APT28, a unit of Russian military intelligence. That campaign targeted DNS infrastructure across multiple regions, including parts of Africa, reframing the underlying risk as a geopolitical and systemic infrastructure problem rather than a matter of opportunistic criminal activity alone.

What to Do Now

Users who have recently connected a wallet to cow.fi should revoke token approvals immediately using revoke.cash. Aave users relying on CoW-powered swaps should pause position management activity until CoW DAO issues a formal all-clear. Safe wallet users with active CoW-integrated TWAP orders (time-weighted average price orders that execute trades gradually over time) should audit their approval status. Updates will come through CoW DAO's official account at @CoWSwap.
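Revoking matters because an ERC-20 approval stays in force until it is overwritten. The following added example, which is not from the article or from revoke.cash, replays Approval event logs for one wallet and lists the allowances that are still open; the addresses, block numbers and the log dictionary layout are constructed assumptions.

```python
# keccak256("Approval(address,address,uint256)"), the ERC-20 Approval event topic.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1

def as_topic(address):
    """Left-pad a 20-byte address to a 32-byte indexed topic."""
    return "0x" + "0" * 24 + address[2:].lower()

def topic_address(topic):
    return "0x" + topic[-40:].lower()

def open_allowances(logs, owner, known_spenders=()):
    """Replay logs in chain order; return allowances the owner has not revoked."""
    known = {s.lower() for s in known_spenders}
    live = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        t = log["topics"]
        # ERC-20 Approval has exactly 3 topics; ERC-721 shares topic0 but has 4.
        if len(t) != 3 or t[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_address(t[1]) != owner.lower():
            continue
        key = (log["address"].lower(), topic_address(t[2]))
        value = int(log["data"], 16)
        if value == 0:
            live.pop(key, None)  # a later approve(spender, 0) is a revoke
        else:
            live[key] = value
    return [{"token": tok, "spender": sp, "unlimited": v == MAX_UINT256,
             "known": sp in known} for (tok, sp), v in sorted(live.items())]

# Constructed sample data (not real addresses).
OWNER = "0x" + "a1" * 20
TOKEN_A, TOKEN_B = "0x" + "c1" * 20, "0x" + "c2" * 20
ROUTER, UNKNOWN = "0x" + "d1" * 20, "0x" + "e1" * 20

def _log(block, idx, token, spender, value):
    return {"blockNumber": block, "logIndex": idx, "address": token,
            "topics": [APPROVAL_TOPIC, as_topic(OWNER), as_topic(spender)],
            "data": hex(value)}

SAMPLE_LOGS = [
    _log(100, 0, TOKEN_A, ROUTER, 5 * 10**18),
    _log(120, 3, TOKEN_A, UNKNOWN, MAX_UINT256),
    _log(130, 1, TOKEN_B, UNKNOWN, MAX_UINT256),
    _log(140, 0, TOKEN_B, UNKNOWN, 0),  # revoked later
]

if __name__ == "__main__":
    for row in open_allowances(SAMPLE_LOGS, OWNER, known_spenders=[ROUTER]):
        print(row)
```

Log replay shows the last amount approved, not what remains after spending, so the token's `allowance(owner, spender)` view is the authoritative figure once a suspicious spender has been identified.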

The full scope of losses and the specific registrar or DNS provider compromised have not yet been confirmed. CoW DAO's post-incident findings will determine whether this attack follows the same template as Aerodrome and Neutrl or represents a more sophisticated intrusion. Either way, it adds fresh evidence to the argument that DeFi's security perimeter ends well before the blockchain begins.