CoW Swap Regains Control of cow.fi Domain After Social Engineering Attack

Severity: Medium (Score: 57.8)

Sources: The Defiant, Bitget, MEXC, KuCoin

Summary

On April 14, 2026, CoW Swap's cow.fi domain was compromised through a social engineering attack that deceived the DNS registrar with forged documents. The attacker created a phishing website that operated in two phases: first, tricking users into signing malicious transactions via a wallet drainer, and second, stealing mnemonic phrases and passwords through fake wallet pop-ups. This attack did not exploit CoW Swap's infrastructure or involve any private key leaks. Affected users are advised to use tools like Revoke.cash to revoke all approvals and consider transferring their funds to new wallets. As of April 16, CoW Swap has regained control of the cow.fi domain and is transitioning back from cow.finance. The incident highlights the vulnerabilities in domain registration processes and the importance of user vigilance against phishing attempts.

Key Points

  • CoW Swap's cow.fi domain was compromised via social engineering on April 14, 2026.
  • The attack involved a two-phase phishing scheme targeting users' wallets and credentials.
  • Affected users are advised to revoke permissions and consider moving funds to new wallets.

Key Entities

  • Phishing (attack_type)
  • Cow DAO (company)
  • CoW Swap (company)
  • Korea (country)
  • cow.fi (domain)
  • trade.xyz (domain)
  • T1056 - Input Capture (mitre_attack)
  • T1566 - Phishing (mitre_attack)
  • Revoke.cash (tool)