
swap.cow.fi DNS Hijack

darkmatter's on-chain record of the April 14, 2026 incident.

Amount lost: $563,422 (ETH + USDC · Base + Ethereum mainnet)
Loss rank: Largest known* (*by our current public-evidence review, among single-wallet losses we have documented from this incident; see "our loss · methodology" below)
Status: Open. Draft grants proposal posted 2026-04-23. Snapshot vote proposed 2026-04-30 to 2026-05-07.

tl;dr

what: On April 14, 2026, CoW Swap's frontend at swap.cow.fi was hijacked via DNS, redirecting users to a phishing site. CoW Protocol's backend and smart contracts were not affected. CoW's April 16 post-mortem says the phishing flow first triggered malicious wallet interactions and later fake wallet-unlock prompts requesting seed phrases and passwords.
now: On April 23, 2026, CoW core contributors posted a draft discretionary-grants program on forum.cow.fi. If approved, the proposed vote window is April 30-May 7, claims would close May 14, and target payouts would conclude by May 31. The draft explicitly excludes users who entered seed phrases.
us: darkmatter's wallet v.drkmttr.eth was drained for $563,422 in ETH and USDC across Base and Ethereum mainnet starting at 17:36 UTC.
scale: We are, by our current public-evidence review, the largest single-wallet victim of this incident — our $563,422 loss is approximately 47% of the ~$1.2M total user losses CoW DAO published in its April 16 post-mortem (as of that date; denominator subject to revision by CoW).
why this page exists: To be the single factual record of our experience — timeline, on-chain evidence, and all third-party coverage in one place.

who we are

darkmatter is a small, technical team that builds on-chain infrastructure, trades at scale, and ships open-source tools for the community. In the 9 months before the hijack, we routed $37.4M through CoW Swap — 646 trades across 36 wallets, all through CoW's native interface. This is our first public communication. We're publishing it because what happens next to our losses, and to the on-chain record, is a matter of public interest. The facts deserve a durable home.

volume routed via cow swap: $37.4M (36 wallets · 646 trades · 9 months · verified from public Dune tables)
loss in this incident: $563,422 (ETH + USDC · Base + Ethereum mainnet · 17:36 UTC)

what happened · timeline (utc)

  1. Pre-attack: Traficom transfer dispute opened (per CoW post-mortem)
    Per CoW DAO's April 16 post-mortem: an attacker impersonating a senior CoW DAO contributor opens a transfer dispute with Traficom (the Finnish .fi registry). Traficom requests clarification from the registrar (Gandi SAS). Gandi does not respond by Traficom's April 7 deadline.
  2. Domain holder contact email changed (Gandi, per Traficom registry log)
    Per CoW's post-mortem citing Traficom registry logs: the cow.fi domain's registered contact email is changed from CoW's legitimate address to an attacker-controlled email. The mechanism by which Gandi was compelled to make this change remains, per the post-mortem, under investigation.
  3. New registrar transfer key created (Gandi, per Traficom registry log)
    Per CoW's post-mortem: Gandi creates a new registrar transfer key for cow.fi.
  4. Phase 3 — domain transfer + phishing deployment (per CoW post-mortem)
    Per CoW's post-mortem ("Phase 3 — Domain transfer and phishing deployment, ~13:38–14:57 UTC"): cow.fi is transferred to NETIM, nameservers are repointed to attacker-controlled Cloudflare, a wildcard Let's Encrypt certificate is issued, and a phishing site mimicking the CoW Swap interface is deployed. The phishing site begins serving from approximately 13:38 UTC — approximately 2 hours and 3 minutes before CoW DAO's first public-alert tweet at ~15:41 UTC.
  5. swap.cow.fi DNS hijacked — CoW DAO's originally-cited start time
    CoW DAO's first public-alert tweet (timestamped ~15:41 UTC; see entry below) cited 14:54 UTC as the hijack start. The April 16 post-mortem subsequently revises this: phishing was actually live from ~13:38 UTC (see Phase 3 entry above).
  6. First public warning (independent researcher)
    Security researcher pcaversaccio flags cow.fi UI / DNS compromise on X and warns users not to interact.
  7. MetaMask Phishing Detection blocks the dapp
    MetaMask confirms phishing-detection block on the CoW Swap frontend; users with MetaMask see a roadblock.
  8. CoW DAO public alert
    CoW DAO tells users to stop interacting with swap.cow.fi. Backend/APIs temporarily paused as precaution.
  9. CoW confirms DNS hijack, asks for approval revocations
    CoW DAO confirms DNS hijacking and asks users to revoke all approvals made on CoW Swap after 14:54 UTC.
  10. darkmatter wallet v.drkmttr.eth drained
    $563,422 in ETH and USDC exits wallet 0xbBb0…aBbb across Base and Ethereum mainnet.
  11. Phishing escalates to seed-phrase / password collection (per CoW)
    Per CoW's post-mortem: the phishing page is updated with fake wallet unlock modals (mimicking Rabby, Coinbase Wallet, etc.) prompting users for seed phrases and passwords.
  12. Fallback domain after NETIM holds cow.fi (swap.cow-s.fo)
    Per CoW's post-mortem: after NETIM places cow.fi on hold, the attacker redirects to swap.cow-s.fo on a Faroe Islands TLD.
  13. cow.fi domain locked by registrar
    CoW team reports swap.cow.fi locked and inaccessible while working with registrar and security partners to assert control.
  14. Domain recovered to AWS account; RegistryLock applied
    Per CoW's post-mortem: cow.fi is restored to CoW's AWS account with a registry-level lock applied at the registrar level — which CoW notes was "previously technically unavailable by AWS Route 53."
  15. CoW DAO publishes post-mortem
    Post-mortem published as an X Article. Key points: supply-chain attack at the .fi registry/registrar interface; RegistryLock not enabled prior to the attack; estimated total user losses ~$1.2M; further compensation beyond legal-recovery proceeds framed as a future CoW DAO governance decision.
  16. CoW core contributors publish draft discretionary-grants program
    On forum.cow.fi, CoW core contributors publish a draft CIP proposing ex gratia grants funded from the Legal Defense Reserve. Proposed timeline: Snapshot vote April 30-May 7, claims due May 14, target payouts by May 31 if approved. The draft says it is "not appropriate to refund users who entered their wallet's seed phrase, as this is not behavior that impersonates CoW Swap - or any DEX for that matter."

cow dao initial alert

CoW DAO tweet (Apr 14, 2026): “UPDATE — CoW Swap experienced a DNS hijacking at 14:54 UTC. Backend and APIs not impacted but paused as precaution.”

cow dao post-mortem (2026-04-16)

CoW DAO X Article: POST MORTEM — Cow.fi Domain Hijack. Date April 16, 2026. Status: Published — investigation ongoing. Classification: Supply-chain attack (domain registrar/registry level).

Source: CoWSwap/status/2044924940886163780 (archive).

The post-mortem confirms the attack vector and the timeline cited above. The most material key points, quoted verbatim from the source:

  • Attack location: “occurred entirely within the domain registration supply chain, specifically at the interface between the Finnish domain registry (Traficom) and the registrar (Gandi SAS, selected unilaterally by AWS).”
  • No protocol breach: “our hosted zone, frontend, backend APIs, smart contracts, and all signing infrastructure remained intact and uncompromised throughout the incident.”
  • RegistryLock absent pre-incident: “RegistryLock was not enabled on cow.fi prior to the attack. While it is now enabled post-recovery, the .fi TLD did not support transfer lock (clientTransferProhibited) via AWS Route 53.”
  • Pre-attack dispute window: “The attacker contacted Traficom impersonating a senior contributor related to CoW DAO […]. Traficom opened an investigation and requested clarifications from Gandi, which went unanswered past the April 7 deadline.”
  • Mechanism still unknown at registrar: “How the attacker was able to compel Gandi to perform these actions is still under investigation.”
  • Total user losses estimate: “[B]ased on this analysis, we estimate the likely loss attributable to users at approximately ~$1.2M.”
  • Compensation framing: “Any proceeds recovered through legal enforcement actions against the involved parties will be allocated toward reimbursing users who incurred losses as a result of this incident. Any additional reimbursement measures, beyond funds recovered through legal channels, would be subject to a decision by the CoW DAO governance process.”
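The RegistryLock and nameserver points above are the two controls a domain owner can verify from the outside. The following is an added example (not CoW's or darkmatter's code) that audits a parsed RDAP record for transfer/update locks and for unexpected nameserver delegation; the record and the hostnames in it are constructed, and a real check would fetch the domain's RDAP record from its registry and pass the parsed JSON to audit_domain().

```python
# Added example (not CoW's or darkmatter's code): audit a domain's RDAP record for
# the controls the post-mortem names, transfer locks and nameserver delegation.
# The record below is constructed; pass real parsed RDAP JSON in practice.
import json

# RDAP status values (RFC 8056 mapping of the EPP lock codes).
TRANSFER_LOCKS = {"client transfer prohibited", "server transfer prohibited"}
UPDATE_LOCKS = {"client update prohibited", "server update prohibited"}

def audit_domain(record: dict, expected_ns: set) -> list:
    """Return a list of findings; an empty list means both controls look in place."""
    findings = []
    status = {s.lower() for s in record.get("status", [])}
    if not status & TRANSFER_LOCKS:
        findings.append("no transfer lock: a registrar transfer is not blocked")
    if "server transfer prohibited" not in status:
        findings.append("no registry-set transfer lock: registrar action alone can move the domain")
    if not status & UPDATE_LOCKS:
        findings.append("no update lock: contact and nameserver changes are not blocked")
    # Delegation check: any host outside the expected set is a hijack signal.
    seen = {ns["ldhName"].lower().rstrip(".") for ns in record.get("nameservers", [])}
    unexpected = seen - expected_ns
    if unexpected:
        findings.append("unexpected nameservers: " + ", ".join(sorted(unexpected)))
    missing = expected_ns - seen
    if missing:
        findings.append("expected nameservers absent: " + ", ".join(sorted(missing)))
    return findings

# Constructed RDAP-style record: no locks set and nameservers repointed elsewhere.
SAMPLE_RDAP = json.loads("""{
  "ldhName": "example-dex.test",
  "status": ["active"],
  "nameservers": [
    {"ldhName": "ns1.attacker-nameserver.test."},
    {"ldhName": "ns2.attacker-nameserver.test."}
  ]
}""")
EXPECTED_NS = {"ns-1.awsdns-example.test", "ns-2.awsdns-example.test"}

if __name__ == "__main__":
    for finding in audit_domain(SAMPLE_RDAP, EXPECTED_NS):
        print("FINDING:", finding)
```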

cow dao discretionary-grants draft (2026-04-23)

Source: forum.cow.fi thread 3431, published 2026-04-23 19:31 UTC (archive).

On April 23, 2026, CoW core contributors posted a draft forum proposal titled “CIP-DRAFT: Discretionary grants program for victims of the cow.fi domain hijacking”. This is a proposed governance action, not approved policy. The published draft calls for Snapshot voting from April 30 to May 7, claims due by May 14, verification complete by May 21, and discretionary grant payments by May 31 if the proposal passes.

  • Pre-incident CoW usage: the wallet must have traded on CoW Swap at least once before the incident.
  • Incident-linking requirement: the wallet owner must have signed a malicious message or transaction with the specific drainer contract active on the phishing site. The draft does not publish that contract list or matching methodology.
  • KYC requirement: claimants must identify themselves through a KYC process before payment.
  • Claims channel: the draft directs affected users to submit claims to [email protected] with a specified subject line, impacted wallet address, drained assets, and owner name.
  • Seed-phrase exclusion: the draft says it is “not appropriate to refund users who entered their wallet's seed phrase, as this is not behavior that impersonates CoW Swap - or any DEX for that matter.”

The draft frames any payment as voluntary and ex gratia, funded from the Legal Defense Reserve, and conditions payment on a broad settlement of claims arising from this incident.

In a follow-up forum reply published on 2026-04-24 01:30 UTC, CoW contributor marshy said that any proceeds recovered through legal enforcement would first be allocated to victims of this incident who do not qualify for a discretionary grant under the draft, with any further allocation still to be determined.

our loss · methodology

wallet: 0xbBb0514b41De96F47D72DE6e176FAa664aC3aBbb
ens: v.drkmttr.eth
chain: Base + Ethereum mainnet
amount: $563,422 · ETH + USDC
time: 2026-04-14 · 17:36 UTC

transactions

  1. Base USDC: 214,474.83 USDC (~$214,475)
  2. Mainnet ETH: 0.068466 ETH (~$160). Attacker address: 0x000037bB05B2CeF17c6469f4BcDb198826Ce0000 (as of 2026-04-16, labeled by Etherscan as Fake_Phishing188250)
  3. Base ETH: 149.26 ETH (~$348,787)

USD values reflect ETH spot price near drain time; sum matches the $563,422 total above.

Transaction shape. The three listed drain transactions are outward transfers initiated from the victim wallet: one direct ERC-20 transfer(address,uint256) call and two direct native asset transfers with empty calldata, verified against the public transaction hashes listed above. This is not the standard transferFrom-style approval-pull pattern by a third-party spender contract. We note this because CoW's April 23 draft ties grant eligibility to signing with a specific drainer contract, but that contract list is not yet public.
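The distinction drawn above, a direct transfer(address,uint256) or empty-calldata native transfer signed by the victim versus a transferFrom approval-pull executed by a spender contract, can be checked mechanically from transaction calldata. The following is an added example (not darkmatter's or CoW's code); the sample transactions are constructed, only the victim wallet address is from this page, and the attacker, spender and token addresses are placeholders.

```python
# Added example (not darkmatter's or CoW's code): classify outward transfers by
# calldata shape, separating a transfer the victim signed directly from an
# approval-pull executed by a spender contract. The sample transactions are
# constructed; only the victim address is taken from the page.

TRANSFER = "a9059cbb"       # selector of transfer(address,uint256)
TRANSFER_FROM = "23b872dd"  # selector of transferFrom(address,address,uint256)
VICTIM = "0xbbb0514b41de96f47d72de6e176faa664ac3abbb"  # v.drkmttr.eth
PLACEHOLDER = "0x" + "de" * 20  # constructed stand-in for attacker/spender/token

def _word(data: str, i: int) -> str:
    """i-th 32-byte ABI argument (hex) following the 4-byte selector."""
    return data[8 + 64 * i : 8 + 64 * (i + 1)]

def classify(tx: dict, victim: str = VICTIM) -> dict:
    """Describe who signed the transaction and how value left the victim."""
    data = tx["input"].lower().removeprefix("0x")
    sender = tx["from"].lower()
    if data == "":
        # Native ETH with empty calldata: value moves from the tx sender itself.
        return {"shape": "native_transfer", "signed_by_victim": sender == victim,
                "recipient": tx["to"].lower(), "amount": int(tx["value"])}
    sel = data[:8]
    if sel == TRANSFER:
        # transfer(): tokens leave the tx sender, so the holder signed it themselves.
        return {"shape": "erc20_direct_transfer", "signed_by_victim": sender == victim,
                "recipient": "0x" + _word(data, 0)[-40:], "amount": int(_word(data, 1), 16)}
    if sel == TRANSFER_FROM:
        # transferFrom(): a spender pulls against a prior approve(); the holder is
        # an argument, not the sender. This is the approval-pull pattern.
        holder = "0x" + _word(data, 0)[-40:]
        return {"shape": "erc20_approval_pull", "signed_by_victim": sender == victim,
                "pulled_from_victim": holder == victim, "spender": tx["to"].lower(),
                "recipient": "0x" + _word(data, 1)[-40:], "amount": int(_word(data, 2), 16)}
    return {"shape": "other", "selector": sel, "signed_by_victim": sender == victim}

def _abi(*args) -> str:
    """ABI-encode addresses (str) and uints (int) as 32-byte words."""
    return "".join(a[2:].rjust(64, "0") if isinstance(a, str) else format(a, "064x") for a in args)

def sample_transactions() -> list:
    """Constructed: two page-like direct drains and one approval-pull for contrast."""
    return [
        {"from": VICTIM, "to": PLACEHOLDER, "value": "0",  # Base USDC leg (6 decimals)
         "input": "0x" + TRANSFER + _abi(PLACEHOLDER, 214_474_830_000)},
        {"from": VICTIM, "to": PLACEHOLDER, "value": str(14926 * 10**16), "input": "0x"},  # 149.26 ETH
        {"from": PLACEHOLDER, "to": PLACEHOLDER, "value": "0",  # spender pulling from victim
         "input": "0x" + TRANSFER_FROM + _abi(VICTIM, PLACEHOLDER, 10**18)},
    ]
```

Run over the three constructed transactions, the first two come back as direct transfers signed by the victim and the third as an approval-pull, which is the distinction the grant draft's drainer-contract criterion would need to make explicit.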

Context vs. CoW's published total (as of 2026-04-16). In its April 16 post-mortem, CoW DAO estimates total user losses across all affected wallets at approximately $1.2M. Our single-wallet loss of $563,422 represents approximately 47% of that figure as of that date. CoW's loss-aggregation methodology is not published. This page will be updated if CoW revises the denominator or if additional verifiable single-wallet losses surface.

Ranking methodology. Our victim ranking is based on on-chain analysis of attacker-cluster outflows, filtered to exclude known contracts and protocol intermediaries. The methodology is still being refined and will be published here when finalized. Rank language on this page is provisional and will be downgraded immediately if a larger documented single-wallet loss is identified.

Source tables on Dune: gpv2settlement_evt_trade, base.traces, erc20_base.evt_Transfer.

open factual questions

The April 16 post-mortem references several items it does not yet resolve. We list them here as open factual questions for completeness of the record. This page will be updated as CoW DAO or third parties publish answers.

  1. Loss aggregation methodology. The ~$1.2M total user-loss estimate is presented without a published methodology (no attacker-cluster outflow disclosure, no included/excluded address criteria).
  2. Pre-attack notification. The post-mortem confirms a Traficom transfer dispute concerning cow.fi was opened in late March or early April; that Traficom requested clarification from the registrar (Gandi); and that Gandi did not respond by Traficom's April 7 deadline. The post-mortem does not state whether Gandi notified CoW that the dispute had been opened.
  3. Discretionary-grants timeline. CoW has now published a proposed draft timeline for the discretionary-grants track, but the program remains contingent on Snapshot approval and could still change.
  4. Legal-recovery timeline. The post-mortem says legal-recovery proceeds would be allocated toward reimbursing users, but there is still no published timeline for that separate track.
  5. Claims verification methodology. The draft now publishes a claims email and KYC flow, but it does not publish the contract list, wallet-matching methodology, or edge-case handling criteria.
  6. Seed-phrase and direct-control cases. The April 16 post-mortem says the phishing site attempted seed phrase collection as part of the incident. The April 23 draft excludes users who entered seed phrases, arguing this is “not appropriate to refund users who entered their wallet's seed phrase, as this is not behavior that impersonates CoW Swap - or any DEX for that matter.” The published technical or UX basis for that line is not yet explained.
  7. Public chronology of phishing variants. The post-mortem timestamps the fake wallet-unlock modal rollout at approximately 17:49 UTC. darkmatter's listed drain transactions begin at 17:36:39 UTC. It is not public whether an earlier phishing mode also captured wallet control before that modal rollout.
  8. Mandiant review scope. The post-mortem confirms Mandiant has been retained for a security review; it does not state whether the review will cover this specific incident (post hoc) or only forward-looking posture, nor whether the review will be published.
  9. Third-party post-mortems. The post-mortem notes that AWS and Gandi post-mortems have not yet been received. Whether those will be published when received is not stated.

primary sources

press coverage

changelog

  1. Updated the page for the April 23 forum draft discretionary-grants proposal. Added a new timeline entry and reimbursement section covering the proposed Snapshot vote window (April 30-May 7), claims deadline (May 14), target payout date (May 31), published claims/KYC flow, ex gratia framing, and the draft's stated seed-phrase exclusion rationale; added a transaction-shape note to methodology; rewrote stale open questions into separate discretionary-grants vs. legal-recovery tracks; and expanded primary sources to include the forum draft.
  2. Incorporated CoW DAO's April 16 post-mortem. Added pre-attack, Phase-3, and later timeline entries (late-March/Apr-7 Traficom dispute, 12:16 UTC contact-email change, 12:43 UTC transfer-key creation, ~13:38–14:57 UTC phishing window, phishing escalation, fallback-domain pivot, recovery, and post-mortem publication); reframed the 14:54 UTC entry as CoW's originally-cited start time (post-mortem revises to ~13:38 UTC); added a quoted post-mortem section; contextualized our $563,422 loss as ~47% of CoW's published $1.2M total (as of 2026-04-16); added an open-factual-questions section; split coverage into Statements + Press; qualified the "Largest known" loss-rank card; and synced the JSON-LD startDate to 13:38 UTC.
  3. Added the three on-chain drain transactions (Base USDC, Mainnet ETH, Base ETH) with hashes, attacker addresses, amounts, and timestamps verified against Basescan and Etherscan. Loss scope widened from 'on Base' to 'across Base and Ethereum mainnet' to reflect the Mainnet ETH leg.
  4. Record opened. Timeline, loss details, evidence, and press coverage published.

contact [email protected]

© 2026 darkmatter Labs, LLC. This page is a factual record. It will be updated with a stamped changelog entry for any material change.