
swap.cow.fi DNS Hijack

darkmatter's on-chain record of the April 14, 2026 incident.

Amount lost
$563,422
ETH + USDC · Base + Ethereum mainnet
Loss rank
Largest known*
*By our current public-evidence review. Among single-wallet losses we have documented from this incident.
Status
Open
Post-mortem published 2026-04-16. Recovery and disclosure ongoing.

tl;dr

what
On April 14, 2026, CoW Swap's frontend at swap.cow.fi was hijacked via DNS, redirecting users to a wallet drainer. CoW Protocol's backend and smart contracts were not affected.
us
darkmatter's wallet v.drkmttr.eth was drained for $563,422 in ETH and USDC across Base and Ethereum mainnet starting at 17:36 UTC.
scale
We are, by our current public-evidence review, the largest single-wallet victim of this incident — our $563,422 loss is approximately 47% of the ~$1.2M total user losses CoW DAO published in its April 16 post-mortem (as of that date; denominator subject to revision by CoW).
why this page exists
To be the single factual record of our experience — timeline, on-chain evidence, and all third-party coverage in one place.

who we are

darkmatter is a small, technical team that builds on-chain infrastructure, trades at scale, and ships open-source tools for the community. In the 9 months before the hijack, we routed $37.4M through CoW Swap — 646 trades across 36 wallets, all through CoW's native interface. This is our first public communication. We're publishing it because what happens next to our losses, and to the on-chain record, is a matter of public interest. The facts deserve a durable home.

volume routed via cow swap
$37.4M
36 wallets · 646 trades · 9 months · verified from public Dune tables
loss in this incident
$563,422
ETH + USDC · Base + Ethereum mainnet · 17:36 UTC

what happened · timeline (utc)

  1. Pre-attack: Traficom transfer dispute opened (per CoW post-mortem)
    Per CoW DAO's April 16 post-mortem: an attacker impersonating a senior CoW DAO contributor opens a transfer dispute with Traficom (the Finnish .fi registry). Traficom requests clarification from the registrar (Gandi SAS). Gandi does not respond by Traficom's April 7 deadline.
  2. Domain holder contact email changed (Gandi, per Traficom registry log)
    Per CoW's post-mortem citing Traficom registry logs: the cow.fi domain's registered contact email is changed from CoW's legitimate address to an attacker-controlled email. The mechanism by which Gandi was compelled to make this change remains, per the post-mortem, under investigation.
  3. New registrar transfer key created (Gandi, per Traficom registry log)
    Per CoW's post-mortem: Gandi creates a new registrar transfer key for cow.fi.
  4. Phase 3 — domain transfer + phishing deployment (per CoW post-mortem)
    Per CoW's post-mortem ("Phase 3 — Domain transfer and phishing deployment, ~13:38–14:57 UTC"): cow.fi is transferred to NETIM, nameservers are repointed to attacker-controlled Cloudflare, a wildcard Let's Encrypt certificate is issued, and a phishing site mimicking the CoW Swap interface is deployed. The phishing site begins serving from approximately 13:38 UTC — approximately 2 hours and 3 minutes before CoW DAO's first public-alert tweet at ~15:41 UTC.
  5. swap.cow.fi DNS hijacked — CoW DAO's originally-cited start time
    CoW DAO's first public-alert tweet (timestamped ~15:41 UTC; see entry below) cited 14:54 UTC as the hijack start. The April 16 post-mortem subsequently revises this: phishing was actually live from ~13:38 UTC (see Phase 3 entry above).
  6. First public warning (independent researcher)
    Security researcher pcaversaccio flags cow.fi UI / DNS compromise on X and warns users not to interact.
  7. MetaMask Phishing Detection blocks the dapp
    MetaMask confirms phishing-detection block on the CoW Swap frontend; users with MetaMask see a roadblock.
  8. CoW DAO public alert
    CoW DAO tells users to stop interacting with swap.cow.fi. Backend/APIs temporarily paused as precaution.
  9. CoW confirms DNS hijack, asks for approval revocations
    CoW DAO confirms DNS hijacking and asks users to revoke all approvals made on CoW Swap after 14:54 UTC.
  10. darkmatter wallet v.drkmttr.eth drained
    $563,422 in ETH and USDC exits wallet 0xbBb0…aBbb across Base and Ethereum mainnet.
  11. Phishing escalates to seed-phrase / password collection (per CoW)
    Per CoW's post-mortem: the phishing page is updated with fake wallet unlock modals (mimicking Rabby, Coinbase Wallet, etc.) prompting users for seed phrases and passwords.
  12. Fallback domain after NETIM holds cow.fi (swap.cow-s.fo)
    Per CoW's post-mortem: after NETIM places cow.fi on hold, the attacker redirects to swap.cow-s.fo on a Faroe Islands TLD.
  13. cow.fi domain locked by registrar
    CoW team reports swap.cow.fi locked and inaccessible while working with registrar and security partners to assert control.
  14. Domain recovered to AWS account; RegistryLock applied
    Per CoW's post-mortem: cow.fi is restored to CoW's AWS account with a registry-level lock applied at the registrar level — which CoW notes was "previously technically unavailable by AWS Route 53."
  15. CoW DAO publishes post-mortem
    Post-mortem published as an X Article. Key points: supply-chain attack at the .fi registry/registrar interface; RegistryLock not enabled prior to the attack; estimated total user losses ~$1.2M; further compensation beyond legal-recovery proceeds framed as a future CoW DAO governance decision.

cow dao initial alert

CoW DAO tweet: UPDATE — CoW Swap experienced a DNS hijacking at 14:54 UTC. Backend and APIs not impacted but paused as precaution. 279.5K views, Apr 14, 2026.

cow dao post-mortem (2026-04-16)

CoW DAO X Article: POST MORTEM — Cow.fi Domain Hijack. Date April 16, 2026. Status: Published — investigation ongoing. Classification: Supply-chain attack (domain registrar/registry level).

Source: CoWSwap/status/2044924940886163780 → (archive).

The post-mortem confirms the attack vector and the timeline cited above. The most material points, quoted verbatim from the source:

  • Attack location: “occurred entirely within the domain registration supply chain, specifically at the interface between the Finnish domain registry (Traficom) and the registrar (Gandi SAS, selected unilaterally by AWS).”
  • No protocol breach: “our hosted zone, frontend, backend APIs, smart contracts, and all signing infrastructure remained intact and uncompromised throughout the incident.”
  • RegistryLock absent pre-incident: “RegistryLock was not enabled on cow.fi prior to the attack. While it is now enabled post-recovery, the .fi TLD did not support transfer lock (clientTransferProhibited) via AWS Route 53.”
  • Pre-attack dispute window: “The attacker contacted Traficom impersonating a senior contributor related to CoW DAO […]. Traficom opened an investigation and requested clarifications from Gandi, which went unanswered past the April 7 deadline.”
  • Mechanism still unknown at registrar: “How the attacker was able to compel Gandi to perform these actions is still under investigation.”
  • Total user losses estimate: “[B]ased on this analysis, we estimate the likely loss attributable to users at approximately ~$1.2M.”
  • Compensation framing: “Any proceeds recovered through legal enforcement actions against the involved parties will be allocated toward reimbursing users who incurred losses as a result of this incident. Any additional reimbursement measures, beyond funds recovered through legal channels, would be subject to a decision by the CoW DAO governance process.”
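The timeline above and the RegistryLock bullet describe a sequence of registration-level changes (contact email replaced, registrar changed, nameservers repointed, wildcard certificate issued, no transfer lock in place) that a domain owner can watch for independently of the registrar. The following is an added example, not code from darkmatter, CoW DAO, AWS or Gandi: a baseline-drift check that takes an observation of the domain's current registration, DNS and certificate state and reports each deviation. All records are constructed stand-ins; the registrar names and the wildcard Let's Encrypt certificate mirror what the post-mortem reports, while the nameserver hostnames, e-mail addresses, status codes and issuer names are placeholders. A real monitor would fill the observation dict from RDAP, DNS and Certificate Transparency queries.

```python
"""Registration, DNS and certificate drift check against a known-good baseline.

Added illustration (not darkmatter's, CoW DAO's, AWS's or Gandi's code).
Every value below is a constructed stand-in; in production the observation
would be built from RDAP, DNS and CT-log lookups for the monitored domain.
"""
from dataclasses import dataclass, field


@dataclass
class Baseline:
    registrar: str
    registrant_email: str
    nameservers: set
    cert_issuers: set
    # EPP status codes that indicate a transfer lock; any one of them suffices.
    transfer_locks: set = field(
        default_factory=lambda: {"clientTransferProhibited", "serverTransferProhibited"}
    )


def check_domain(obs: dict, base: Baseline) -> list:
    """Return human-readable findings for every deviation; an empty list means no drift."""
    findings = []
    if obs["registrar"] != base.registrar:
        findings.append(f"registrar changed: {base.registrar} -> {obs['registrar']}")
    if obs["registrant_email"] != base.registrant_email:
        findings.append("registrant contact email changed")
    observed_ns = set(obs["nameservers"])
    if observed_ns != base.nameservers:
        findings.append(f"nameservers changed: now {sorted(observed_ns)}")
    if not (base.transfer_locks & set(obs["status"])):
        findings.append(f"no transfer lock present (status={sorted(obs['status'])})")
    for cert in obs["certificates"]:
        names = cert["names"]
        if cert["issuer"] not in base.cert_issuers:
            findings.append(f"certificate from unexpected issuer {cert['issuer']!r} for {names}")
        if any(n.startswith("*.") for n in names):
            findings.append(f"wildcard certificate seen for {names}")
    return findings


# Constructed baseline: the registrar is the one the post-mortem names; everything
# else (nameserver hosts, contact address, CA name) is a placeholder.
BASELINE = Baseline(
    registrar="Gandi SAS",
    registrant_email="domains@example.invalid",
    nameservers={"ns1.baseline.invalid", "ns2.baseline.invalid"},
    cert_issuers={"Baseline CA"},
)

# Constructed healthy observation: registry lock present, nothing changed.
HEALTHY_OBSERVATION = {
    "registrar": "Gandi SAS",
    "registrant_email": "domains@example.invalid",
    "nameservers": ["ns1.baseline.invalid", "ns2.baseline.invalid"],
    "status": ["serverTransferProhibited", "ok"],
    "certificates": [{"issuer": "Baseline CA", "names": ["cow.fi", "swap.cow.fi"]}],
}

# Constructed observation modelled on the post-mortem's Phase 3: registrar now
# NETIM, contact replaced, nameservers repointed, no lock, wildcard LE cert.
HIJACKED_OBSERVATION = {
    "registrar": "NETIM",
    "registrant_email": "attacker@example.invalid",
    "nameservers": ["ns1.hijack.invalid", "ns2.hijack.invalid"],
    "status": ["ok"],
    "certificates": [{"issuer": "Let's Encrypt", "names": ["*.cow.fi", "cow.fi"]}],
}


if __name__ == "__main__":
    for label, obs in (("healthy", HEALTHY_OBSERVATION), ("hijacked", HIJACKED_OBSERVATION)):
        print(label, check_domain(obs, BASELINE) or "no drift")
```

Running the block prints "no drift" for the healthy observation and six findings for the constructed hijack, one per change the post-mortem describes. The check is deliberately stateless: it compares a fresh observation against a stored baseline, so it can be scheduled every few minutes and alert on the first deviation rather than relying on the registrar to notify the owner.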

our loss · methodology

wallet
0xbBb0514b41De96F47D72DE6e176FAa664aC3aBbb
ens
v.drkmttr.eth
chain
Base + Ethereum mainnet
amount
$563,422 · ETH + USDC
time
2026-04-14 · 17:36 UTC

transactions

  1. Base USDC: 214,474.83 USDC · ~$214,475
  2. Mainnet ETH: 0.068466 ETH · ~$160
    attacker
    0x000037bB05B2CeF17c6469f4BcDb198826Ce0000 (as of 2026-04-16, labeled by Etherscan as Fake_Phishing188250)
  3. Base ETH: 149.26 ETH · ~$348,787

USD values reflect ETH spot price near drain time; sum matches the $563,422 total above.

Context vs. CoW's published total (as of 2026-04-16). In its April 16 post-mortem, CoW DAO estimates total user losses across all affected wallets at approximately $1.2M. Our single-wallet loss of $563,422 represents approximately 47% of that figure as of that date. CoW's loss-aggregation methodology is not published. This page will be updated if CoW revises the denominator or if additional verifiable single-wallet losses surface.

Ranking methodology. Our victim ranking is based on on-chain analysis of attacker-cluster outflows, filtered to exclude known contracts and protocol intermediaries. The methodology is still being refined and will be published here when finalized. Rank language on this page is provisional and will be downgraded immediately if a larger documented single-wallet loss is identified.

Source tables on Dune: gpv2settlement_evt_trade, base.traces, erc20_base.evt_Transfer.
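The ranking methodology above (attacker-cluster outflows, filtered to exclude known contracts and protocol intermediaries, aggregated per victim wallet) is described but not yet published. The following is an added example, not darkmatter's method or CoW DAO's code, showing one way to implement that rule over transfer records of the shape the named Dune tables yield. The victim and attacker addresses and the three drain amounts are the ones stated on this page; the transaction hashes, the second cluster address, the intermediary contract, the second victim and the ETH price are constructed placeholders.

```python
"""Attacker-cluster outflow attribution and victim ranking over transfer records.

Added illustration (not darkmatter's published method, which is not yet public).
Rule applied: count a transfer only if it lands in the attacker cluster, did not
originate inside the cluster, and did not originate from a known contract or
protocol intermediary; then aggregate per sending wallet and rank by USD.
"""
from collections import defaultdict
from decimal import Decimal

# Page-stated addresses (compared case-insensitively).
VICTIM = "0xbBb0514b41De96F47D72DE6e176FAa664aC3aBbb".lower()
ATTACKER = "0x000037bB05B2CeF17c6469f4BcDb198826Ce0000".lower()
# Constructed placeholders.
SWEEP = "0x" + "a" * 40          # second cluster address the attacker sweeps into
ROUTER = "0x" + "c" * 40         # protocol intermediary contract, not a victim
OTHER_VICTIM = "0x" + "d" * 40   # a smaller constructed victim wallet

ATTACKER_CLUSTER = {ATTACKER, SWEEP}
KNOWN_INTERMEDIARIES = {ROUTER}
PRICES = {"ETH": Decimal("2336.78"), "USDC": Decimal("1")}  # constructed spot prices

# Constructed records; the three page-stated drain legs come first.
TRANSFERS = [
    {"chain": "base", "tx": "0xTX_PLACEHOLDER_1", "from": VICTIM, "to": ATTACKER, "asset": "USDC", "amount": "214474.83"},
    {"chain": "ethereum", "tx": "0xTX_PLACEHOLDER_2", "from": VICTIM, "to": ATTACKER, "asset": "ETH", "amount": "0.068466"},
    {"chain": "base", "tx": "0xTX_PLACEHOLDER_3", "from": VICTIM, "to": ATTACKER, "asset": "ETH", "amount": "149.26"},
    {"chain": "base", "tx": "0xTX_PLACEHOLDER_4", "from": OTHER_VICTIM, "to": SWEEP, "asset": "USDC", "amount": "1000"},
    {"chain": "base", "tx": "0xTX_PLACEHOLDER_5", "from": ROUTER, "to": ATTACKER, "asset": "ETH", "amount": "10"},
    {"chain": "base", "tx": "0xTX_PLACEHOLDER_6", "from": ATTACKER, "to": SWEEP, "asset": "ETH", "amount": "149"},
]


def attribute_outflows(transfers, cluster, intermediaries, prices):
    """Aggregate inflows to the cluster per victim wallet and rank by USD value."""
    per_victim = defaultdict(lambda: defaultdict(Decimal))
    for t in transfers:
        src, dst = t["from"].lower(), t["to"].lower()
        if dst not in cluster:          # not an inflow to the attacker
            continue
        if src in cluster:              # internal sweep between attacker addresses
            continue
        if src in intermediaries:       # contract or protocol hop, not a victim
            continue
        per_victim[src][(t["chain"], t["asset"])] += Decimal(t["amount"])
    ranked = []
    for victim, legs in per_victim.items():
        usd = sum((amt * prices[asset] for (_, asset), amt in legs.items()), Decimal(0))
        ranked.append({"victim": victim, "usd": usd.quantize(Decimal("0.01")), "legs": dict(legs)})
    ranked.sort(key=lambda r: r["usd"], reverse=True)
    return ranked


def share_of_published_total(usd: Decimal, published_total: Decimal) -> Decimal:
    """Whole-percent share of a published aggregate loss figure."""
    return (usd / published_total * 100).quantize(Decimal("1"))


if __name__ == "__main__":
    for rank, row in enumerate(attribute_outflows(TRANSFERS, ATTACKER_CLUSTER, KNOWN_INTERMEDIARIES, PRICES), 1):
        print(rank, row["victim"], row["usd"], share_of_published_total(row["usd"], Decimal("1200000")), "%")
```

With the constructed price the three page-stated legs sum to about $563,422, and the share against the $1.2M denominator rounds to 47%, matching the figures on this page. The two exclusions are what keep the ranking honest: a sweep between attacker addresses would otherwise count the same funds twice, and a protocol contract forwarding funds would appear as a "victim" even though the real sender sits one hop earlier.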

open factual questions

The April 16 post-mortem references several items it does not yet resolve. We list them here as open factual questions for completeness of the record. This page will be updated as CoW DAO or third parties publish answers.

  1. Loss aggregation methodology. The ~$1.2M total user-loss estimate is presented without a published methodology (no attacker-cluster outflow disclosure, no included/excluded address criteria).
  2. Pre-attack notification. The post-mortem confirms a Traficom transfer dispute concerning cow.fi was opened in late March or early April; that Traficom requested clarification from the registrar (Gandi); and that Gandi did not respond by Traficom's April 7 deadline. The post-mortem does not state whether Gandi notified CoW that the dispute had been opened.
  3. Compensation timeline. The post-mortem commits to allocating legal-recovery proceeds to user reimbursement and references a future CoW DAO governance process for anything beyond. No timeline is published for either track.
  4. Victim outreach. The post-mortem does not describe a structured claims process or direct outreach to identifiable victims.
  5. Mandiant review scope. The post-mortem confirms Mandiant has been retained for a security review; it does not state whether the review will cover this specific incident (post hoc) or only forward-looking posture, nor whether the review will be published.
  6. Third-party post-mortems. The post-mortem notes that AWS and Gandi post-mortems have not yet been received. Whether those will be published when received is not stated.

statements from cow dao

press coverage

changelog

  1. Incorporated CoW DAO's April 16 post-mortem. Added pre-attack, Phase-3, and later timeline entries (late-March/Apr-7 Traficom dispute, 12:16 UTC contact-email change, 12:43 UTC transfer-key creation, ~13:38–14:57 UTC phishing window, phishing escalation, fallback-domain pivot, recovery, and post-mortem publication); reframed the 14:54 UTC entry as CoW's originally-cited start time (post-mortem revises to ~13:38 UTC); added a quoted post-mortem section; contextualized our $563,422 loss as ~47% of CoW's published $1.2M total (as of 2026-04-16); added an open-factual-questions section; split coverage into Statements + Press; qualified the "Largest known" loss-rank card; and synced the JSON-LD startDate to 13:38 UTC.
  2. Added the three on-chain drain transactions (Base USDC, Mainnet ETH, Base ETH) with hashes, attacker addresses, amounts, and timestamps verified against Basescan and Etherscan. Loss scope widened from 'on Base' to 'across Base and Ethereum mainnet' to reflect the Mainnet ETH leg.
  3. Record opened. Timeline, loss details, evidence, and press coverage published.

contact [email protected]

© 2026 darkmatter Labs, LLC. This page is a factual record. It will be updated with a stamped changelog entry for any material change.