DEV Community

MonstaDomains

How a Domain Hijacking Attack Stole Millions in Crypto

Originally published at https://monstadomains.com/blog/domain-hijacking-attack/

It took no malware. No zero day. No clever smart contract exploit. In April 2026, attackers walked off with roughly 1.2 million dollars in cryptocurrency using little more than forged paperwork and a polite request to a government regulator. This was a domain hijacking attack in its purest form, and it should unsettle anyone who owns a domain worth stealing. The target was CoW Swap, a well known decentralised exchange, and the weapon was the blind trust that registries and registrars place in identity documents.

A Domain Hijacking Attack That Needed No Code

On 14 April 2026, the team behind CoW Swap noticed that their cow.fi domain was resolving in ways it should not have been. Within hours, visitors to the official address were being served a pixel perfect clone built to drain their wallets. The fake frontend stayed live for roughly four and a half hours before control was clawed back.

By then the damage was done. On chain data showed at least 1.2 million dollars gone, including 219 ETH lifted from a single wallet. No CoW Swap server was breached. No code was rewritten. The entire domain hijacking attack played out at the registration layer, the one part of the stack most owners never think about until it is too late.

What makes the timeline so striking is how mundane each step was. There was no alarm, no ransom note, no obvious intrusion to detect. For those four and a half hours the site looked entirely normal to anyone who did not inspect the certificate or the underlying records. A domain hijacking attack does its worst work in plain sight, wearing the victim’s own brand while it empties their users’ wallets.

How Attackers Turned a Regulator Into a Weapon

The mechanics matter, because they are repeatable. This was not a smash and grab against a vulnerable web server. It was a patient abuse of the administrative process that sits behind every domain name on the internet.

The forged identity documents

The attacker impersonated a senior CoW DAO contributor and submitted falsified identification documents to Traficom, the Finnish Communications Regulatory Authority that operates the .fi registry. A domain hijacking attack like this does not begin with a hacker hunched over a terminal. It begins with a paperwork submission convincing enough to pass a human reviewer, who then triggers the official dispute machinery on the attacker’s behalf.

The registrar that went silent

Traficom raised a dispute against Gandi, the registrar holding cow.fi. When Gandi did not respond inside the allotted window, the dispute resolved in the attacker’s favour and control of the domain changed hands. The domain hijacking attack succeeded not because a system was technically broken, but because a human process timed out. A missed email was all it took to reroute a multimillion dollar exchange.

What This Domain Hijacking Attack Reveals About Identity

Here is the uncomfortable lesson buried in this incident. The systems meant to prove who owns a domain are far weaker than the people who run them like to admit. Identity documents are theatre. A scan of a passport or a company letter can be forged, borrowed, or fabricated, and the reviewer on the other end has neither the time nor the tools to tell the difference.

A domain hijacking attack of this kind exposes the central flaw of identity based ownership. When your control over an asset rests on a regulator believing a document, your security is only as strong as that regulator’s worst day. The cow.fi case shows that adding more identity checks does not make a system safer. It simply hands attackers a clearer script to follow.

There is a deeper irony here for anyone who has been told that mandatory identity verification keeps the internet safe. The cow.fi case shows the opposite. The more a system depends on collected documents to decide ownership, the more valuable and forgeable those documents become. A domain hijacking attack does not defeat that model from the outside. It walks straight through the front door the model built.

This is why the privacy community has long argued that proof of identity is a poor substitute for proof of control. A cryptographic key cannot be socially engineered. A submitted PDF can. The domain hijacking attack on CoW Swap is a textbook demonstration of that gap.

[Image: forged identity documents used to seize a crypto exchange domain]

Why Registry Lock Was the Missing Defence

The single control that would most likely have stopped this domain hijacking attack is one most owners have never enabled. Registry lock places a manual, out of band hold on a domain at the registry level, so that no transfer or change can proceed without a deliberate, verified release. It turns a silent administrative action into a process that demands human confirmation from the rightful owner.

CoW DAO applied registry lock only after the attack, and notably it had not been available through their setup beforehand. According to reporting from Domain Name Wire, only around 70 percent of the top domains use registry lock at all. That leaves a vast number of high value names defended by nothing more than an unread dispute notice and a registrar’s reaction time.

Registry lock is not a silver bullet, but it is the rare control that defends against exactly the weakness this incident exposed. Because the release requires verified, manual action, a forged document alone cannot move the domain. Pairing it with two factor authentication on the registrar account and DNSSEC closes several of the side doors that a domain hijacking attack typically relies on.

The Wider 2026 Wave of Crypto Frontend Hijacks

The CoW Swap incident is not an outlier. It fits a pattern that has defined 2026, where attackers skip the hardened smart contracts entirely and go after the soft target: the domain that points users to them. Why fight audited code when you can simply own the address bar?

We have seen the same logic play out elsewhere. Earlier coverage of crypto wallet drains showed how seizing a domain lets criminals harvest funds from trusting users at scale. The same is true of state linked DNS hijacking, where the registration and resolution layers, not the application, become the battlefield. A domain hijacking attack is now a preferred opening move precisely because it bypasses everything the defender spent money protecting.

The economics explain the shift. Auditing and exploiting a modern smart contract can take weeks of specialised work, while convincing a tired administrator to approve a transfer can take an afternoon. From the attacker’s perspective, a domain hijacking attack offers a better return on effort than almost any technical exploit. As long as registration systems lean on human judgement and forgeable documents, that calculus will not change.

Digital rights groups have warned about this exposure for years. The Electronic Frontier Foundation has repeatedly stressed that centralised choke points, including domain control, are where pressure and abuse concentrate. The cow.fi domain hijacking attack proves that warning was not abstract.

How Domain Owners Should Respond to a Domain Hijacking Attack

The takeaway is not to panic, but to treat the registration layer as critical infrastructure. Enable registry lock on any domain you cannot afford to lose, and confirm your registrar actually offers it. Lock the door before someone tries the handle.

Audit your contact records next. The dispute email that decided the cow.fi domain hijacking attack went unanswered, so make sure the address on file is monitored daily and not a forgotten inbox. Reduce the personal data that attackers can mine to impersonate you by keeping strong WHOIS privacy protection active, since exposed registrant details are raw material for social engineering. A privacy first registrar such as MonstaDomains that does not hoard identity documents in the first place gives attackers far less to forge.

Set up independent monitoring as well. Free tools can alert you the moment your domain’s nameservers or registrar records change, which would have flagged the cow.fi takeover long before four and a half hours had passed. Speed is everything once a domain hijacking attack is underway, and the owner who notices in minutes keeps options the owner who notices in hours has already lost.

Finally, separate your domain registrar from your DNS provider where you can, and review who holds the keys. A domain hijacking attack thrives on single points of failure, so removing them is the most durable defence you have.
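The monitoring step above, and the registry lock check before it, can be automated with a small baseline-and-diff script. The following is an added example, not code from the original post or from MonstaDomains. It assumes the registry's RDAP service exposes the usual EPP status flags (a registry lock normally shows up as the "server transfer prohibited" / "server update prohibited" / "server delete prohibited" statuses) and that the nameserver list comes from a separate resolver query; the function names, the snapshot format, the `rdap.org` redirector for live lookups and all registrar, nameserver and status values in the sample records are constructed for illustration.

```python
"""Registration-layer monitor: snapshot a domain's registrar, RDAP status
flags and delegated nameservers, then diff against a known-good baseline.
Added example, not code from the original post or from MonstaDomains; the
function names, snapshot format and sample records are constructed."""
import json
from urllib.request import urlopen

# RDAP spellings (RFC 8056) of the EPP server* statuses a registry sets when
# a registry lock is in force.  If none is present, nothing at the registry
# level stands between a transfer request and a change of ownership.
SERVER_LOCK_STATUSES = {
    "server transfer prohibited",
    "server update prohibited",
    "server delete prohibited",
}


def fetch_rdap(domain):
    """Live lookup through the rdap.org redirector (needs network; the
    offline demo below does not call it).  Pair it with a resolver query
    for the NS record set."""
    with urlopen(f"https://rdap.org/domain/{domain}", timeout=10) as resp:
        return json.load(resp)


def snapshot_from_rdap(rdap, nameservers):
    """Reduce an RDAP domain object plus an observed NS list to the three
    fields worth alerting on: registrar, status flags, nameservers."""
    registrar = None
    for entity in rdap.get("entities", []):
        if "registrar" in entity.get("roles", []):
            # vcardArray is ["vcard", [[name, params, type, value], ...]]
            for prop in entity.get("vcardArray", ["vcard", []])[1]:
                if prop[0] == "fn":
                    registrar = prop[3]
    return {
        "registrar": registrar,
        "status": sorted(rdap.get("status", [])),
        "nameservers": sorted(ns.lower().rstrip(".") for ns in nameservers),
    }


def diff_snapshot(baseline, observed):
    """Return one alert string per change that matters for hijack detection."""
    alerts = []
    if observed["registrar"] != baseline["registrar"]:
        alerts.append(
            f"registrar changed: {baseline['registrar']!r} -> {observed['registrar']!r}")
    base_ns, obs_ns = set(baseline["nameservers"]), set(observed["nameservers"])
    if base_ns != obs_ns:
        alerts.append(
            f"nameservers changed: added {sorted(obs_ns - base_ns)}, "
            f"removed {sorted(base_ns - obs_ns)}")
    removed_locks = (set(baseline["status"]) & SERVER_LOCK_STATUSES) - set(observed["status"])
    if removed_locks:
        alerts.append(f"registry lock status removed: {sorted(removed_locks)}")
    if not set(observed["status"]) & SERVER_LOCK_STATUSES:
        alerts.append("no server-side lock status present")
    return alerts


# --- constructed sample data (not real registrars, nameservers or records) --
BASELINE = {
    "registrar": "Example Registrar Ltd",
    "status": sorted([
        "client transfer prohibited",
        "server transfer prohibited",
        "server update prohibited",
    ]),
    "nameservers": ["ns1.example-dns.net", "ns2.example-dns.net"],
}


def _rdap_stub(registrar_name, statuses):
    """Build a minimal RDAP-shaped document for the offline demo."""
    return {
        "status": list(statuses),
        "entities": [{
            "roles": ["registrar"],
            "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                     ["fn", {}, "text", registrar_name]]],
        }],
    }


HEALTHY_RDAP = _rdap_stub("Example Registrar Ltd", BASELINE["status"])
HIJACKED_RDAP = _rdap_stub("Another Registrar Oy", ["client transfer prohibited"])
HIJACKED_NS = ["NS1.attacker-dns.example.", "ns2.attacker-dns.example"]


def check(baseline, rdap, nameservers):
    """One monitoring pass: snapshot, diff, return alerts (empty = all clear)."""
    return diff_snapshot(baseline, snapshot_from_rdap(rdap, nameservers))


if __name__ == "__main__":
    print("healthy:", check(BASELINE, HEALTHY_RDAP, BASELINE["nameservers"]))
    for alert in check(BASELINE, HIJACKED_RDAP, HIJACKED_NS):
        print("ALERT:", alert)
```

Run on a schedule, the script turns the four-and-a-half-hour window described above into a minutes-long one: a registrar change, a nameserver swap or a vanished server lock each produce a distinct alert, and the last check fires continuously for any domain that has no registry lock at all, which is the configuration the article says most high value names are still in.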

The Bottom Line

The cow.fi heist is a warning written in stolen ETH. A domain hijacking attack does not need to break your code when it can break your paperwork, and the identity checks meant to protect you are the very mechanism attackers exploit. Registry lock, monitored contacts, and minimal exposed data are not optional extras. They are the difference between owning your name and watching someone else wear it.

If you want a registrar built around control rather than collected identity, MonstaDomains takes anonymous domain registration seriously and keeps your paperwork out of the attack surface entirely.
