A $1.2 million drain on April 14 — executed entirely at the registrar level, without touching a single smart contract — illustrates that the crypto stack's weakest link is often decades older than the blockchain.
| Time (UTC) | Event |
|---|---|
| 14:37 | cowswap.fi registrar compromised via SIM swap |
| 14:51 | Nameservers changed to attacker-controlled tenant |
| 15:12 | Malicious lookalike frontend goes live |
| 15:48 | First victim loses funds through spoofed approval |
| 16:55 | Registrar freeze applied; nameservers restored |
| 17:30 | Warning posted; loss estimated at ~$1.2M |
The compromise began with a SIM-swap on a team member who held the administrative email for the registrar account. Once attackers controlled that email, they reset the password, changed nameservers, and pointed the domain at a malicious Cloudflare tenant hosting a pixel-perfect clone of CoW Swap's real frontend. Users saw the legitimate URL, the legitimate HTTPS certificate, and a UI matching CoW Swap's real design. The only difference was the smart-contract address behind the approve() calls.
Tracked DNS-based attacks on crypto frontends have risen every year since 2021, reaching 29 incidents in 2025 and 11 in the first four months of 2026. High-profile targets include Curve Finance (twice), Balancer, and several major NFT marketplace frontends. The crypto stack will depend on DNS for as long as users load protocol interfaces through web browsers.
Several protocols have begun exploring on-chain frontend commitments as a structural answer. Uniswap, Aave and Lido all publish a content hash for their canonical production frontend to a smart contract; wallets that support the extension can check the hash of the served page before allowing approvals.
The attacks described in this article exploit gaps that pre-signature transaction monitoring is built to close. Web3Firewall evaluates 100+ risk signals before a transaction reaches the blockchain — enforcing policy controls at the only moment intervention is actually possible.
Real crypto news, market data, and analysis — free to your inbox every weekday at 7am.
No spam. Unsubscribe anytime. Sent to admin@coinhubtoday.com
The definitive source for cryptocurrency news, market data, press releases, and product reviews — trusted by professionals worldwide.
CoinHub Today is an independent media organisation and does not provide investment, financial, or legal advice. All content is for educational purposes only. Cryptocurrency investments involve substantial risk. Past performance is not indicative of future results. Always consult a qualified financial adviser before investing.