CoW DAO says someone tricked the domain registry, leading to a domain hijack.

The cryptocurrency platform CoW Swap said a domain name hijack led to a phishing attack this week.
In a post-mortem on the event, the group said that someone tricked the .fi domain registry, Traficom, into transferring the domain. The .fi extension is the country code for Finland.
Cow.fi was registered through Amazon Route 53, which in turn used Gandi to register the domain. According to the CoW DAO:
An attacker socially engineered the .fi domain registration system. Impersonating a senior contributor related to CoW DAO, they submitted falsified identification documents to Traficom (the Finnish Communications Regulatory Authority, which operates the .fi TLD registry), which led to a dispute process being raised against the registrar.
According to the DAO, Gandi did not respond to the dispute, which led to the attacker gaining access to the domain.
Now that the attack has been resolved, CoW has added .fi’s registry lock to its domain. It said using registry lock was not possible through Amazon Route 53 before the attack.
Any business with an important domain name should use a registry lock service, which creates manual authentication processes before a domain can be changed. That said, only 70% of top domains used registry lock, according to a DNW analysis in October 2025.
It’s a bit disturbing that the registry itself was tricked, raising concerns about whether that could happen with its registry lock service, too.
Crypto projects are susceptible to attack, and all crypto platforms should use a top-level domain and registrar that offer registry lock.
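One way to audit a domain portfolio for registry lock, as an added example that is not from the article or from CoW DAO: it classifies RDAP domain records by whether the registry-set "server ... prohibited" statuses are present, as opposed to the registrar-set "client ..." ones. The sample records and domain names are constructed, and it is an assumption that a given registry (including .fi) exposes its lock through these RDAP status values.

```python
import json

# RDAP status strings (RFC 8056 maps EPP status codes to these values).
# "server ..." statuses are set by the registry; "client ..." by the registrar.
REGISTRY_LOCK = {
    "server transfer prohibited",
    "server update prohibited",
    "server delete prohibited",
}
REGISTRAR_LOCK = {
    "client transfer prohibited",
    "client update prohibited",
    "client delete prohibited",
}

def lock_report(rdap_doc):
    """Classify one parsed RDAP domain object by the lock layer it shows."""
    status = {s.strip().lower() for s in rdap_doc.get("status", [])}
    missing = sorted(REGISTRY_LOCK - status)
    if not missing:
        level = "registry-locked"
    elif status & REGISTRY_LOCK:
        level = "partial-registry-lock"
    elif status & REGISTRAR_LOCK:
        level = "registrar-lock-only"   # the registrar alone can lift this
    else:
        level = "unlocked"
    name = rdap_doc.get("ldhName", "?").lower()
    return {"domain": name, "level": level, "missing": missing}

def audit(rdap_docs):
    """Return a report for every domain lacking the full registry lock."""
    reports = (lock_report(d) for d in rdap_docs)
    return [r for r in reports if r["level"] != "registry-locked"]

# Constructed sample records (not real RDAP responses).
SAMPLE = json.loads("""[
  {"ldhName": "locked.example", "status": [
     "client transfer prohibited", "server transfer prohibited",
     "server update prohibited", "server delete prohibited"]},
  {"ldhName": "registrar-only.example",
   "status": ["client transfer prohibited"]},
  {"ldhName": "open.example", "status": ["active"]}
]""")

if __name__ == "__main__":
    for r in audit(SAMPLE):
        print(f'{r["domain"]}: {r["level"]} (missing: {", ".join(r["missing"])})')
```
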



