Cos(余弦)😶‍🌫️
Cos(余弦)😶‍🌫️|4月 17, 2026 01:54
Checked it out, and the post-mortem details of the CoW Swap domain hijacking this time are pretty interesting. It’s a classic example of a supply chain attack. In short: the attacker impersonated a senior contributor of CoW DAO and submitted forged documents to the .fi registry Traficom, triggering a dispute process. This led Gandi (the actual registrar for .fi domains via AWS Route 53) to change the domain owner’s email and transfer the domain, resulting in the DNS being hijacked and redirected to the attacker’s server. They then implanted phishing scripts, causing affected users to lose ~$1.2M. Here’s the supply chain breakdown: - Traficom → Official registry for .fi top-level domains - Gandi SAS → Actual registrar (used as a “proxy” by AWS) - AWS Route 53 → CoW’s unified entry point + DNS hosting provider CoW DAO only interacted with AWS Route 53, but the attacker didn’t directly target AWS Route 53. Instead, they used social engineering to exploit supply chain links at Traficom and Gandi. The attacker’s forged documents, company registration records, AWS support chat logs, and financial documents were all fake, created using AI-generated forgery techniques.
Share To

HotFlash

APP

X

Telegram

Facebook

Reddit

CopyLink

Hot Reads