
The eth.limo gateway from ENS to the Web was hit by DNS hijacking on the evening of April 17, and subsequent analysis showed that the attacker impersonated a member of the eth.limo team to trick the domain registrar EasyDNS into executing an account recovery process. EasyDNS CEO Mark Jeftovic publicly admitted that this was the first successful social engineering attack against customers in the company’s 28-year history.
According to the post-incident analysis and an EasyDNS official blog post, the timeline of the entire attack is as follows: at 7:07 PM Eastern Time on April 17, the attacker impersonated a member of the eth.limo team and tricked EasyDNS into executing the account recovery process. At 2:23 AM Eastern Time on April 18, the attacker switched the eth.limo domain name servers to Cloudflare, triggering an automatic downtime alert that woke up the eth.limo team; at 3:57 AM, the name servers were switched again to Namecheap; and by 7:49 AM, EasyDNS restored the eth.limo team’s account access permissions.
During the incident, Vitalik Buterin warned users to avoid using all eth.limo links and instead access the content directly via IPFS. He confirmed on Saturday that the issue had been fully resolved.
The attacker attempted to redirect traffic to phishing infrastructure through eth.limo’s wildcard domain (*.eth.limo), with a potential impact scope covering more than 2 million ENS .eth domains, including Vitalik Buterin’s personal blog vitalik.eth.limo.
However, because the attacker never obtained the DNSSEC signing key for eth.limo, when the resolver compared the attacker’s new name server response with the legitimate DS records cached from the parent zone, the trust chain broke. The resolver returned a SERVFAIL error instead of a malicious redirect. “DNSSEC may have reduced the scope of the hijacking incident’s impact. At this time, we have not found any impact on users,” the eth.limo team said in its report.
This incident is the latest case in a recent series of attacks against crypto front ends at the domain registrar level: in November 2024, the attacker hijacked the NameSilo account and stripped DNSSEC, causing users of the DEX Aerodrome and Velodrome to lose more than $700k; on March 30 of this year, the OVH customer support for Steakhouse Financial was targeted by a social engineering attack that tricked it into disabling account two-factor authentication, briefly bringing the cloned website online; later the same month, the revenue platform Neutrl also suffered a similar incident.
Ironically, eth.limo had previously provided emergency support in the November Aerodrome hijacking event and was widely seen as a top decentralized failover option during DeFi front-end downtime. After the incident was resolved, eth.limo planned to migrate to Domainsure under EasyDNS—this service is for enterprise customers and does not provide any account recovery mechanism, fundamentally eliminating the entry point for social engineering attacks of this kind.
Vitalik has long argued that Ethereum’s reliance on centralized DNS resolution is a “step back in trust,” and has urged developers to guide users toward direct IPFS access in 2026.
eth.limo is a free, open-source reverse proxy that lets users add “.limo” after any .eth domain and access ENS-related content deployed on IPFS, Arweave, or Swarm through a standard browser. Its wildcard DNS records cover roughly 2 million .eth domains registered via ENS, making it one of the most widely used Web2 access bridges in the ENS ecosystem.
DNSSEC encrypts and digitally signs DNS records, allowing validating resolvers to reject responses that are unsigned or signed incorrectly. Because the attacker never obtained the DNSSEC signing key for eth.limo, their malicious changes to the domain name servers could not pass trust-chain validation. The resolver returned a SERVFAIL error instead of a malicious redirect, effectively stopping a potential large-scale phishing attack.
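The check that saved eth.limo is the DS-to-DNSKEY match at the zone cut, so the following added example (not eth.limo or EasyDNS code) reproduces it: the parent zone's DS record is a SHA-256 digest of the child's key-signing key, a validating resolver only trusts a child DNSKEY whose digest matches, and a registrar-level change of name servers does not touch that DS. Note that DNSSEC authenticates records with signatures and does not encrypt them; the key bytes below are constructed placeholders, and RRSIG verification is omitted so the example stays focused on the delegation decision. The last scenario also covers the Aerodrome case from earlier in the article, where the DS itself was stripped.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner: str, rdata: bytes) -> bytes:
    """DS digest type 2 (SHA-256) over owner-name wire form || DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).digest()

def validate_delegation(owner, parent_ds, child_dnskeys):
    """Decide the delegation's status as a validating resolver would.
    parent_ds: (key_tag, algorithm, digest) tuples held by the parent zone;
    child_dnskeys: DNSKEY RDATA served by the child's current name servers."""
    if not parent_ds:
        return "INSECURE"  # no DS: unsigned child, answers are accepted unverified
    for tag, alg, digest in parent_ds:
        for rdata in child_dnskeys:
            if key_tag(rdata) == tag and rdata[3] == alg and ds_digest(owner, rdata) == digest:
                return "SECURE"
    return "BOGUS"  # DS present but no matching KSK: the resolver returns SERVFAIL

# Constructed key material (not real eth.limo keys); algorithm 13 = ECDSAP256SHA256.
ZONE = "eth.limo"
LEGIT_KSK = dnskey_rdata(257, 13, bytes(range(64)))
ATTACKER_KSK = dnskey_rdata(257, 13, bytes(range(64, 128)))
PARENT_DS = [(key_tag(LEGIT_KSK), 13, ds_digest(ZONE, LEGIT_KSK))]

def scenarios():
    """Outcomes for the legitimate zone and three hijack variants."""
    return {
        "legitimate": validate_delegation(ZONE, PARENT_DS, [LEGIT_KSK]),
        # NS switched to attacker-controlled servers that serve no DNSKEY at all
        "hijacked_unsigned": validate_delegation(ZONE, PARENT_DS, []),
        # attacker signs the zone with their own key: the DS in .limo never matches
        "hijacked_attacker_key": validate_delegation(ZONE, PARENT_DS, [ATTACKER_KSK]),
        # registrar-level takeover that also removes the DS (the Aerodrome pattern)
        "ds_stripped": validate_delegation(ZONE, [], [ATTACKER_KSK]),
    }
```

Running `scenarios()` shows why changing name servers alone yields SERVFAIL (BOGUS) while removing the DS silently downgrades the zone to INSECURE, which is the outcome registrar accounts must be hardened against.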
This incident once again confirms the most fundamental security contradiction for crypto front ends: smart contracts are decentralized, but the Web2 domain layer that users access still relies on centralized domain registrars, and the latter’s customer support processes are a weak link. The design of Domainsure “does not support account recovery” is one of the most direct defensive measures currently in the industry against this type of social engineering attack, but it also means that account holders must ensure secure backup of their private keys.