Key Takeaways
- A sophisticated social engineering scheme enabled hackers to deceive EasyDNS staff and gain unauthorized control of eth.limo’s domain account
- Between 2am and 4am EDT on April 18, malicious actors modified the domain’s nameservers on two separate occasions before legitimate access was recovered
- DNS Security Extensions (DNSSEC) successfully prevented actual harm by invalidating the hijacker’s unauthenticated DNS records
- In a public statement, EasyDNS’s CEO acknowledged the breach as the first successful social engineering compromise in the company’s nearly three-decade history
- The eth.limo platform is transitioning to Domainsure, an enterprise-grade service that eliminates account recovery features to prevent similar exploits
On Friday evening, the Ethereum Name Service gateway eth.limo fell victim to a domain hijacking incident after malicious actors successfully executed a social engineering operation against EasyDNS, the platform’s domain registrar.
The perpetrator assumed the identity of a legitimate eth.limo team representative and initiated what appeared to be a standard account recovery request with EasyDNS on April 17 at 7:07 p.m. EDT. Within hours, at 2:23 a.m. EDT the following day, the malicious party successfully redirected eth.limo’s nameservers to Cloudflare’s infrastructure. A second modification occurred at 3:57 a.m. EDT when the nameservers were switched to Namecheap.
The authorized team regained control of their account at 7:49 a.m. EDT on April 18, bringing the approximately five-hour compromise window to a close.
The eth.limo service functions as a critical bridge connecting conventional web browsers to Ethereum Name Service addresses. The platform supports approximately 2 million .eth addresses, including the personal website of Ethereum co-creator Vitalik Buterin, accessible at vitalik.eth.limo.
Had the hijacking fully succeeded, attackers could have systematically redirected visitors from any .eth website to fraudulent phishing destinations. On Friday, Buterin cautioned his social media audience to temporarily avoid all eth.limo links and recommended accessing content through IPFS as an alternative.
DNSSEC’s Critical Role in Mitigating the Breach
The attacker failed to obtain eth.limo’s DNSSEC cryptographic signing keys. These keys are essential for generating authenticated signatures that validate DNS records.
When DNS resolvers attempted to verify the altered nameserver information, they detected a mismatch with the legitimate cryptographic signatures. Rather than routing traffic to the attacker’s malicious infrastructure, the resolvers generated error responses.
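The delegation check behind that fail-closed behaviour, as an added example (not code from eth.limo or EasyDNS): a validating resolver compares the DS record published in the parent zone with the DNSKEY the nameservers actually serve. The keys are constructed samples, `delegation_status` and the scenario names are hypothetical, RRSIG verification is left out, and the last scenario goes beyond this incident to show a delegation with no DS at the parent.

```python
import hashlib
import struct

def wire_name(name):
    """Canonical (lowercase) DNS wire format of an owner name."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    """Key tag from RFC 4034 Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_digest(owner, rdata):
    """Digest type 2 (SHA-256) over owner name + DNSKEY RDATA."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest()

def delegation_status(owner, parent_ds, served_dnskeys):
    """Classify the DS -> DNSKEY link only; RRSIG checks are out of scope here."""
    if not parent_ds:
        return "insecure"  # no DS at the parent: answers are accepted unvalidated
    for rdata in served_dnskeys:
        if (key_tag(rdata), ds_digest(owner, rdata)) in parent_ds:
            return "secure"
    return "bogus"  # DS published but no served key matches: resolver fails closed

# Constructed sample keys (32 bytes, the Ed25519 key size; algorithm 15, KSK flags 257)
LEGIT = dnskey_rdata(257, 15, hashlib.sha256(b"constructed legitimate key").digest())
ROGUE = dnskey_rdata(257, 15, hashlib.sha256(b"constructed attacker key").digest())
ZONE = "eth.limo"
PARENT_DS = [(key_tag(LEGIT), ds_digest(ZONE, LEGIT))]  # what the parent zone publishes

SCENARIOS = {
    "original nameservers": (PARENT_DS, [LEGIT]),
    "new nameservers, unsigned zone": (PARENT_DS, []),
    "new nameservers, attacker's own key": (PARENT_DS, [ROGUE]),
    "DS removed at the parent": ([], [ROGUE]),
}

def run():
    return {name: delegation_status(ZONE, ds, keys) for name, (ds, keys) in SCENARIOS.items()}

if __name__ == "__main__":
    for name, status in run().items():
        print(f"{status:9} {name}")
```

Only the last scenario yields answers a resolver accepts, which is why the DS record at the parent is worth monitoring alongside nameserver changes.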
“DNSSEC likely reduced the blast radius of the hijack. We are not aware of any user impact at this time,” the eth.limo team stated in their incident analysis.
Buterin provided an update on Saturday confirming that the issue was “all resolved now.”
Mark Jeftovic, CEO of EasyDNS, released his own detailed incident report under the headline “We screwed up and we own it.” He characterized the breach as unprecedented in EasyDNS’s operational history spanning 28 years.
“This would mark the first successful social engineering attack against an easyDNS client in our 28-year history. There have been countless attempts,” Jeftovic acknowledged.
Jeftovic emphasized that the security incident was isolated to eth.limo, with no other EasyDNS customers experiencing compromise.
Future Security Measures
The eth.limo domain will be transferred to Domainsure, an EasyDNS-affiliated platform specifically designed for enterprise clients and high-value digital assets. Domainsure’s architecture deliberately excludes account recovery functionality, effectively eliminating the vulnerability exploited in this incident.
Jeftovic disclosed that EasyDNS continues to conduct a comprehensive internal review to determine the precise methodology employed by the attackers.
This attack represents another entry in an escalating series of similar compromises. In November 2025, DNS hijacking incidents targeting decentralized exchanges Aerodrome and Velodrome resulted in losses exceeding $700,000 after attackers compromised registrar NameSilo and stripped DNSSEC protections from those domains.
Steakhouse Financial, a stablecoin protocol provider, revealed a comparable security breach on March 30, following the manipulation of OVH support personnel who were deceived into disabling two-factor authentication on the company’s account.
The eth.limo service has been fully restored and remains under legitimate operational control.


