Key Points
- A threat actor posed as an eth.limo representative to manipulate EasyDNS staff into granting unauthorized account control
- Domain nameservers were modified twice during the early morning hours of April 18, first pointing to Cloudflare, then to Namecheap
- Cryptographic validation through DNSSEC prevented malicious DNS responses from reaching users
- EasyDNS leadership issued a public statement acknowledging their first social engineering compromise since 1997
- The gateway service will transfer to Domainsure, which operates without account recovery features
The Ethereum Name Service gateway eth.limo experienced a domain compromise late Friday evening after a malicious actor successfully manipulated EasyDNS personnel through social engineering tactics.
The hostile party initiated contact with EasyDNS support while impersonating an authorized eth.limo administrator. The account recovery request began at 7:07 p.m. EDT on April 17. Within hours, by 2:23 a.m. EDT on April 18, the perpetrator had redirected the domain’s nameservers toward Cloudflare infrastructure. A second modification occurred at 3:57 a.m. EDT, pointing the nameservers to Namecheap instead.
EasyDNS personnel reinstated proper access credentials to the authorized eth.limo operators at 7:49 a.m. EDT, concluding approximately five hours of unauthorized control.
The eth.limo platform functions as a bridge connecting conventional web browsers to Ethereum Name Service addresses. The service facilitates access to approximately 2 million .eth domains, including the personal website of Ethereum co-founder Vitalik Buterin located at vitalik.eth.limo.
Had the takeover succeeded fully, the malicious actor could have rerouted visitors from any .eth address to fraudulent websites designed to steal credentials and assets. Buterin issued an alert to his community on Friday, recommending complete avoidance of eth.limo links and suggesting direct IPFS access instead.
DNSSEC Cryptographic Validation Prevented User Impact
The hostile actor failed to obtain eth.limo’s DNSSEC cryptographic signing keys throughout the breach. These keys are required to generate the signatures that resolvers use to authenticate DNS records.
When validating DNS resolvers evaluated responses from the modified nameservers, the records could not be verified against the domain’s legitimately signed records. Rather than forwarding users to attacker-controlled infrastructure, the resolvers returned error responses that blocked access.
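
The check described above can be sketched in code. This is an added example, not taken from the eth.limo post-mortem or from EasyDNS. It models only the link between the DS record in the parent zone and the DNSKEY served by the nameservers; the key bytes, the algorithm number and the status labels are constructed assumptions, and a real validating resolver also verifies RRSIG signatures.

```python
import hashlib
import struct

def wire_name(name: str) -> bytes:
    """Canonical DNS wire form: lowercased, length-prefixed labels, root terminator."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey

def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256 over owner name + DNSKEY RDATA (RFC 4034 5.1.4, RFC 4509)."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest()

def chain_status(owner: str, parent_ds: set, served_keys: list) -> str:
    """Model only the DS -> DNSKEY link; a real validator also verifies RRSIGs."""
    if not parent_ds:
        return "INSECURE"   # no DS at the parent: unsigned delegation, answers accepted
    if any(ds_digest(owner, k) in parent_ds for k in served_keys):
        return "CHAIN-OK"   # served key is anchored by the parent's DS record
    return "BOGUS"          # validating resolver answers SERVFAIL, user is not redirected

# Constructed sample data (not real eth.limo keys). 257 = key-signing key, 13 = ECDSA P-256.
ZONE = "eth.limo"
OPERATOR_KEY = dnskey_rdata(257, 13, bytes(range(64)))
IMPOSTOR_KEY = dnskey_rdata(257, 13, bytes(range(64, 128)))
PARENT_DS = {ds_digest(ZONE, OPERATOR_KEY)}   # DS record held in the parent zone

if __name__ == "__main__":
    print("legitimate nameservers:", chain_status(ZONE, PARENT_DS, [OPERATOR_KEY]))
    print("swapped NS, other key: ", chain_status(ZONE, PARENT_DS, [IMPOSTOR_KEY]))
    print("swapped NS, no DNSKEY: ", chain_status(ZONE, PARENT_DS, []))
    print("DS missing at parent:  ", chain_status(ZONE, set(), [IMPOSTOR_KEY]))
```

For monitoring, the last case is the one to alert on: a DS record disappearing from the parent zone moves the result from BOGUS to INSECURE, so nameserver changes and DS changes both need to be watched.
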
“DNSSEC likely reduced the blast radius of the hijack. We are not aware of any user impact at this time,” the eth.limo team wrote in its post-mortem.
Buterin confirmed on Saturday that the situation was “all resolved now.”
EasyDNS CEO Mark Jeftovic published his own account of the incident, titled “We screwed up and we own it.” He called it the first successful social engineering attack against an EasyDNS client in the company’s 28-year history.
“This would mark the first successful social engineering attack against an easyDNS client in our 28-year history. There have been countless attempts,” Jeftovic said.
Jeftovic clarified that the security incident affected only the eth.limo account and did not extend to other EasyDNS customers.
Migration Plans and Industry Context
The eth.limo domain will undergo a transfer to Domainsure, an EasyDNS-affiliated platform designed specifically for enterprise customers managing high-value digital assets. Domainsure’s architecture eliminates account recovery procedures entirely, removing the vulnerability that enabled this particular attack vector.
Jeftovic stated that EasyDNS continues to examine internal processes to determine precisely how the social engineering tactics bypassed existing safeguards.
This breach follows a concerning trend affecting cryptocurrency platforms. During November 2025, decentralized exchanges Aerodrome and Velodrome experienced DNS hijacking incidents targeting registrar NameSilo, which resulted in DNSSEC removal and user losses exceeding $700,000.
Steakhouse Financial, a stablecoin protocol operator, reported a comparable security incident on March 30 after OVH customer support personnel were manipulated into disabling two-factor authentication protections.
The eth.limo gateway has resumed normal operations under legitimate administrative control.

