Key Takeaways
- A sophisticated impersonation scheme convinced EasyDNS support staff to grant unauthorized access to the eth.limo account
- Domain nameservers were switched twice during a five-hour window in the early hours of April 18
- DNSSEC security protocols prevented users from being redirected to malicious sites by invalidating unauthorized DNS changes
- EasyDNS leadership issued a public apology, acknowledging their first social engineering compromise in nearly three decades of operation
- The gateway service is transitioning to Domainsure, an enterprise platform that eliminates account recovery vulnerabilities
A social engineering attack successfully compromised the domain registrar account for eth.limo, an Ethereum Name Service gateway, late Friday evening when cybercriminals deceived EasyDNS personnel.
The perpetrator posed as a legitimate member of the eth.limo operations team, initiating an account recovery request with EasyDNS at 7:07 p.m. EDT on April 17. The breach escalated when, at 2:23 a.m. EDT the following morning, the attacker successfully redirected eth.limo’s nameservers to Cloudflare infrastructure. A second nameserver modification occurred at 3:57 a.m. EDT, this time pointing to Namecheap.
Legitimate control was reestablished when EasyDNS personnel restored proper account access at 7:49 a.m. EDT, concluding approximately five hours of unauthorized control.
The eth.limo service functions as a critical bridge connecting traditional web browsers with Ethereum Name Service infrastructure. The platform provides gateway access to approximately 2 million .eth domains, including high-profile addresses such as Buterin’s personal blog located at vitalik.eth.limo.
Had the compromise been fully successful, malicious actors could have redirected visitors from any .eth website to fraudulent phishing sites. Recognizing the severity, Buterin immediately advised his social media followers on Friday to avoid all eth.limo URLs and utilize IPFS access methods instead.
DNSSEC Technology Prevented Widespread Damage
The attackers did not obtain eth.limo’s DNSSEC signing keys. Without them, records served from the switched nameservers lacked the valid digital signatures required for authentication.
Validating DNS resolvers that checked responses from the modified nameservers found that they did not match the legitimate signed records. Rather than directing traffic to attacker-controlled infrastructure, these resolvers returned errors to end users.
“DNSSEC likely reduced the blast radius of the hijack. We are not aware of any user impact at this time,” the eth.limo team explained in their incident analysis.
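A delegation monitor built on the behaviour described above, as an added example (not code from eth.limo or EasyDNS): it compares snapshots of a zone's NS and DS records at the parent against an approved baseline and separates the case in this incident, NS changed with DS intact, from the case where DNSSEC is disabled. The snapshot format, hostnames and key tags are constructed placeholders, and the check for a changed DS set goes beyond what the article describes.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Snapshot:
    """Delegation data for one zone as published by its parent (TLD) zone."""
    label: str
    ns: frozenset       # nameserver hostnames in the delegation
    ds_tags: frozenset  # key tags of the DS records; empty means unsigned

def snap(label, ns, ds_tags):
    # Normalise hostnames so "NS1.Example." and "ns1.example" compare equal.
    return Snapshot(label, frozenset(n.rstrip(".").lower() for n in ns), frozenset(ds_tags))

def assess(baseline, seen):
    """Return (severity, reason) for a snapshot compared with the approved baseline."""
    ns_changed = seen.ns != baseline.ns
    if baseline.ds_tags and not seen.ds_tags:
        return "critical", "DS removed: zone is treated as insecure, unsigned answers are accepted"
    if seen.ds_tags != baseline.ds_tags:
        return "critical", "DS set changed: trust anchor differs from the approved keys"
    if ns_changed and seen.ds_tags:
        return "high", ("NS changed, DS intact: validating resolvers fail closed, "
                        "non-validating resolvers follow the new NS")
    if ns_changed:
        return "critical", "NS changed on an unsigned zone: nothing blocks redirection"
    return "ok", "delegation matches baseline"

def review(baseline, snapshots):
    """Assess each snapshot in order and return the findings that are not 'ok'."""
    results = [(s.label, *assess(baseline, s)) for s in snapshots]
    return [r for r in results if r[1] != "ok"]

# Constructed sample data: hostnames and key tags are placeholders, not incident data.
# In practice, fill snapshots from NS and DS queries sent to the parent zone's servers.
BASELINE = snap("approved", ["ns1.dns-a.example.", "ns2.dns-a.example."], [12345])
OBSERVED = [
    snap("t0", ["NS1.dns-a.example", "ns2.dns-a.example"], [12345]),  # unchanged
    snap("t1", ["ns1.dns-b.example", "ns2.dns-b.example"], [12345]),  # NS switched, DS kept
    snap("t2", ["ns1.dns-c.example", "ns2.dns-c.example"], [12345]),  # NS switched again
    snap("t3", ["ns1.dns-c.example", "ns2.dns-c.example"], []),       # DNSSEC disabled
]

if __name__ == "__main__":
    for label, severity, reason in review(BASELINE, OBSERVED):
        print(f"{label}: {severity.upper()} - {reason}")
```

The "high" result is not "ok": users behind resolvers that do not validate DNSSEC get no protection from the intact DS record.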
Buterin provided an update on Saturday confirming the incident was “all resolved now.”
Mark Jeftovic, CEO of EasyDNS, released his own detailed incident report with the straightforward title “We screwed up and we own it.” He acknowledged this represented the first time social engineering tactics successfully breached an EasyDNS client account throughout the company’s 28-year operational history.
“This would mark the first successful social engineering attack against an easyDNS client in our 28-year history. There have been countless attempts,” Jeftovic stated.
Jeftovic emphasized that the security incident remained isolated to this single account, with no other EasyDNS customers experiencing unauthorized access.
Future Security Measures
The eth.limo domain will undergo migration to Domainsure, an EasyDNS-affiliated service specifically designed for enterprise clients and high-value digital assets. Domainsure’s architecture completely eliminates account recovery functionality, removing the vulnerability exploited in this incident.
Jeftovic confirmed that EasyDNS continues conducting comprehensive internal investigations to determine the precise methods attackers used to bypass security procedures.
This attack follows an emerging trend of DNS-based compromises targeting cryptocurrency platforms. In November 2025, coordinated DNS hijacking attacks against decentralized exchanges Aerodrome and Velodrome resulted in over $700,000 in user fund losses after attackers compromised registrar NameSilo and disabled DNSSEC protections on those domains.
Steakhouse Financial, a stablecoin protocol, reported a comparable security breach on March 30 when OVH support personnel were socially engineered into disabling two-factor authentication protections on their account.
The eth.limo gateway has returned to full operational status under authorized management control.



