EasyDNS has acknowledged that a successful social engineering attack at its support desk led to the temporary hijacking of the Ethereum Name Service (ENS) gateway domain eth.limo, briefly disrupting access to roughly two million .eth domains. The registrar said this was the first incident of its kind in the company’s 28-year history.
How the attack unfolded
According to a post-incident report from the eth.limo team and a blog post by EasyDNS CEO Mark Jeftovic, the attack started on April 17 at 7:07 p.m. Eastern Time.
An individual impersonating an eth.limo team member contacted EasyDNS and convinced staff to begin an account recovery process. With that foothold, the attacker was able to change the domain’s DNS settings at the registrar level.
Key timeline details include:
- April 18, 2:23 a.m. ET – The attacker redirected eth.limo’s domain name servers to Cloudflare, triggering downtime alerts.
- April 18, 3:57 a.m. ET – The name servers were again changed, this time pointing to Namecheap.
- April 18, 7:49 a.m. ET – EasyDNS restored access to the legitimate eth.limo account owners and reversed the changes.
The incident exploited human trust rather than a technical vulnerability, demonstrating how social engineering can bypass existing security controls at centralized infrastructure providers.
What eth.limo does and who was affected
Eth.limo is an open-source reverse proxy that lets users access decentralized content linked to .eth names by appending “.limo” in a regular web browser (for example, example.eth.limo). It acts as a bridge between traditional DNS and content hosted on decentralized storage systems such as IPFS, Arweave, or Swarm.
EasyDNS data shows that the wildcard DNS record *.eth.limo covers around two million ENS-registered .eth domains. The gateway reportedly handles up to 1.5 million requests per day.
When the hijack occurred, the attacker briefly controlled the main access point used by many people to reach .eth websites via a normal browser, creating a temporary outage and risk of malicious redirection.
Impact limited by DNSSEC and quick response
The attack did not compromise the Ethereum blockchain or ENS smart contracts. Those systems operated normally throughout the event, and ownership records for .eth domains were unaffected.
Damage was constrained for two main reasons:
- DNS Security Extensions (DNSSEC) were enabled on the eth.limo domain. This meant many browsers detected the mismatch and returned errors instead of loading the attacker’s servers.
- The eth.limo team and broader community responded quickly to alerts about DNS changes and downtime.
Ethereum co-founder Vitalik Buterin publicly warned users on social media to avoid eth.limo-related pages until security was fully restored. He advised using direct IPFS links as a safer alternative during the incident, helping reduce potential exposure.
EasyDNS response and planned changes
EasyDNS has publicly taken responsibility for the breach, emphasizing that the failure occurred at the support and account recovery level, not from a technical exploit of their systems.
The company said it plans to:
- Move eth.limo to a higher-security platform that does not allow standard account recovery, removing the pathway used in this attack.
- Tighten internal procedures around identity verification and recovery requests, particularly for high-risk domains.
The episode highlights that even long-established registrars with strong track records can be vulnerable to targeted social engineering.
Lessons for users and service providers
The eth.limo incident underscores several key points for those interacting with services that bridge Web2 infrastructure and decentralized networks:
- Avoid single points of failure: Relying on one gateway (such as a single ENS-to-HTTP bridge) concentrates risk. Alternative access paths include:
- Browser extensions that support native ENS resolution
- Direct IPFS or other decentralized storage links
- Multiple independent gateways where possible
- Check security features: DNSSEC and similar protections can significantly reduce the impact of domain hijacks by causing browsers and resolvers to fail safely rather than connect to fraudulent endpoints.
- Monitor official channels: During security events, timely information usually comes from official project accounts, documentation sites, or verified developers. Following these channels helps users react quickly to warnings and temporary workarounds.
As EasyDNS and the eth.limo team implement higher-security measures, the case is likely to be studied as a reminder that human-targeted attacks remain a critical risk even for technically robust, long-running internet infrastructure providers.
Concerned about domain hijacks and social engineering? Learn how to safeguard your assets with our guide on crypto safety standards.
Disclaimer: The content on this page is provided for general informational purposes only and does not represent the views or financial advice of Toobit. We make no guarantees regarding the accuracy or completeness of this information and shall not be held liable for any errors, omissions, or outcomes resulting from its use. Investing in digital assets involves risk; users should independently evaluate their financial situation and the risks involved. For further details, please consult our Terms of Service and Risk Disclosure.
