Ethereum co-founder Vitalik Buterin has warned that the DNS registrar for eth.limo has been compromised and called on users to stop visiting any eth.limo-related webpages until further notice.
In a statement posted on his official social media account on April 18, Buterin said the issue affects domains such as vitalik.eth.limo, which are widely used to access Ethereum Name Service (ENS) sites. He recommended using IPFS links instead, at least until there is confirmation that eth.limo operations have safely resumed.
Security risk and potential impact
The compromise of the eth.limo DNS registrar means traffic to eth.limo-based domains can be redirected away from legitimate pages to malicious ones, creating a high risk of phishing and wallet-draining attacks.
Because eth.limo functions as a gateway that converts ENS .eth names into conventional web links, the breach could impact anyone using a regular browser to access ENS-hosted content. During the incident window, users attempting to reach .eth domains through eth.limo may have been silently sent to fraudulent websites designed to steal digital assets or capture sensitive data.
At the time of writing, access to eth.limo remained restricted, with system checks and recovery work still under way. Buterin said a response from the DNS service provider was still pending, and no timeline has been given for full restoration of service.
How the eth.limo gateway works
Eth.limo is a key piece of infrastructure for the ENS ecosystem. It acts as a bridge between decentralized identifiers and the traditional web by:
- resolving ENS names (such as vitalik.eth)
- mapping them to DNS records
- serving associated web content via standard HTTPS links (such as vitalik.eth.limo)
A compromise at the DNS registrar level allows an attacker to change these records and silently reroute users, without altering the actual ENS data on-chain. This makes the attack difficult for users to detect in real time.
DNS-level attacks on the rise
The eth.limo incident fits into a broader trend of attacks targeting off-chain infrastructure that blockchain protocols depend on, rather than the smart contracts themselves.
In a notable earlier case, CoW Swap suffered a severe DNS hijacking incident on April 14, 2026. Attackers gained control over its domain at the registrar level and redirected traffic to a convincing clone of the official interface.
On-chain data from that attack showed:
- at least $1 million in user assets stolen within the first three hours
- a single user loss of 219 ETH
- total estimated user losses of around $1.2 million
The attackers reportedly used social engineering to compromise the domain registration process, then altered DNS records to point to a counterfeit front end that prompted users to sign malicious transactions.
The CoW Swap team detected abnormal activity within 19 minutes and migrated to a new domain over roughly 26 hours, but could not prevent substantial losses.
Wider trend in April 2026
The first half of April 2026 has been particularly damaging for the digital asset sector. More than $450 million has been lost across 45 different protocols in a mix of exploits and attacks.
While losses from direct smart contract exploits have been declining as on-chain security practices improve, threat actors are increasingly pivoting to off-chain weaknesses, including:
- DNS hijacking
- social engineering of registrars and service providers
- compromises of interfaces, front ends, and infrastructure tools
The eth.limo breach underscores how attacks on web infrastructure can undermine trust in decentralized systems even when the underlying blockchain logic remains intact.
Recommended steps for users
With the eth.limo situation still unresolved, users are being urged to adopt a cautious stance:
- avoid visiting any eth.limo-related URLs until an official all-clear is issued by the gateway’s operators
- use direct IPFS links or other verified access methods to reach ENS-hosted content where possible
- revoke recent token approvals made through interfaces that might have relied on eth.limo, using reputable approval management tools
- closely follow official communication channels from eth.limo, ENS, and key ecosystem teams for updates and a full post-incident report
A detailed post-mortem, once released, is expected to outline the exact attack vector at the DNS level and the long-term mitigation measures to reduce the risk of similar incidents in the future.
Concerned about Ethereum security after this DNS compromise? Learn how to protect your crypto identity effectively today.
Disclaimer: The content on this page is provided for general informational purposes only and does not represent the views or financial advice of Toobit. We make no guarantees regarding the accuracy or completeness of this information and shall not be held liable for any errors, omissions, or outcomes resulting from its use. Investing in digital assets involves risk; users should independently evaluate their financial situation and the risks involved. For further details, please consult our Terms of Service and Risk Disclosure.
