Cryptonews

How Social Engineering Attack on eth.limo Exposed Crypto’s Domain Security Flaw

Source: cryptonewstrend.com

A domain hijacking incident targeted Ethereum Name Service gateway eth.limo late Friday evening after an adversary successfully manipulated EasyDNS personnel through social engineering tactics.

The Crypto Times (@CryptoTimes_io), April 20, 2026: "🚨UPDATE: @eth_limo confirms a DNS hijack after attackers compromised its EasyDNS account via social engineering. Malicious nameserver changes briefly redirected traffic before being reversed. DNSSEC helped contain the attack — no user impact reported." pic.twitter.com/I6ebk0bL5A

The malicious actor initiated a fraudulent account recovery procedure with EasyDNS at 7:07 p.m. Eastern time on April 17, impersonating legitimate eth.limo personnel. By 2:23 a.m. Eastern on April 18, the attacker had successfully modified eth.limo’s nameserver configuration to point toward Cloudflare infrastructure. A second nameserver modification redirected traffic to Namecheap at 3:57 a.m. Eastern. Legitimate account control was restored to the authentic eth.limo operators at 7:49 a.m. Eastern, concluding approximately five hours of unauthorized access.

ETH.LIMO 🦇🔊 (@eth_limo), April 18, 2026: https://t.co/of1ktfaPss

The eth.limo platform functions as a critical bridge connecting conventional web browsers to Ethereum Name Service addresses. The service supports approximately 2 million .eth domains, including the personal website of Ethereum co-creator Vitalik Buterin at vitalik.eth.limo. Had the hijack succeeded completely, the perpetrator could have redirected visitors across any .eth domain to malicious phishing infrastructure. Buterin issued warnings Friday advising his audience to avoid all eth.limo URLs temporarily and access content through IPFS instead.

The malicious actor failed to obtain eth.limo’s DNSSEC cryptographic signing keys. Without those keys, the attacker could not generate authentically signed DNS responses. DNS resolvers validating the modified nameserver data detected discrepancies with the legitimate cryptographic records. Rather than routing visitors to attacker-controlled destinations, resolvers returned failures.

“DNSSEC likely reduced the blast radius of the hijack. We are not aware of any user impact at this time,” the eth.limo team stated in their incident analysis. Buterin verified on Saturday that the crisis was “all resolved now.”

Mark Jeftovic, CEO of EasyDNS, released his personal statement about the compromise, titled “We screwed up and we own it.” He characterized it as the first successful social engineering attack against any EasyDNS customer in the company’s nearly three-decade operational history. “This would mark the first successful social engineering attack against an easyDNS client in our 28-year history. There have been countless attempts,” Jeftovic acknowledged.

Jeftovic emphasized that no additional EasyDNS customers were compromised during this incident. The eth.limo domain will migrate to Domainsure, an EasyDNS-affiliated platform designed specifically for enterprise and high-security clients. Domainsure’s architecture deliberately excludes account recovery functionality, eliminating the vulnerability vector exploited in this attack. Jeftovic indicated that EasyDNS continues investigating the precise methodology the attacker employed during the breach.

This incident represents another data point in an escalating trend. November 2025 witnessed DNS hijacks targeting decentralized exchanges Aerodrome and Velodrome, resulting in over $700,000 stolen from users after attackers compromised registrar NameSilo and stripped DNSSEC protections from those domains. Stablecoin infrastructure provider Steakhouse Financial revealed a comparable breach on March 30, following successful manipulation of OVH support personnel who removed two-factor authentication safeguards from the account.
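The difference between the eth.limo outcome and the cases where DNSSEC was stripped comes down to whether the parent zone still publishes a DS record that the served DNSKEY must match. The following is an added example, not code from the article or from eth.limo or EasyDNS: a simplified model of that check using the RFC 4034 DS digest, with constructed key bytes, an assumed algorithm number, and the assumption that the DS record stayed in place during the eth.limo hijack.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of a domain name: lowercase, length-prefixed labels."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA layout from RFC 4034: flags, protocol, algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def ds_digest_sha256(owner: str, rdata: bytes) -> str:
    """RFC 4034 section 5.1.4: digest = SHA-256(owner name | DNSKEY RDATA)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def delegation_status(owner: str, parent_ds: set, served_dnskeys: list) -> str:
    """Simplified classification of a delegation by a validating resolver.

    Real validators also match key tag and algorithm and verify RRSIGs.
    """
    if not parent_ds:
        return "insecure"  # no DS at the parent: unsigned answers are accepted
    for rdata in served_dnskeys:
        if ds_digest_sha256(owner, rdata) in parent_ds:
            return "secure"  # served key chains to the parent's DS record
    return "bogus"  # DS present but no matching key: resolver answers SERVFAIL

# Constructed sample data: placeholder key bytes, not eth.limo's real keys.
# Algorithm 13 (ECDSA P-256) is an assumption; the article names no algorithm.
ZONE = "eth.limo"
LEGIT_KEY = dnskey_rdata(257, 3, 13, b"constructed-legitimate-key-bytes")
ROGUE_KEY = dnskey_rdata(257, 3, 13, b"constructed-attacker-key-bytes")
PARENT_DS = {ds_digest_sha256(ZONE, LEGIT_KEY)}  # published in the .limo zone

def scenarios() -> dict:
    return {
        "legitimate nameservers": delegation_status(ZONE, PARENT_DS, [LEGIT_KEY]),
        "hijacked NS, attacker key": delegation_status(ZONE, PARENT_DS, [ROGUE_KEY]),
        "hijacked NS, unsigned zone": delegation_status(ZONE, PARENT_DS, []),
        "hijacked NS, DS stripped": delegation_status(ZONE, set(), [ROGUE_KEY]),
    }

if __name__ == "__main__":
    for case, status in scenarios().items():
        print(f"{case:28s} -> {status}")
```

The "insecure" row is why monitoring for DS record removal at the registry matters as much as monitoring nameserver changes: once the DS is gone, validation no longer protects the zone.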
The eth.limo gateway has resumed normal operations under authorized team management.