On the evening of Friday, April 17, eth.limo—a widely used gateway for Ethereum Name Service (ENS) users—suffered an unexpected social engineering attack. The incident unfolded when the attacker bypassed verification procedures, seized authority at registration operator EasyDNS, and caused a temporary disruption of eth.limo’s services.
Swift response and DNS rerouting
During the attack, a perpetrator impersonated a member of the eth.limo development team and initiated an account recovery request at EasyDNS. Reviewing the timeline, the eth.limo nameservers were first rerouted to Cloudflare and shortly after to Namecheap. Team members jumped into action after receiving alerts early the next morning. Ultimately, EasyDNS returned account control to the project after confirming the breach.
Eth.limo offers an open-source reverse proxy service covering around 2 million .eth domains. It allows users to directly access content hosted on distributed storage networks like IPFS, Arweave, or Swarm through their browsers. During the incident, attackers targeted eth.limo’s wildcard DNS record, putting nearly two million .eth addresses at serious risk.
“On behalf of everyone at eth.limo and the wider Ethereum community, I deeply apologize. ENS has had a special place for us, as EasyDNS was the first registrar to link web2 domain names to ENS, and we’ve been active in this space since 2017.”
DNSSEC’s crucial role in limiting damage
The breach could have caused much greater harm, but DNS Security Extensions (DNSSEC) prevented it. DNSSEC digitally signs DNS records, automatically blocking records that fail verification or are invalid.
Since the attacker could not access the gateway’s signing keys, the DNSSEC validation chain was broken. As a result, service providers recognized the rouge nameserver responses as invalid, preventing users from being directed to unsafe sites.
The eth.limo team confirmed that DNSSEC substantially minimized the attack’s impact, reporting no user losses so far. Ethereum co-founder Vitalik Buterin advised users to avoid eth.limo links during the service disruption and assured the next day that full control had been restored.
EasyDNS statement and new security measures
Mark Jeftovic, the CEO of EasyDNS, stated in a blog post that this was the first successful social engineering breach in the company’s 28-year history, affecting only eth.limo. Following the incident, it was decided to migrate eth.limo to Domainsure, a specialized platform with no account recovery feature. The company has not disclosed the exact technical methods used by the attacker.
Similar incidents have become increasingly frequent. In November, decentralized exchanges Aerodrome and Velodrome were both targeted by DNS hijacking attacks. In those cases, disabling DNSSEC on the affected domains resulted in financial losses for users. In March, Steakhouse Financial and Neutrl also experienced security breaches due to social engineering tactics.
Ironically, during the Aerodrome attack in November, eth.limo played a crucial role by offering DeFi platforms alternative access. ENS DAO later highlighted eth.limo as an indispensable gateway whenever DeFi interfaces became inaccessible.
Vitalik Buterin has long warned of the risks inherent in the Ethereum ecosystem’s reliance on centralized domain name resolution. He reiterated the need for developers to promote direct routing through decentralized networks such as IPFS.
After the incident, eth.limo was fully brought back under its original team’s control and the platform was reopened to users.
