
eth.limo Domain Hijack Linked to Social Engineering Attack…

How Did the eth.limo Domain Hijack Occur?

Ethereum Name Service gateway eth.limo said a recent domain hijack was the result of a social engineering attack targeting its domain provider, EasyDNS. The incident allowed an attacker to gain access to the eth.limo account and modify domain settings after impersonating a team member during an account recovery process.

According to a postmortem published by eth.limo, the attacker's recovery request with EasyDNS succeeded, and the domain's nameserver (NS) records were then changed to point at nameservers outside eth.limo's control. Once the delegation is repointed, whoever runs the new nameservers can answer queries for the domain, which creates the potential for phishing or malware distribution against anyone who visits it.

“The NS records were changed and directed to Cloudflare… Once we understood that a DNS hijack had taken place, we immediately notified the community as well as Vitalik Buterin and others. We then began contacting EasyDNS in an attempt to respond to the incident,” the company said.

The platform acts as a Web2 bridge for the Ethereum Name Service, providing access to roughly 2 million .eth domains. A successful compromise could have exposed users to fraudulent websites, though no confirmed user impact has been reported.

What Limited the Impact of the Attack?

Both eth.limo and EasyDNS pointed to DNSSEC as the safeguard that prevented broader damage. The DS record for eth.limo in the parent zone commits to the domain's signing key, and the attacker did not hold that key, so the nameservers the domain was pointed at could not produce signed answers that chained back to the published DS record.

As a result, validating resolvers treated the domain's data as bogus and returned errors (SERVFAIL) to users instead of the attacker's addresses. Two caveats a practitioner should keep in mind: only validating resolvers are protected, so clients behind a non-validating resolver would still have received the hijacked answers, and the safeguard holds only as long as the DS record in the parent zone stays in place. Since that record is normally published through the registrar, an attacker with full registrar account access can in principle remove it as well; here that did not happen, which is why the initial breach was contained.

“DNSSEC was enabled for their domain when the attackers attempted to flip their nameservers, presumably to effect some manner of phishing or malware injection attack; DNSSEC-aware resolvers, which most are these days, began dropping queries,” said EasyDNS CEO Mark Jeftovic.

eth.limo noted that the absence of signing keys likely “reduced the blast radius of the hijack,” adding that it is not aware of any user impact at this stage.
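The validation step described above can be made concrete. The following is an added example, not code from eth.limo or EasyDNS: it implements the DS digest (RFC 4034 section 5.1.4) and key tag (RFC 4034 Appendix B) computations that tie a zone's DNSKEY to the DS record in its parent, and then models the one step a nameserver flip cannot pass. The zone name is the real one from the article; the key bytes, the DS list standing in for the .limo parent zone, and the resolver model are constructed for illustration, and RRSIG verification is deliberately left out.

```python
"""Added example (not eth.limo's or EasyDNS's code): why a validating resolver
rejects a hijacked delegation.

It implements the DS digest (RFC 4034 section 5.1.4) and key tag
(RFC 4034 Appendix B) computations and then models the one validation step a
nameserver flip cannot pass: the DNSKEY served by the child zone must hash to
a DS record published in the parent zone. RRSIG verification is left out;
the key material below is constructed and is not eth.limo's real key."""
import hashlib
import struct

NOERROR = "NOERROR"
SERVFAIL = "SERVFAIL"

ZONE = "eth.limo."  # zone name from the article; all key material below is made up


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of a DNS name: lowercase, length-prefixed labels, root label."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        wire += struct.pack("B", len(raw)) + raw
    return wire + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (the algorithm-1 special case is not handled)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> bytes:
    """DS digest type 2: SHA-256 over the owner name in wire form plus the DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).digest()


def ds_record(owner: str, rdata: bytes) -> str:
    """Presentation form of the DS record to publish at the registrar for this DNSKEY."""
    algorithm = rdata[3]
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} 2 {ds_digest(owner, rdata).hex().upper()}"


def resolve(owner: str, parent_ds: list, served_dnskeys: list, validating: bool = True) -> str:
    """Model a resolver following the delegation to whatever nameservers currently answer.

    A validating resolver accepts the child zone only if one served DNSKEY matches the
    (key tag, digest) of a DS record in the parent; otherwise the zone is bogus and the
    client gets SERVFAIL. A non-validating resolver never consults the DS at all."""
    if not validating:
        return NOERROR
    trusted = {(tag, digest) for tag, digest in parent_ds}
    for rdata in served_dnskeys:
        if (key_tag(rdata), ds_digest(owner, rdata)) in trusted:
            return NOERROR
    return SERVFAIL


# Constructed keys: flags 257 marks a KSK, algorithm 13 is ECDSAP256SHA256.
LEGIT_KSK = dnskey_rdata(257, 13, bytes(range(1, 65)))
ATTACKER_KSK = dnskey_rdata(257, 13, bytes(range(64, 0, -1)))

# The parent zone publishes the DS for the legitimate key; flipping NS records does not touch it.
PARENT_DS = [(key_tag(LEGIT_KSK), ds_digest(ZONE, LEGIT_KSK))]


def before_hijack() -> str:
    """Legitimate nameservers serve the real KSK, which hashes to the published DS."""
    return resolve(ZONE, PARENT_DS, [LEGIT_KSK])


def after_hijack(validating: bool = True) -> str:
    """Attacker-controlled nameservers can serve any DNSKEY, but none that hashes to PARENT_DS."""
    return resolve(ZONE, PARENT_DS, [ATTACKER_KSK], validating)


if __name__ == "__main__":
    print(ds_record(ZONE, LEGIT_KSK))
    print("legitimate delegation:", before_hijack())
    print("hijacked, validating resolver:", after_hijack())
    print("hijacked, non-validating resolver:", after_hijack(validating=False))
```

The same `ds_record` computation is what an operator uses to confirm that the DS record held by the registrar actually matches the KSK the zone is signed with; a DS that is absent, stale after a key rollover, or removed by an attacker with registrar access leaves validating resolvers with nothing to check against, which is the `validating=False` outcome above.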

Investor Takeaway

Social engineering remains a critical vulnerability even in technically robust systems. Security layers like DNSSEC can contain the damage once a delegation has been hijacked, but they do nothing to stop an attacker from taking over the registrar account in the first place.

What Responsibility Did EasyDNS Acknowledge?

EasyDNS CEO Mark Jeftovic publicly accepted responsibility for the breach, describing it as the first successful social engineering attack against one of its clients.

“We screwed up and we own it,” Jeftovic said. “This would mark the first successful social engineering attack against an easyDNS client in our 28-year history. There have been countless attempts.”

The company described the attack as highly sophisticated and said it is continuing its internal review. In response, EasyDNS has begun implementing changes to reduce the likelihood of similar incidents.

Among the measures, eth.limo will be migrated to Domainsure, a service that removes account recovery mechanisms entirely, eliminating the vector used in this attack.

Investor Takeaway

Account recovery processes remain a weak point in infrastructure security. Removing or hardening these pathways is becoming a requirement for high-value domains tied to financial systems.

Why Are Domain Attacks Increasing in Crypto?

The eth.limo incident adds to a growing pattern of domain hijacks targeting crypto-related platforms. In recent days, decentralized exchange aggregator CoW Swap and advisory firm Steakhouse Financial both reported losing control of their domains to attackers.

These incidents highlight a recurring issue: while blockchain systems themselves may be secure, the surrounding infrastructure (DNS providers, registrars, hosting services, and the account management systems that control them) remains exposed to conventional attacks such as social engineering, and a single compromised account can redirect every user of a service at once.

For users, this creates a mismatch between perceived and actual security. Access points such as web gateways remain exposed to traditional attack vectors, even when underlying assets are secured onchain.