- eth.limo was briefly hijacked after an attacker used social engineering to trick registrar EasyDNS into initiating an account recovery.
- EasyDNS said the incident was its first successful social engineering breach in 28 years and accepted responsibility for the compromise.
The registrar, not the protocol, became the weak point.
Ethereum Name Service gateway eth.limo was briefly hijacked late Friday after an attacker impersonated a team member and convinced the registrar, EasyDNS, to initiate an account recovery process, according to post-mortems published by both the project and EasyDNS chief executive Mark Jeftovic.
A registrar recovery flow became the entry point
The timeline was tight, but not trivial. At 7:07 p.m. EDT on April 17, the attacker reportedly contacted EasyDNS while posing as a member of the eth.limo team. That led to the registrar initiating an account recovery flow. Hours later, at 2:23 a.m. EDT on April 18, the attacker changed the domain’s nameservers to Cloudflare, triggering automated downtime alerts that woke the eth.limo team.
The nameservers were switched again at 3:57 a.m. EDT, this time to Namecheap, before EasyDNS restored account access to the legitimate team at 7:49 a.m. EDT.
That sequence matters because the compromise did not begin with a smart contract exploit or a wallet breach. It began with a support process. In crypto, that distinction keeps coming up. The code can be sound, but the surrounding infrastructure, domains, registrars, email flows, support desks, still carries old internet risks.
The potential blast radius was much larger than one website
eth.limo is not a niche domain redirect. It acts as a free, open-source reverse proxy that allows standard browsers to access ENS-linked content stored on IPFS, Arweave or Swarm by appending “.limo” to a .eth name.
Its wildcard DNS record, *.eth.limo, covers roughly 2 million ENS domains. That meant a successful hijack could have redirected traffic for any .eth page accessed through the gateway, including Vitalik Buterin’s blog at vitalik.eth.limo, toward phishing infrastructure.
EasyDNS said it accepts responsibility for what it described as its first successful social engineering breach in 28 years. For ENS users, the incident is another reminder that decentralization often still depends on very centralized pieces of plumbing, and when one of those pieces slips, the consequences can scale fast.
