A social engineering attack on domain registrar EasyDNS briefly handed an unknown attacker full control of eth.limo, the Ethereum Name Service gateway serving roughly two million .eth domains. The attacker was stopped from redirecting users to phishing sites by a single cryptographic safeguard, one that most victims of similar attacks did not have in place.
How the attack unfolded
The attack began on the evening of Friday, April 17, 2026. According to a post-mortem published by eth.limo the following day, the attacker impersonated a member of the eth.limo development team and initiated an account recovery request with EasyDNS, the project’s domain registrar. The request was approved. By 2:23 a.m. EDT on April 18, eth.limo’s nameservers had been redirected to Cloudflare. Less than two hours later, the attacker switched them again, this time to Namecheap. Automated downtime alerts woke the eth.limo team. EasyDNS restored account access by 7:49 a.m. EDT after the breach was confirmed.
Eth.limo functions as an open-source reverse proxy that translates Ethereum Name Service addresses into browser-accessible HTTPS URLs, giving users a Web2 gateway into decentralized content hosted on IPFS, Arweave, and Swarm. Its wildcard DNS record covers all *.eth.limo subdomains, including Ethereum co-founder Vitalik Buterin’s personal blog at vitalik.eth.limo. A successful, unrestricted hijack of that wildcard would have allowed the attacker to redirect any .eth page toward phishing infrastructure or malware injection.
DNSSEC blocked the worst-case outcome
What prevented mass user exposure was DNSSEC (Domain Name System Security Extensions). The standard cryptographically signs DNS records so that validating resolvers can reject unsigned or incorrectly signed responses. Because the attacker never obtained eth.limo’s signing keys, responses served after each nameserver change they made failed validation. Users saw connection errors instead of phishing pages. “DNSSEC-aware resolvers, which most are these days, began dropping queries,” EasyDNS CEO Mark Jeftovic said in his post-mortem. Eth.limo confirmed it is not currently aware of any user impact from the incident.
EasyDNS accepts full responsibility
Jeftovic published a blog post on Saturday titled “We screwed up and we own it.” He described the attack as “highly sophisticated” and confirmed it was the first successful social engineering breach against an EasyDNS client in the company’s 28-year operating history, despite countless prior attempts.
He declined to detail the exact method used, citing an ongoing internal review. As a direct response to the breach, Jeftovic announced that eth.limo would be migrated to Domainsure, an EasyDNS-affiliated platform built for enterprise and high-value fintech clients that has no account recovery mechanism, eliminating the very entry point exploited on Friday. “On behalf of everyone here, I apologize to the eth.limo team and the wider Ethereum community,” he wrote.
Vitalik warns users, then points to the structural problem
Vitalik Buterin was among the first to alert the public. On X, he told followers: “The kind people at @eth_limo have warned me that there has been an attack on their DNS registrar. So please do not visit vitalik.eth.limo or other eth.limo pages until they confirm that things are back to normal.” He shared a direct IPFS link to his blog and confirmed the situation was resolved by Saturday. But Buterin’s response extended beyond the immediate incident. In January 2026, he had declared 2026 the year developers should push users toward direct IPFS access, away from centralized DNS entirely. Friday’s attack gave that argument fresh weight.
Part of a wider wave of DNS attacks on crypto front-ends
The eth.limo hijack is the latest in a sharp run of registrar-level attacks targeting crypto projects in 2026. Just four days earlier, on April 14, decentralized exchange aggregator CoW Swap had its frontend domain redirected to a malicious phishing site for roughly 90 minutes, with estimated losses of around $500,000.
In March, DeFi advisory platform Steakhouse Financial and yield platform Neutrl both lost domain control through social engineering attacks on their respective registrar support teams. In November 2025, decentralized exchanges Aerodrome and Velodrome were compromised through a NameSilo registrar breach that stripped DNSSEC from their domains, resulting in over $700,000 in user losses. Security firm Hacken reported that Web3 projects lost $482 million to hacks and scams in the first quarter of 2026, with phishing and social engineering accounting for the bulk of incidents.
What makes this pattern particularly frustrating for the Ethereum community is the technical irony it exposes. The smart contracts, ENS records, and IPFS-hosted content targeted in each of these attacks remained fully intact and decentralized throughout. The blockchain layer was never compromised. The front-end layer, the Web2-facing domain that connects users to those decentralized systems, was. As long as centralized registrars offer account recovery and human support staff can be manipulated, that gap will remain open regardless of how robust the underlying protocol is.