The Ethereum Name Service gateway eth.limo said its domain hijack on Friday stemmed from a social engineering attack targeting its DNS provider, EasyDNS.
In a post-mortem released Saturday, eth.limo explained that an attacker impersonated a team member to trigger an account recovery request with EasyDNS, gaining access to the account and modifying domain settings.
“The NS records were changed and directed to Cloudflare… Once we realized a DNS hijack had occurred, we immediately alerted the community as well as Vitalik Buterin and others, and began working with EasyDNS to respond,” the team said.
Eth.limo functions as a Web2 bridge, enabling access to roughly 2 million decentralized websites using .eth domains. A compromise of the service could allow attackers to redirect users to malicious destinations. Buterin had earlier warned users to avoid his blog until the issue was resolved.
Mark Jeftovic, CEO of EasyDNS, accepted responsibility in a separate report, stating: “We screwed up and we own it.”
“This would mark the first successful social engineering attack against an easyDNS client in our 28-year history. There have been countless attempts.”
Both companies said that Domain Name System Security Extensions played a key role in limiting the impact of the attack.
Because the attacker couldn’t generate valid cryptographic signatures, DNS resolvers rejected the forged records, meaning users encountered error messages instead of being redirected to malicious sites.
“DNSSEC was enabled on the domain when the attackers tried to switch the nameservers, likely to carry out phishing or malware injection,” said Mark Jeftovic. “DNSSEC-aware resolvers — which most are today — began dropping those queries.”
In its post-mortem, eth.limo said the attacker didn’t have access to the domain’s signing keys, preventing them from bypassing DNSSEC protections and likely “reducing the blast radius of the hijack.” The team added that it is not aware of any user impact so far but will provide updates if that changes.
Meanwhile, EasyDNS has begun implementing changes following the incident. CEO Mark Jeftovic described the social engineering attack as “highly sophisticated” and said the company is continuing its internal review to determine exactly how the breach occurred while rolling out measures to prevent a recurrence.
Mark Jeftovic said eth.limo will be migrated to Domainsure, a platform designed for high-security use cases. He noted that Domainsure does not support account recovery mechanisms, reducing the risk of similar social engineering attacks.
“On behalf of everyone here, I apologize to the eth.limo team and the wider Ethereum Name Service community,” Jeftovic added, highlighting EasyDNS’s long-standing involvement with ENS since 2017.
The eth.limo breach is the latest in a string of domain hijacks targeting crypto projects. Just days earlier, CoW Swap lost control of its website after an unknown attacker took over its domain.
Similarly, Steakhouse Financial revealed in late March that it had also lost control of its domain to an attacker.
