eth.limo suffered a domain hijack via social engineering at EasyDNS, but DNSSEC blocked real damage. First successful breach in registrar's 28-year history.

How Social Engineering Attack on eth.limo Exposed Crypto’s Domain Security Flaw

2026/04/20 15:51

Key Takeaways

  • A threat actor successfully deceived EasyDNS support staff by posing as an eth.limo team representative to gain unauthorized account control
  • Domain nameservers were switched twice during a five-hour window overnight on April 18, between 2am and 4am EDT
  • DNSSEC cryptographic validation prevented the hijack from compromising user traffic by rejecting illegitimate DNS records
  • Mark Jeftovic, EasyDNS CEO, issued a public mea culpa, acknowledging the registrar’s first successful social engineering compromise since 1997
  • The eth.limo platform is transitioning to Domainsure, which eliminates account recovery pathways to prevent similar incidents

A domain hijacking incident targeted Ethereum Name Service gateway eth.limo late Friday evening after an adversary successfully manipulated EasyDNS personnel through social engineering tactics.

The malicious actor initiated a fraudulent account recovery procedure with EasyDNS at 7:07 p.m. Eastern time on April 17, impersonating legitimate eth.limo personnel. By 2:23 a.m. Eastern on April 18, the attacker had successfully modified eth.limo’s nameserver configuration to point toward Cloudflare infrastructure. A second nameserver modification redirected traffic to Namecheap at 3:57 a.m. Eastern.

Legitimate account control was restored to the authentic eth.limo operators at 7:49 a.m. Eastern, concluding approximately five hours of unauthorized access.

The eth.limo platform functions as a critical bridge connecting conventional web browsers to Ethereum Name Service addresses. The service supports approximately 2 million .eth domains, including the personal website of Ethereum co-creator Vitalik Buterin at vitalik.eth.limo.

Had the hijack succeeded completely, the perpetrator could have redirected visitors to any .eth domain toward malicious phishing infrastructure. Buterin issued warnings Friday advising his audience to avoid all eth.limo URLs temporarily and access content through IPFS instead.

DNSSEC Protection Mechanism Thwarted Complete Compromise

The malicious actor failed to obtain eth.limo’s DNSSEC cryptographic signing keys. Without those keys, the attacker could not generate validly signed DNS responses.

DNS resolvers that validated the data served after the nameserver change found that it did not match the domain’s legitimate cryptographic records. Rather than routing visitors to attacker-controlled destinations, those resolvers returned resolution failures.

Jeftovic emphasized that no additional EasyDNS customers experienced compromise during this incident.

Future Security Measures

The eth.limo domain will migrate to Domainsure, an EasyDNS-affiliated platform designed specifically for enterprise and high-security clients. Domainsure’s architecture deliberately excludes account recovery functionality, eliminating the vulnerability vector exploited in this attack.

Jeftovic indicated that EasyDNS continues investigating the precise methodology the attacker employed during the breach.

This incident represents another data point in an escalating trend. November 2025 witnessed DNS hijacks targeting decentralized exchanges Aerodrome and Velodrome, resulting in over $700,000 stolen from users after attackers compromised registrar NameSilo and stripped DNSSEC protections from those domains.

Stablecoin infrastructure provider Steakhouse Financial revealed a comparable breach on March 30, following successful manipulation of OVH support personnel who removed two-factor authentication safeguards from the account.

The eth.limo gateway has resumed normal operations under authorized team management.

The post How Social Engineering Attack on eth.limo Exposed Crypto’s Domain Security Flaw appeared first on Blockonomi.
