The ENS gateway eth.limo, which routes traffic for roughly 2 million .eth domains, was briefly hijacked on April 17, 2026, after attackers manipulated registrar processes through social engineering.
The breach allowed unauthorized changes to domain settings, raising the risk of large-scale phishing. Yet the outcome diverged from typical DNS attacks. Domain Name System Security Extensions (DNSSEC), a protocol that verifies DNS responses, prevented the attacker from delivering malicious responses to users.
The kind people at @eth_limo have warned me that there has been an attack on their DNS registrar. So please do not visit https://t.co/2EcsFBZY0b or other https://t.co/9nFLru9kS0 pages until they confirm that things are back to normal.
You can check my blog via IPFS directly…
— vitalik.eth (@VitalikButerin) April 18, 2026
The incident traces back to a targeted impersonation attempt against EasyDNS. According to both the registrar and the eth.limo team, the attacker posed as a legitimate team member and triggered an account recovery process.
This granted access to the eth.limo domain account. From there, the attacker changed nameserver records twice within hours, first pointing traffic to Cloudflare and later to Namecheap. Nameserver records effectively determine where all user traffic is routed, making them a primary target in DNS-level attacks.
The eth.limo team detected the issue through automated downtime alerts and began mitigation within hours. Access was restored the same morning.
What could have become a high-impact exploit was contained by DNSSEC. The domain had DNSSEC enabled, which cryptographically verifies DNS responses.
DNSSEC verifies that DNS responses are genuine by checking them against trusted records, ensuring attackers cannot serve fake data even if they change domain settings.
Lots going around about the @eth_limo DNS attack and what this means about ENS+IPFS website security. Fortunately, it appears this attack wasn't as bad as it seemed at first:
1) No malicious records were actually served due to DNSSEC (cryptography works)
2) It was the fault of… pic.twitter.com/PvuigAuEv0
— brantly.eth (@BrantlyMillegan) April 18, 2026
When the attacker changed nameservers, they didn’t possess the required signing keys. As a result:
The eth.limo team stated they aren’t aware of any user impact. This is consistent with how DNSSEC is designed to respond when verification fails.
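The check that makes a nameserver swap fail without the signing keys, as an added example (not code from eth.limo, EasyDNS or the article): a validating resolver hashes the DNSKEY it is served and compares it with the DS record published by the parent zone. It covers only this DS-to-DNSKEY link of the chain, assumes the DS record at the parent was left in place, and uses constructed key material.

```python
import hashlib
import struct

ZONE = "eth.limo"  # zone name from the article; all key material below is constructed

def wire_name(name: str) -> bytes:
    """Canonical wire format: lower-cased, length-prefixed labels, root terminator."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(public_key: bytes, flags: int = 257, algorithm: int = 15) -> bytes:
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key (RFC 4034)."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag checksum from RFC 4034, Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner: str, rdata: bytes) -> tuple:
    """DS tuple: (key tag, algorithm, digest type 2 = SHA-256, hex digest)."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def chain_intact(owner: str, parent_ds: set, served_dnskeys: list) -> bool:
    """True only if some served DNSKEY hashes to a DS the parent zone publishes."""
    return any(make_ds(owner, k) in parent_ds for k in served_dnskeys)

# Constructed 32-byte stand-ins for Ed25519 public keys (algorithm 15).
OWNER_KSK = dnskey_rdata(hashlib.sha256(b"constructed owner key").digest())
OTHER_KSK = dnskey_rdata(hashlib.sha256(b"constructed key on new nameservers").digest())
PARENT_DS = {make_ds(ZONE, OWNER_KSK)}  # what the parent zone keeps publishing

def scenario_results() -> dict:
    """Outcome of the DS check for the original and the swapped nameservers."""
    return {
        "original nameservers": chain_intact(ZONE, PARENT_DS, [OWNER_KSK]),
        "new nameservers, different key": chain_intact(ZONE, PARENT_DS, [OTHER_KSK]),
        "new nameservers, unsigned zone": chain_intact(ZONE, PARENT_DS, []),
    }

if __name__ == "__main__":
    for case, ok in scenario_results().items():
        print(f"{case}: {'validates' if ok else 'bogus, resolver refuses the answer'}")
```

The same comparison works as a monitoring check: alert whenever the DNSKEY set served for a zone no longer matches any DS record at the parent.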
Not our proudest moment, but…
That @eth_limo nameserver hijack was on us… https://t.co/8JSePCRRyW
— easyDNS (@easyDNS) April 18, 2026
The scale of the incident is significant. eth.limo acts as a bridge between decentralized naming via Ethereum Name Service and standard browsers. Its wildcard domain supports access to millions of endpoints, including high-profile pages such as Vitalik Buterin’s blog via vitalik.eth.limo.
A successful hijack at this layer could redirect large volumes of traffic without touching the underlying blockchain. Similar risks have already materialized in recent months. In November 2025, DNS hijacks targeting Aerodrome and Velodrome front-ends led to more than $700,000 in user losses after attackers compromised registrar accounts and removed DNSSEC protections.
On March 30, 2026, DeFi advisory firm Steakhouse Financial disclosed a similar incident, where attackers socially engineered hosting support to remove security controls and briefly serve a wallet drainer through a cloned site.
EasyDNS CEO Mark Jeftovic publicly accepted responsibility, calling it the first successful social engineering breach in the company’s 28-year history. The firm is now moving eth.limo to a stricter service model that removes account recovery pathways.
The incident also reinforces a key limitation. DNSSEC protected users in this case, but it doesn’t eliminate reliance on centralized infrastructure. Access points like domain registrars remain a critical attack surface.
That trade-off remains unresolved across the ecosystem.
