Ethereum Name Service gateway eth.limo was briefly hijacked at its domain registrar on Friday evening via a social engineering attack, the project said in a post-mortem published Saturday.

At 7:07 p.m. EDT on April 17, an attacker impersonated an eth.limo team member to trick registrar EasyDNS into running an account recovery process, according to the post-mortem and a separate blog post from EasyDNS CEO Mark Jeftovic.

The attacker flipped eth.limo's nameservers to Cloudflare at 2:23 a.m. EDT on April 18, triggering automated downtime alerts that woke the eth.limo team. The nameservers were then switched again to Namecheap at 3:57 a.m. EDT before EasyDNS restored the team's account access at 7:49 a.m. EDT, per the timeline.

eth.limo is a free, open-source reverse proxy that lets users reach ENS-linked content hosted on IPFS, Arweave, or Swarm through a standard browser by appending ".limo" to any .eth name. Its wildcard DNS record at *.eth.limo covers roughly 2 million .eth domains registered through ENS, per figures cited by EasyDNS.

A successful hijack of that wildcard would have let the attacker redirect traffic for any .eth page accessed through the gateway, including Ethereum co-founder Vitalik Buterin's personal blog at vitalik.eth.limo, toward phishing infrastructure.

"On behalf of everyone here, I apologize to the eth.limo team and the wider Ethereum community," Jeftovic wrote. "ENS has always had a special place in our heart as the first registrar to enable ENS linking to web2 domains and we’ve been involved in the space since 2017."

DNSSEC as backstop

What prevented that outcome, both teams said, was DNSSEC. The standard cryptographically signs DNS records so that validating resolvers can reject unsigned or incorrectly signed responses.

Because the attacker never obtained eth.limo's signing keys, the chain of trust broke when resolvers checked the attacker's new nameserver responses against the legitimate DS record still cached from the parent zone. Resolvers returned SERVFAIL errors rather than the malicious answers, per eth.limo.

"DNSSEC likely reduced the blast radius of the hijack. We are not aware of any user impact at this time," the eth.limo team wrote.

Buterin, who had warned users on Friday to avoid all eth.limo URLs and pointed them to IPFS directly, confirmed Saturday that the situation was "all resolved now."

EasyDNS' mea culpa

In his blog post, titled "We screwed up and we own it," Jeftovic said the incident marked the first successful social engineering attack against an EasyDNS customer in the firm's 28-year history, and that no other customers were affected.

Jeftovic said eth.limo will be migrated to Domainsure, an EasyDNS-affiliated service aimed at enterprise and fintech clients that does not offer any account recovery mechanism. He declined to detail exactly how the attacker fooled the support process, citing an ongoing internal post-mortem.

Domain hijackings on the rise

The incident is the latest in a steady run of registrar-level compromises targeting crypto front-ends whose underlying smart contracts are decentralized but whose user-facing domains are not.

In November, DNS hijacks of decentralized exchanges Aerodrome and Velodrome drained more than $700,000 from users after attackers compromised an account at registrar NameSilo and stripped DNSSEC from the affected domains.

Stablecoin-focused protocol Steakhouse Financial disclosed a similar incident on March 30 after OVH support staff were socially engineered into removing two-factor authentication from its account, briefly allowing a wallet drainer to be served from a cloned site. Yield platform Neutrl suffered a similar incident in March as well.

In an ironic turn, eth.limo had provided "whiteglove" support to the Aerodrome team during the November hijack, according to an ENS DAO Q4 2025 update, with its gateway often held up as the decentralized fallback of choice when a DeFi front-end goes dark.

Buterin has long argued that Ethereum's dependence on centralized DNS resolution is a form of trust backsliding, and in January declared 2026 the year developers should reverse it by pushing users toward direct IPFS access paths. That is the same workaround he pointed to during Friday's incident, telling followers they could "check my blog via IPFS directly" while the gateway was down.

eth.limo's service is back online under its original team's control, according to the project.