Key Takeaways
- An attacker successfully impersonated eth.limo staff to manipulate EasyDNS into granting unauthorized account control
- DNS nameservers were altered twice during a five-hour window from 2am to 7am on April 18
- DNSSEC security protocols prevented the hijacking from affecting end users by rejecting unauthorized DNS changes
- EasyDNS leadership issued a public apology, confirming this as their first social engineering compromise in nearly three decades
- The gateway service is transitioning to Domainsure, which eliminates account recovery vulnerabilities
A sophisticated social engineering operation compromised the domain infrastructure of eth.limo, an Ethereum Name Service gateway, late Friday evening when an attacker successfully deceived domain registrar EasyDNS.
The malicious actor initiated a fraudulent account recovery request at 7:07 p.m. EDT on April 17, posing as legitimate eth.limo personnel. Within seven hours, by 2:23 a.m. EDT the following morning, the hijacker had successfully redirected eth.limo’s nameservers to Cloudflare infrastructure. Another modification occurred at 3:57 a.m. EDT, shifting control to Namecheap servers.
EasyDNS security teams reinstated proper account credentials to the authentic operators at 7:49 a.m. EDT, concluding approximately five hours of unauthorized domain control.
The eth.limo platform serves as a critical bridge connecting conventional web browsers to Ethereum Name Service infrastructure. The service facilitates access to approximately 2 million .eth domains, including high-profile sites like Ethereum co-founder Vitalik Buterin’s personal blog hosted at vitalik.eth.limo.
Had the breach been fully effective, the perpetrator could have rerouted traffic from any .eth address to malicious phishing infrastructure. Buterin immediately cautioned his community on Friday to temporarily avoid all eth.limo connections and recommended direct IPFS access instead.
DNSSEC Protocol Prevented User Impact
What thwarted the attack was the attacker's inability to obtain eth.limo's DNSSEC cryptographic signing keys. The digital signatures produced with these keys are essential for validating DNS record authenticity.
When DNS resolvers attempted to verify the compromised nameserver information, they detected inconsistencies with legitimate cryptographic signatures. Rather than routing users to potentially malicious destinations, the resolvers generated error responses.
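The delegation check behind that behaviour, as an added example (not code from eth.limo or EasyDNS): the parent zone's DS record pins a hash of the domain's key, so a nameserver that serves a different key, or none at all, fails validation. The key bytes are constructed, the DS record is reduced to a (key tag, digest) pair, and RRSIG verification is left out.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical (lowercase) DNS wire format of an owner name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    """Key tag over DNSKEY RDATA, per RFC 4034 Appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner, rdata):
    """DS digest type 2: SHA-256(owner wire name | DNSKEY RDATA)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def validate_delegation(owner, parent_ds, served_dnskeys):
    """'secure' if a served DNSKEY matches a DS held by the parent zone.

    With a DS present at the parent, a child that serves no matching key
    (re-signed with another key, or unsigned) is 'bogus', and a validating
    resolver answers with an error instead of the forged records.
    """
    for rdata in served_dnskeys:
        if (key_tag(rdata), ds_digest(owner, rdata)) in parent_ds:
            return "secure"
    return "bogus"

# Constructed sample keys (not real eth.limo key material).
# Flags 257 = key-signing key, algorithm 13 = ECDSA P-256 with SHA-256.
LEGIT_KSK = dnskey_rdata(257, 13, bytes(range(64)))
ROGUE_KSK = dnskey_rdata(257, 13, bytes(range(64, 128)))
PARENT_DS = {(key_tag(LEGIT_KSK), ds_digest("eth.limo", LEGIT_KSK))}

if __name__ == "__main__":
    cases = [("original nameservers", [LEGIT_KSK]),
             ("hijacked, signed with another key", [ROGUE_KSK]),
             ("hijacked, unsigned", [])]
    for label, keys in cases:
        print(label, "->", validate_delegation("eth.limo", PARENT_DS, keys))
```

The protection holds only while the DS record at the parent stays intact, which is why the Aerodrome and Velodrome case mentioned later, where DNSSEC was disabled, ended differently.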
“DNSSEC likely reduced the blast radius of the hijack. We are not aware of any user impact at this time,” the eth.limo team stated in their incident analysis.
Buterin provided confirmation on Saturday that circumstances were “all resolved now.”
Mark Jeftovic, CEO of EasyDNS, released a transparent incident report entitled “We screwed up and we own it.” He acknowledged this represented the registrar’s first successful social engineering penetration across its 28-year operational history.
“This would mark the first successful social engineering attack against an easyDNS client in our 28-year history. There have been countless attempts,” Jeftovic acknowledged.
Jeftovic emphasized that no additional EasyDNS clients experienced security compromises during this incident.
Future Security Measures
The eth.limo domain will be transferred to Domainsure, an EasyDNS-affiliated platform specifically designed for enterprise and high-security requirements. Domainsure’s architecture completely eliminates account recovery procedures, effectively removing the vulnerability exploited in this attack.
Jeftovic confirmed that EasyDNS continues investigating the precise methodology employed by the attacker.
This security incident reflects an escalating trend across the cryptocurrency sector. Last November, DNS hijacking attacks targeting decentralized exchanges Aerodrome and Velodrome resulted in over $700,000 in user losses after attackers compromised registrar NameSilo and disabled DNSSEC protections.
Similarly, Steakhouse Financial, a stablecoin protocol, reported a comparable security breach on March 30, following social engineering manipulation of OVH support personnel who removed two-factor authentication safeguards.
The eth.limo gateway has returned to full operational status under legitimate administrative control.


