Registrar hijack of eth.limo stopped by DNSSEC
A social-engineering attack on April 17 allowed an attacker to access eth.limo’s registrar and change nameservers; DNSSEC validation stopped malicious responses from reaching users.
On April 17 an attacker used social engineering to gain control of the registrar account for eth.limo and changed the gateway’s nameservers, but DNSSEC validation prevented the attacker from serving malicious responses to users.
According to timelines published by eth.limo and the registrar, the incident began at 7:07 p.m. EDT on April 17 when the attacker impersonated an eth.limo team member and persuaded EasyDNS support to start an account recovery process. The attacker pointed the domain to Cloudflare nameservers at 2:23 a.m. EDT on April 18, then switched the nameservers again to Namecheap at 3:57 a.m. Automated monitoring alerted the eth.limo team, and EasyDNS restored account access at 7:49 a.m. EDT the same morning.
Eth.limo is a free, open-source reverse proxy that serves content linked to Ethereum Name Service (ENS) names by appending “.limo” to a .eth name. The gateway’s wildcard DNS record at *.eth.limo covers roughly two million .eth domains. A successful registrar takeover could have redirected traffic for any .eth site served through the gateway, including high-profile pages such as Vitalik Buterin’s blog at vitalik.eth.limo.
DNSSEC, the domain name system security extension that cryptographically signs DNS records, prevented the attacker from delivering fraudulent addresses. The attacker did not obtain eth.limo’s DNSSEC signing keys, so when validating resolvers checked responses from the attacker's nameservers against the legitimate DS record still cached at the parent zone, the chain of trust failed. Resolvers returned SERVFAIL errors rather than accepting the false records, and eth.limo reports no known user impact.
EasyDNS CEO Mark Jeftovic acknowledged the breach in a blog post titled “We screwed up and we own it.” Jeftovic offered an apology to eth.limo and the broader Ethereum community, and wrote that eth.limo will be migrated to Domainsure, an EasyDNS-affiliated service for enterprise clients that does not include an account recovery mechanism. He declined to disclose specifics of how the support process was tricked while an internal review continues.
Ethereum co-founder Vitalik Buterin advised users to avoid eth.limo URLs and to access content via IPFS while the incident was investigated, and later confirmed the situation was “all resolved now.” EasyDNS reported no other customers were affected.
Registrar-level account takeovers have been used in other attacks on crypto front ends, including incidents that removed DNSSEC or two-factor protections and allowed cloned sites to serve wallet-draining pages. Eth.limo and registrar operators are reviewing account recovery procedures and protections to reduce the risk of similar social-engineering attacks in the future.
The content on The Coinomist is for informational purposes only and should not be interpreted as financial advice. While we strive to provide accurate and up-to-date information, we do not guarantee the accuracy, completeness, or reliability of any content. Neither we accept liability for any errors or omissions in the information provided or for any financial losses incurred as a result of relying on this information. Actions based on this content are at your own risk. Always do your own research and consult a professional. See our Terms, Privacy Policy, and Disclaimers for more details.








