EasyDNS admits to security failure following eth.limo domain hijack


EasyDNS has confirmed that a security failure within its own systems allowed a social engineering attacker to briefly seize control of eth.limo, a primary gateway for the Ethereum Name Service.

Summary

  • An attacker impersonated an eth.limo team member to bypass account recovery protocols at easyDNS and gain control of domain settings.
  • DNSSEC safeguards prevented the redirection of users to malicious sites by rejecting forged responses that lacked valid cryptographic signatures.
  • EasyDNS is migrating the service to Domainsure to eliminate account recovery vulnerabilities and prevent future social engineering breaches.

The incident occurred on Friday when an attacker successfully impersonated an eth.limo team member to initiate an account recovery process, gaining the authority to modify name server records and redirect the domain to Cloudflare.

The eth.limo team, in a post-mortem published Saturday, stated that they immediately notified the community and prominent figures like Ethereum co-founder Vitalik Buterin once the DNS hijack was identified.

Serving as a bridge for roughly 2 million decentralized websites, eth.limo is a high-stakes target because a successful compromise could allow hackers to divert users to malicious pages. Buterin himself issued an urgent warning on Friday, advising his readers to avoid his blog until the team could restore secure operations.

Security extensions prevent widespread impact

EasyDNS CEO Mark Jeftovic noted that the presence of Domain Name System Security Extensions (DNSSEC) played a critical role in stopping the attacker from causing further damage.

Because the hacker lacked the necessary cryptographic signing keys, modern DNSSEC-validating resolvers rejected the forged responses, resulting in users seeing error messages rather than being funneled to phishing sites.
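The rejection described above can be illustrated with the first link a validating resolver checks: the DS record published in the parent zone must match a DNSKEY served by the zone's name servers. This is an added example, not code from easyDNS or eth.limo; the zone name and key material are constructed, and it covers only the DS-to-DNSKEY match (RFC 4034 and RFC 4509), not RRSIG signature verification.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of a domain name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, rdata: bytes) -> tuple:
    """DS fields: key tag, algorithm, digest type 2 (SHA-256), digest."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def validate_delegation(owner: str, parent_ds: list, served_dnskeys: list) -> str:
    """'secure' if a served DNSKEY matches a parent DS record, else 'bogus'."""
    for rdata in served_dnskeys:
        if make_ds(owner, rdata) in parent_ds:
            return "secure"
    return "bogus"  # a validating resolver answers SERVFAIL to the client

# Constructed sample data: placeholder zone and deterministic fake key bytes
# (64 bytes, the size of an algorithm 13 / ECDSA P-256 public key).
ZONE = "example.test."
LEGIT_KSK = dnskey_rdata(257, 13, hashlib.sha512(b"constructed legitimate key").digest())
ROGUE_KSK = dnskey_rdata(257, 13, hashlib.sha512(b"constructed attacker key").digest())
PARENT_DS = [make_ds(ZONE, LEGIT_KSK)]

if __name__ == "__main__":
    print(validate_delegation(ZONE, PARENT_DS, [LEGIT_KSK]))  # original name servers
    print(validate_delegation(ZONE, PARENT_DS, [ROGUE_KSK]))  # swapped name servers, other key
    print(validate_delegation(ZONE, PARENT_DS, []))           # swapped name servers, unsigned
```

The protection holds only while the DS record at the parent stays tied to the legitimate key, so DS and NS changes at the registrar are worth monitoring alongside the zone itself.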

“We screwed up and we own it,” Jeftovic stated on Saturday, acknowledging that this was the first successful social engineering breach in the provider’s 28-year history.

The eth.limo developers highlighted in their own report that these safeguards likely reduced the “blast radius” of the hijack. While the service was disrupted, the team is currently unaware of any confirmed user impact or fund losses.

Jeftovic added that eth.limo is now being migrated to Domainsure, an enterprise-grade platform that does not offer a manual account recovery mechanism, effectively closing the loophole exploited in this attack.

The latest incident is one of the many recent infrastructure attacks hitting the crypto sector. Only days earlier, on April 14, the decentralized exchange aggregator CoW Swap lost control of its domain for several hours following a similar social engineering attack against the .fi registry, leading to an estimated loss of $1.2 million from affected users.
