---

Canadian domain registrar EasyDNS has publicly accepted responsibility for an April 18 attack that handed control of eth.limo, a widely used Ethereum Name Service (ENS) gateway, to unknown threat actors. The attackers used social engineering to manipulate EasyDNS support staff into executing a fraudulent account recovery, transferring domain control without compromising any technical systems. It was the registrar's first successful social engineering breach in nearly three decades of operation.

EasyDNS founder and CEO Mark E. Jeftovic did not soften the company's response. In a blog post titled "We screwed up and we own it: The eth.limo sh*tshow is on us," Jeftovic wrote that the incident was "a huge black eye for us, and we know it," and acknowledged it as "the first successful social engineering attack against an easyDNS client in our 28-year history." No other client accounts, internal systems, or data were affected. The failure was confined entirely to human verification processes on a single account.

What eth.limo Does and Why It Matters

eth.limo is free, open-source infrastructure that translates .eth blockchain domain names into standard HTTPS web addresses. Without it, accessing decentralized websites built on ENS would require running an IPFS node. The service handles roughly 1 to 1.5 million requests per day and processed over 287 million requests in Q4 2025 alone, accounting for 85 to 89 percent of all traffic across its three domains. ENS itself has approximately 2.8 million registered .eth names in total, of which around 2 million are accessible through eth.limo; approximately 910,000 active domains are growing at 8 percent month over month, according to CoinMarketCap data. Disrupting eth.limo means disrupting access to a significant portion of the decentralized web.

The incident carries a particular irony. In 2023, eth.limo's then-registrar Njalla redirected the domain to a parking page without notice, prompting the team to seek a more transparent and security-conscious provider. They moved to EasyDNS specifically because of the registrar's reputation for transparency and its crypto-aligned ethos. That trust made this breach all the more damaging.

Ethereum co-founder Vitalik Buterin issued a public warning at approximately 11:03 UTC on April 18, urging users to avoid all eth.limo URLs until the service confirmed it was safe. The eth.limo team confirmed the hijack within minutes. As of publication, no user fund losses from this incident have been confirmed.

DNSSEC Contained the Attack

One factor that limited the damage was eth.limo's use of DNSSEC, a security extension to the Domain Name System. When attackers attempted to redirect the domain's nameservers, resolvers that support DNSSEC rejected the changes because the new records lacked proper cryptographic signatures. This blocked malicious redirects for a substantial portion of users. That protection was absent in several high-profile prior incidents, where the lack of DNSSEC allowed attackers to redirect users to fraudulent sites and drain significant funds before the hijacks were detected. Domainsure, a registrar purpose-built for Web3 projects and the destination for eth.limo's post-incident domain migration (discussed in the final section), has noted that DNSSEC implementation across the broader registrar industry is "still largely unsupported or poorly implemented," meaning the protection that helped here is far from standard.

A Familiar Pattern in Web3

The eth.limo incident follows a well-documented pattern of DNS-layer attacks targeting crypto front-ends. In November 2025, a DNS hijack hit Aerodrome and Velodrome Finance, draining more than 1 million dollars in under an hour while the underlying smart contracts remained untouched. Curve Finance suffered a similar attack in 2025, executed through the registrar iwantmyname, that cost users approximately 520,000 dollars. A prior Curve Finance DNS attack in 2022 cost users approximately 570,000 dollars, underscoring how long this attack vector has been exploited. In September 2023, Balancer lost around 238,000 dollars after attackers used social engineering against its registrar EuroDNS; those attackers deployed Angel Drainer phishing contracts and bridged stolen ETH to Bitcoin via THORChain to obscure the trail. In each case, on-chain infrastructure was secure; the breach occurred at the web interface layer where users actually interact with these protocols. The FBI reported that Americans lost 11.4 billion dollars to crypto scams broadly in 2025, while Chainalysis recorded 132 phishing incidents in the first half of that year alone, accounting for 410.7 million dollars in losses. Those figures are not limited to DNS-layer attacks specifically, but they illustrate the scale of the threat environment in which incidents like the eth.limo hijack occur.

Regional Exposure Is Significant

Users outside the United States and Europe face disproportionate risk from this type of attack. In countries such as Nigeria, India, Pakistan, and Kenya, where regulatory uncertainty or exchange restrictions push users toward decentralized protocols, browser-based gateways like eth.limo are often the primary access point. These users are less likely to reach for technical alternatives, such as native IPFS tools, if a gateway is compromised. Chainalysis consistently ranks Nigeria, India, and Pakistan among the top countries for crypto adoption, yet security awareness in these markets has not kept pace with growth. ENS-based sites are also used by journalists, activists, and privacy-focused users in censorship-sensitive environments across South and Southeast Asia. Indonesian crypto outlet Tokocrypto News published a Bahasa-language warning about the hijack on April 18, signaling that the incident reached Southeast Asian communities.

What Comes Next

eth.limo is migrating its domain registration to Domainsure, a registrar that has no account recovery mechanism by design, removing the attack vector that made this breach possible. Readers should note that Domainsure is both eth.limo's chosen migration destination and the source of several industry observations cited in this article; its commentary on registrar security practices reflects a direct commercial interest in Web3 domain migration. The migration sets a concrete precedent for Web3 projects that have not treated registrar-level security as a priority. As Domainsure has stated: "Your crypto project is only as strong as its weakest link, and for most Web3 platforms, that's the domain and DNS layer." For the ENS ecosystem and the broader decentralized web, this incident makes clear that on-chain security alone is not enough.