Social engineering at easyDNS led to eth.limo hijack
Attackers impersonated an eth.limo team member to obtain easyDNS account recovery, change nameservers and briefly hijack the .eth gateway; DNSSEC limited impact.
On Friday, attackers impersonated an eth.limo team member, initiated an account recovery with easyDNS, gained access to the eth.limo domain account and changed the domain’s nameserver (NS) records to point to Cloudflare. Eth.limo published a postmortem on Saturday and alerted the community while contacting easyDNS to respond to the incident.
Eth.limo operates a Web2 gateway that provides access to about 2 million decentralized websites that use .eth names. A successful hijack of the gateway could have redirected users to malicious pages; eth.limo said it immediately informed users and notified Ethereum co‑founder Vitalik Buterin during the response.
The Domain Name System Security Extensions (DNSSEC) prevented a larger attack. The attacker did not have the domain’s signing keys and therefore could not produce valid cryptographic signatures for forged DNS responses. DNSSEC‑aware resolvers rejected the forged responses and dropped queries, which produced error messages instead of sending users to potentially malicious sites.
Mark Jeftovic, easyDNS chief executive, acknowledged the breach in the company’s postmortem and wrote, “We screwed up and we own it.” He added that DNSSEC was enabled for the domain when the attackers attempted to change the nameservers and that DNSSEC‑aware resolvers began dropping queries.
easyDNS described the social engineering as highly sophisticated and said it has launched a further investigation into how the attack succeeded. The company plans to migrate the eth.limo account to Domainsure, which it described as having an enterprise security posture and no account recovery process.
Eth.limo said the attacker’s lack of signing keys likely reduced the blast radius of the hijack and that it was not aware of any user impact at the time of its report. Eth.limo committed to providing updates if evidence of user impact appears.
The incident follows recent domain compromises affecting crypto projects, including CoW Swap and Steakhouse Financial. easyDNS noted the attack was the first successful social engineering breach of one of its clients in 28 years and said it routinely sees attempted attacks. Both companies reported they are strengthening procedures and monitoring for further issues.