07/22/2025 - Updated on 07/23/2025
EasyDNS has admitted that a staff impersonation attack briefly handed an attacker control of eth.limo, the gateway used by roughly 2 million ENS-linked sites, after an internal account recovery process was exploited to alter DNS records.
According to EasyDNS, the eth.limo domain hijack unfolded on Friday when a threat actor impersonated a legitimate team member and triggered an account recovery process. This allowed the attacker to gain sufficient privileges to alter DNS records and redirect traffic through Cloudflare infrastructure, potentially exposing users to malicious endpoints.
The hijack targeted a service that acts as a bridge for the Ethereum Name Service (ENS), enabling users to access decentralized websites through standard browsers. With roughly 2 million sites relying on this gateway, the incident represented a significant systemic risk.
In a post-incident disclosure, the eth.limo team confirmed that the attacker exploited human factors rather than technical vulnerabilities. By successfully impersonating an internal contact, the attacker bypassed safeguards and initiated changes to name server records.
The team responded quickly once the eth.limo domain hijack was detected, issuing alerts across the community and notifying key figures, including Vitalik Buterin. Buterin subsequently warned users to avoid interacting with his ENS-linked blog until the issue was resolved.
“This was a clear case of social engineering targeting account recovery workflows,” the team stated, emphasizing that the eth.limo domain hijack did not stem from a flaw in ENS itself but rather in centralized DNS management.
Despite the severity of the incident, the impact of the eth.limo domain hijack was partially contained due to the deployment of Domain Name System Security Extensions (DNSSEC). This cryptographic safeguard prevented attackers from fully exploiting the compromised domain.
Mark Jeftovic acknowledged the failure candidly: “We screwed up and we own it.” He explained that while the attacker could manipulate DNS records, they lacked the private keys required to sign malicious responses.
As a result, DNSSEC-validating systems rejected the fraudulent data during the eth.limo domain hijack, so users encountered errors instead of being redirected to phishing sites. This significantly reduced the potential fallout.
Security analysts say the eth.limo domain hijack demonstrates the importance of layered defenses. “DNSSEC acted as a backstop here,” noted a cybersecurity researcher familiar with the incident. “Without it, this could have escalated into a large-scale phishing campaign.”
The eth.limo team echoed this view, stating that these protections limited the “blast radius” of the hijack. At the time of reporting, there were no confirmed cases of stolen funds or user compromise.
The eth.limo domain hijack arrives amid a growing wave of infrastructure-level attacks in the crypto sector, where adversaries increasingly target DNS providers and domain registries instead of blockchain protocols.
To prevent a recurrence, EasyDNS confirmed that eth.limo is being migrated to a more secure platform that eliminates manual account recovery, a key vulnerability exploited during the hijack. The move is expected to harden defenses against similar social engineering tactics.
Experts argue that the eth.limo domain hijack underscores a broader contradiction in Web3: decentralized applications often depend on centralized infrastructure layers. “You can have a trustless blockchain, but if your DNS is compromised, users are still at risk,” said a blockchain security consultant.
The eth.limo domain hijack also follows closely on the heels of another incident involving CoW Swap. Just days earlier, attackers leveraged social engineering to seize control of its domain via a registry-level exploit, leading to approximately $1.2 million in user losses.
Taken together, these events highlight a troubling pattern. The eth.limo domain hijack is not an isolated case but part of a broader attack trend focusing on weak points in the supporting infrastructure of decentralized ecosystems.
For many observers, the incident serves as a critical warning about the fragility of the systems underpinning decentralized access. While blockchain protocols remain secure, the interfaces users rely on are increasingly being targeted.
EasyDNS’s admission marks a rare moment of accountability in the industry. Still, the eth.limo domain hijack raises difficult questions about operational security, particularly around identity verification and recovery procedures.
As the crypto sector matures, incidents like the eth.limo domain hijack are likely to accelerate the push toward more resilient, trust-minimized infrastructure. Until then, users and developers alike must remain vigilant.
In the aftermath of the eth.limo domain hijack, one lesson stands out clearly: even in a decentralized world, the weakest link often lies in the systems that connect it to the traditional internet.