TL;DR
- An attacker impersonated an eth.limo team member and convinced EasyDNS to start an account recovery flow, leading to a brief hijack of the gateway.
- Nameservers were switched to Cloudflare and then Namecheap before the legitimate team regained access, and EasyDNS accepted responsibility for the breach.
- Because *.eth.limo covers roughly 2 million ENS domains, the compromise briefly created potential phishing risk across a much wider slice of ENS browser access overall.
eth.limo was briefly hijacked after an attacker manipulated EasyDNS into opening an account recovery flow, exposing how much decentralized access can still depend on a single old-world support process. The incident did not begin with a smart contract failure or wallet compromise, but with a registrar being socially engineered into trusting the wrong person. The gateway was targeted late Friday after the attacker impersonated a member of the eth.limo team, turning an administrative safeguard into the opening move of a broader domain takeover. The episode lasted only hours, but it cut into a critical layer of ENS access.
At 7:07 p.m. EDT on April 17, the attacker contacted EasyDNS while posing as an eth.limo team member. Hours later, at 2:23 a.m. EDT on April 18, the domainās nameservers were changed to Cloudflare, setting off automated downtime alerts that woke the real team. The nameservers were changed again at 3:57 a.m., this time to Namecheap, before account access was restored to the legitimate operators at 7:49 a.m. EasyDNS later accepted responsibility and described the breach as its first successful social engineering incident in 28 years.
— ETH.LIMO š¦š (@eth_limo) April 18, 2026
The Blast Radius Was Far Larger Than One Domain
eth.limo is not just a redirect. It functions as a free, open-source reverse proxy that lets standard browsers reach ENS-linked content stored on IPFS, Arweave, or Swarm by appending ā.limoā to a .eth name. Its wildcard DNS record covers roughly 2 million ENS domains, which meant the compromise could have redirected a huge amount of ordinary browser traffic toward phishing infrastructure. That potential included high-profile destinations such as Vitalik Buterinās blog at vitalik.eth.limo, turning what looked like a registrar mistake into a much broader trust problem. In practical terms, one support failure briefly put a massive slice of ENS accessibility at risk.
The lesson is difficult to miss. Decentralization can still rest on centralized plumbing, and when one of those support layers breaks, the fallout can scale much faster than the underlying protocol itself. This hijack did not expose a flaw in ENS naming or in eth.limoās core idea. It exposed the fragility of recovery workflows, registrar trust, and the human checkpoints wrapped around crypto infrastructure. That is why the breach felt so unsettling: the code held, but the access rails around it briefly did not for users everywhere.
