A comprehensive post-mortem of the DNS security breach affecting the Ethereum Name Service gateway eth.limo, has revealed that the attack was driven by sophisticated social engineering rather than a technical exploit.
According to the report, EasyDNS handled the compromised account during the incident, which occurred on April 17. Hackers used social engineering tactics to alter domain settings and briefly redirect traffic across multiple name servers, triggering alerts and a coordinated response from the team.
The eth.limo team said the attacker gained access at 19:07 EDT by posing as a staff member during an account recovery process. The intruder then altered DNS records and switched nameservers to external providers.
The team detected the breach through automated downtime alerts and quickly contacted EasyDNS. It also notified the Ethereum community, including Vitalik Buterin, as it worked to contain potential exposure.
Attack timeline exposes rapid DNS takeover
The attackers escalated control in a series of rapid changes. At 02:23 EDT on April 18, they switched nameservers to Cloudflare. They then moved them again to Namecheap at 03:57 EDT. EasyDNS regained account access at 07:49 EDT and reversed the malicious changes. eth.limo services gradually came back online after the rollback.
Engineers said DNSSEC helped limit the damage. Because the malicious records pushed by the attacker lacked the valid cryptographic signatures associated with the eth.limo zone, validating resolvers across the internet rejected the data. This security check effectively “broke” the attack chain for a significant portion of users, preventing them from being redirected to phishing sites. The team confirmed that there has been no verified impact on user funds during the window of compromise.
Industry-wide security concerns intensify
EasyDNS said the incident marked its first successful social engineering compromise in nearly 28 years. The company acknowledged a failure in its account recovery verification process and said it has begun internal changes. It also plans to move high-risk clients to stricter security systems that remove account recovery options.
This security breach occurs against a backdrop of a number of similar breaches on DeFi applications. Past DNS hijacking attacks occurred on protocols like CoW Swap and other DeFi platforms. Hackers conducted redirections on the frontend while attempting to carry out some attacks on wallets. The earlier hack that led to losses for Cream Finance has revealed other risks.
As blockchain back-ends become increasingly secure, the “Web2” infrastructure supporting them—DNS, registrars, and cloud hosting—is becoming a primary target for attackers looking to exploit the human factor.
Also Read: Aave Faces Mounting Bad Debt Crisis After $292M KelpDAO Exploit
