ETHlimo Post-Mortem Explains ENS-to-Web DNS Hijack

By Defiliban

ETH.LIMO says a Friday night DNS hijack temporarily hit one of Ethereum's better-known ENS-to-web gateways, and its Saturday post-mortem traced the incident to a social engineering attack aimed at registrar easyDNS. Because eth.limo helps ordinary browsers reach ENS-linked content, the disruption turned a registrar problem into a broader Ethereum access and trust issue.

TLDR Keypoints

  • ETH.LIMO's Saturday, April 18, 2026 post-mortem said the compromise began around 19:07 EDT on Friday, April 17, 2026 and traced it to social engineering aimed at easyDNS.
  • easyDNS called it the first successful social engineering attack against a client in its 28-year history and said no other customers or internal systems were compromised.
  • The registrar also said eth.limo bridges roughly 2 million .eth names, while DNSSEC-aware resolvers dropped attacker queries after a nameserver flip attempt.

What ETH.LIMO Said in Its Post-Mortem

In a post-mortem shared on Saturday, April 18, 2026, ETH.LIMO said its easyDNS account was compromised at about 19:07 EDT on Friday, April 17, 2026. That sequence turned a Friday night registrar incident into a Saturday explanation of how an ENS web gateway lost DNS control.

Before publishing the fuller write-up, ETH.LIMO warned on X that "our domain appears to have been compromised and the https://eth.limo domain has been hijacked," framing the incident as an active remediation effort rather than a completed recovery.

easyDNS described eth.limo as the ENS gateway that gives ordinary browsers access to roughly 2 million .eth names. That 2 million-name scope is why a single registrar-layer failure mattered well beyond one front end.

How the DNS Hijack Was Traced

Tracing a DNS hijack means identifying which control point changed a domain's routing and when. In ETH.LIMO's account, the failure path ran through its registrar relationship with easyDNS, not through ENS records on Ethereum itself.

Cause Analysis

According to ETH.LIMO's post-mortem, the easyDNS account compromise came through a social engineering attack directed at easyDNS. easyDNS separately wrote that the attack was its first successful social engineering incident against a client in 28 years.

ETH.LIMO's attribution to social engineering and easyDNS's 28-year admission together point to an account-recovery and human-verification failure at the registrar layer, not a compromise of ENS resolution on Ethereum. It is a familiar architecture lesson in crypto infrastructure: the decentralized naming layer can still inherit risk from the conventional services wrapped around it.

Response and Mitigation

easyDNS said DNSSEC was enabled and that DNSSEC-aware resolvers dropped attacker queries when the attacker tried to flip nameservers. In plain language, validating resolvers rejected the tampered state instead of trusting the changed delegation.

The registrar also said no other customers were impacted and no easyDNS systems or data were compromised. easyDNS's own statement narrows the incident to ETH.LIMO's domain control plane, even if the user-facing effect was broad.
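
An added example (not from ETH.LIMO, easyDNS or this article): a defender-side monitor that compares polled parent-zone delegation data against a pinned baseline, reports when the first deviation appeared, and separates an NS flip that validating resolvers reject from DS changes that they do not. The `Snapshot` type, hostnames, digests and timestamps are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Snapshot:
    """One poll of the parent zone for a monitored domain (constructed type)."""
    time: str        # UTC poll time, ISO 8601
    ns: frozenset    # NS names in the parent-side delegation
    ds: frozenset    # DS digests published at the parent

def classify(baseline: Snapshot, seen: Snapshot) -> str:
    """Compare one observation with the pinned baseline."""
    ns_changed = seen.ns != baseline.ns
    ds_changed = seen.ds != baseline.ds
    if not ns_changed and not ds_changed:
        return "ok"
    if not seen.ds:
        # No DS at the parent: resolvers treat the zone as unsigned,
        # so validation no longer protects anyone.
        return "ds-removed"
    if ds_changed:
        # Chain of trust re-anchored: benign only for a planned key rollover.
        return "ds-replaced"
    # NS moved but the pinned DS stayed. Servers without the zone's signing
    # key cannot produce signatures that chain to it, so validating resolvers
    # fail the lookup; non-validating resolvers still follow the new NS set.
    return "ns-flip-ds-intact"

def first_deviation(baseline, snapshots):
    """Return (time, verdict) for the earliest non-baseline poll, or None."""
    for snap in sorted(snapshots, key=lambda s: s.time):
        verdict = classify(baseline, snap)
        if verdict != "ok":
            return snap.time, verdict
    return None

# Constructed sample data; .test names and digests are placeholders.
GOOD_NS = frozenset({"ns1.provider.test", "ns2.provider.test"})
OTHER_NS = frozenset({"ns1.unknown.test"})
GOOD_DS = frozenset({"constructed-digest-a"})
BASELINE = Snapshot("2026-01-01T00:00:00Z", GOOD_NS, GOOD_DS)
SAMPLE = [
    Snapshot("2026-01-01T00:10:00Z", OTHER_NS, GOOD_DS),
    Snapshot("2026-01-01T00:05:00Z", GOOD_NS, GOOD_DS),
    Snapshot("2026-01-01T00:15:00Z", OTHER_NS, frozenset()),
]

if __name__ == "__main__":
    print(first_deviation(BASELINE, SAMPLE))
```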

Why the ETH.LIMO Incident Matters for Ethereum Users

The immediate risk to Ethereum users was access: when a gateway that fronts roughly 2 million .eth names loses DNS control, people who rely on standard browsers can no longer assume a .eth page resolves safely. The episode fits a broader Ethereum pattern in which an operational failure outside the base protocol can still spill risk into user flows, much like KelpDAO's exploit leaving Aave exposed to rsETH bad debt.

Vitalik Buterin underscored the user risk by warning on April 18, 2026 that people should avoid eth.limo and other .limo pages until ETH.LIMO confirmed normal service had returned, a point later highlighted by BeInCrypto's independent coverage.

Ethereum traded at about $2,281.65, down 2.73% over 24 hours, giving market context around the ENS gateway security incident.

That market data does not prove the hijack moved Ether, but it does show the event landed during a broader risk-off tape rather than a security-specific repricing. The more durable takeaway is operational: protecting browser-facing Ethereum infrastructure now matters as much as reviewing contracts, which is why ecosystem efforts such as the Ethereum Foundation's grant review around Ketman Security remain relevant beyond core protocol code.

What Readers Should Watch Next

Readers should watch for a formal return-to-normal notice from ETH.LIMO, any easyDNS explanation of account-hardening changes, and whether more ENS projects push users toward direct-resolution or IPFS fallbacks after the incident. Nothing in the disclosed timeline indicates ENS itself was compromised; the weak point described by ETH.LIMO and easyDNS sat in the browser-facing DNS layer around it.

Disclaimer: This article is for informational purposes only and does not constitute financial advice. Cryptocurrency investments carry significant risk. Always conduct your own research before making investment decisions.

Read original article on defiliban.io