The brief takeover of eth.limo on April 17–18 did not begin with a smart-contract exploit or a failure in ENS itself. It began with a successful social-engineering attack against a registrar account-recovery process, allowing an attacker to seize control of the domain settings that connect .eth names to the web. eth.limo later said the compromise started around 19:07 EDT on April 17, when an attacker impersonated a team member and targeted its EasyDNS account.
Over the next several hours, the attacker changed eth.limo’s name servers, first to Cloudflare and later to Namecheap, before legitimate access was restored early on April 18. eth.limo’s post-mortem said recovery began after EasyDNS restored account access at 07:49 EDT, ending a window in which the gateway could have been used to reroute traffic for a vast number of ENS-linked web addresses. The incident turned a registrar workflow into a potential phishing and malware channel for the broader ENS ecosystem.
— ETH.LIMO 🦇🔊 (@eth_limo) April 18, 2026
DNSSEC Contained the Damage, Even as Trust Was Shaken
What limited the fallout was not the absence of opportunity, but the presence of a cryptographic check the attacker could not bypass. Multiple post-incident accounts said DNSSEC validation prevented forged DNS responses from resolving for validating resolvers because the attacker did not have the zone-signing keys. eth.limo reported no verified user impact or confirmed financial losses during the compromise window, making DNSSEC the difference between a dangerous breach and a much larger user-loss event.
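The check described above can be shown offline. The following is an added example, not code from eth.limo, EasyDNS, or ENS: it computes the DS digest (RFC 4034, SHA-256) that a parent zone publishes and shows why a DNSKEY served from substituted name servers fails to match it. The zone name and key bytes are constructed, the sketch assumes the DS record at the parent was left unchanged, and it covers only the DS-to-DNSKEY link, not RRSIG signature verification.

```python
import hashlib
import struct

ZONE = "gateway.example"  # constructed zone name, not the real domain

def name_to_wire(name):
    """Canonical (lowercased) DNS wire encoding of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    """Key tag as defined in RFC 4034 Appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner, rdata):
    """DS digest type 2: SHA-256 over owner name wire form | DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def ds_matches(owner, ds, rdata):
    """True if the served DNSKEY is the one pinned by the parent's DS."""
    return ds["key_tag"] == key_tag(rdata) and ds["digest"] == ds_digest(owner, rdata)

# Constructed 32-byte values standing in for Ed25519 (algorithm 15) public keys.
LEGIT_KEY = dnskey_rdata(257, 15, hashlib.sha256(b"constructed operator key").digest())
OTHER_KEY = dnskey_rdata(257, 15, hashlib.sha256(b"constructed substitute key").digest())

# DS record held by the parent zone, derived from the operator's key.
PARENT_DS = {"key_tag": key_tag(LEGIT_KEY), "digest": ds_digest(ZONE, LEGIT_KEY)}

if __name__ == "__main__":
    for label, key in (("operator name servers", LEGIT_KEY),
                       ("substituted name servers", OTHER_KEY)):
        verdict = "chain of trust intact" if ds_matches(ZONE, PARENT_DS, key) else "bogus, answer rejected"
        print(f"{label}: key tag {key_tag(key)} -> {verdict}")
```

Resolvers that do not validate DNSSEC perform no such comparison and would accept whatever the new name servers return.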
The seriousness of the incident was underscored by the public response from key figures. Vitalik Buterin warned users on April 18 not to visit eth.limo links during the disruption and pointed them toward direct IPFS access instead, while ENS said it quickly notified the community and relevant parties once the hijack was understood. The emergency guidance reflected how quickly a DNS-layer failure can undermine confidence in otherwise decentralized infrastructure.
The Real Weakness Was Procedural, Not Cryptographic
EasyDNS chief executive Mark Jeftovic publicly accepted responsibility, describing the attack as highly sophisticated and saying the registrar would migrate eth.limo to Domainsure, an enterprise service without a manual account-recovery mechanism. That response matters because it shows the breach was rooted in human recovery procedures rather than in ENS records or IPFS content. The weak point was not the decentralized stack itself, but the centralized account-recovery layer wrapped around it.
The lesson is uncomfortable but clear. ENS records and content-addressed storage remained intact, yet access to them through mainstream browser pathways was still vulnerable to a registrar-side failure. For operators of high-value Web3 services, the eth.limo incident is a reminder that decentralized guarantees can still be temporarily neutralized by centralized operational processes if those processes are sufficiently vulnerable to social engineering.
