Eth.limo DNS hijack post-mortem

At approximately 19:07 EDT on 2026-04-17, our EasyDNS account was compromised via a social engineering attack directed at EasyDNS, in which the attacker impersonated one of our team members.

02:23 EDT 2026-04-18: The NS records were changed and directed to Cloudflare. At this point we were awoken by automated downtime notifications and began to assess the situation. Once we understood that a DNS hijack had taken place, we immediately notified the community as well as Vitalik Buterin and others. We then began contacting EasyDNS in an attempt to respond to the incident.

03:57 EDT 2026-04-18: The NS records were switched from Cloudflare to Namecheap.

07:49 EDT 2026-04-18: EasyDNS restored access to our account, reverted the malicious NS record changes and began triage. At this point the eth.limo service began to come back online and we worked closely with EasyDNS to understand the details of the attack.

The silver lining here is DNSSEC (ironically). Once the NS records were maliciously changed, validating resolvers checked the attacker’s responses against the legitimate DS record still published in the parent zone. Because the attacker did not hold our signing keys, they could not produce valid RRSIGs, the chain of trust broke, and resolvers returned SERVFAIL instead of the malicious answers. In short, DNSSEC likely reduced the blast radius of the hijack. We are not aware of any user impact at this time. We will provide updates if that changes.

The eth.limo service is up and running and under our control. We’d like to thank our community for being patient with us through all of this, and Mark Jeftovic for his help recovering the domain.

EasyDNS has also provided their own post-mortem here:

Post-mortem update - 2026-04-20

After collaborating with @Coinspect and consulting the Certificate Transparency Logs, we believe the attacker was unable to obtain any valid X.509 certificates for either eth.limo or tornadocash[.]eth.limo during the hijack window. This significantly reduced the likelihood of user impact, as any connection to attacker infrastructure would have triggered browser TLS warnings and HSTS enforcement.

Since September 2017, the CA/Browser Forum Baseline Requirements have required publicly-trusted Certificate Authorities to query CAA records for a domain before issuing a certificate. As of March 15, 2026, CA/B Forum ballot SC-085v2 additionally requires CAs to perform DNSSEC validation on those CAA and domain control validation lookups. CAA lookups during the incident would have returned SERVFAIL — preventing any compliant CA from issuing a certificate for the domains.

Certificate Transparency Log resources:

https://radar.cloudflare.com/domains/domain/eth.limo

https://crt.sh/?q=tornadocash.eth.limo

https://crt.sh/?q=*.eth.limo

https://crt.sh/?CN=eth.limo&exclude=expired

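Added example, not code from eth.limo, EasyDNS or Coinspect: a Python script that performs the Certificate Transparency check described in the 2026-04-20 update, i.e. the empirical counterpart to the CAA/DNSSEC argument. If SERVFAIL on the CAA and DCV lookups really blocked issuance, crt.sh should show no certificate for eth.limo or its subdomains whose issuance falls inside the hijack window taken from the timeline above (19:07 EDT 2026-04-17 to 07:49 EDT 2026-04-18). Assumptions: the crt.sh JSON field names (id, issuer_name, common_name, name_value, not_before, not_after, entry_timestamp) and its `output=json` query form; a one-hour allowance for CAs that set notBefore earlier than the actual issuance time; and a constructed sample of records, including two hypothetical in-window certificates that exist only to show the filter firing (no such certificates were actually found).

```python
"""Certificate Transparency triage for the eth.limo NS-hijack window.

Added example, not code from the eth.limo or EasyDNS post-mortems. It takes the
JSON that crt.sh returns for a name pattern and lists every certificate whose
issuance could fall inside the window during which the attacker controlled the
NS records. SAMPLE_RECORDS is constructed for illustration, including two
hypothetical in-window hits (ids 1002 and 1003) that were never actually seen
for eth.limo. Use fetch_crtsh('%.eth.limo') to run it against live data.
"""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

# The post-mortem timeline is in EDT (UTC-4); a fixed offset avoids needing tzdata.
EDT = timezone(timedelta(hours=-4), "EDT")
HIJACK_START = datetime(2026, 4, 17, 19, 7, tzinfo=EDT)  # registrar account compromised
HIJACK_END = datetime(2026, 4, 18, 7, 49, tzinfo=EDT)    # EasyDNS reverted the NS records

# CAs commonly set notBefore before the moment of issuance (often by one hour),
# so a certificate issued inside the window can carry a notBefore that precedes
# it. The check is widened by this much on the early side. (Assumed value.)
BACKDATE_ALLOWANCE = timedelta(hours=1)

# Constructed sample in the shape crt.sh emits: one row per CT log entry / matched name.
SAMPLE_RECORDS = [
    # Legitimate certificate issued weeks before the incident: outside the window.
    {"id": 1001, "issuer_name": "C=US, O=Let's Encrypt, CN=R12", "common_name": "eth.limo",
     "name_value": "*.eth.limo\neth.limo", "not_before": "2026-03-20T10:02:11",
     "not_after": "2026-06-18T10:02:10", "entry_timestamp": "2026-03-20T11:02:15.321"},
    # Hypothetical: a subdomain certificate issued while the attacker held the NS records.
    {"id": 1002, "issuer_name": "C=US, O=Example CA, CN=Example CA R1", "common_name": "tornadocash.eth.limo",
     "name_value": "tornadocash.eth.limo", "not_before": "2026-04-18T03:31:00",
     "not_after": "2026-07-17T03:30:59", "entry_timestamp": "2026-04-18T04:31:07.005"},
    # The same hypothetical certificate as recorded by a second CT log: must be counted once.
    {"id": 1002, "issuer_name": "C=US, O=Example CA, CN=Example CA R1", "common_name": "tornadocash.eth.limo",
     "name_value": "tornadocash.eth.limo", "not_before": "2026-04-18T03:31:00",
     "not_after": "2026-07-17T03:30:59", "entry_timestamp": "2026-04-18T04:31:09.812"},
    # Hypothetical: notBefore 37 minutes before the window opens (backdated), logged 24 minutes after.
    {"id": 1003, "issuer_name": "C=US, O=Example CA, CN=Example CA R1", "common_name": "eth.limo",
     "name_value": "eth.limo\nwww.eth.limo", "not_before": "2026-04-17T22:30:00",
     "not_after": "2026-07-16T22:29:59", "entry_timestamp": "2026-04-17T23:31:00"},
    # Issued after EasyDNS restored access: outside the window.
    {"id": 1004, "issuer_name": "C=US, O=Let's Encrypt, CN=R12", "common_name": "eth.limo",
     "name_value": "*.eth.limo\neth.limo", "not_before": "2026-04-18T12:40:00",
     "not_after": "2026-07-17T12:39:59", "entry_timestamp": "2026-04-18T12:40:30.2"},
]


def fetch_crtsh(pattern: str) -> list:
    """Download crt.sh JSON for a name pattern such as '%.eth.limo' (network required)."""
    url = "https://crt.sh/?" + urllib.parse.urlencode({"q": pattern, "output": "json"})
    req = urllib.request.Request(url, headers={"User-Agent": "ct-triage-example/1.0"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def parse_crtsh_time(value: str) -> datetime:
    """crt.sh timestamps are naive ISO-8601 in UTC, sometimes with a fractional second."""
    return datetime.fromisoformat(value.split(".")[0]).replace(tzinfo=timezone.utc)


def certs_in_window(records, start, end, allowance=BACKDATE_ALLOWANCE):
    """Return distinct certificates that may have been issued inside [start, end].

    A record is flagged when its notBefore lies in [start - allowance, end] or its
    CT entry_timestamp lies in [start, end]. Rows are collapsed on crt.sh's
    certificate id so one certificate seen by several logs is reported once.
    """
    hits = {}
    for rec in records:
        not_before = parse_crtsh_time(rec["not_before"])
        logged = parse_crtsh_time(rec["entry_timestamp"])
        if not (start - allowance <= not_before <= end or start <= logged <= end):
            continue
        hit = hits.setdefault(rec["id"], {
            "id": rec["id"],
            "issuer": rec["issuer_name"],
            "names": sorted(set(rec["name_value"].split("\n"))),
            "not_before": not_before,
            "first_logged": logged,
        })
        hit["first_logged"] = min(hit["first_logged"], logged)  # earliest log sighting
    return sorted(hits.values(), key=lambda h: h["not_before"])


if __name__ == "__main__":
    hits = certs_in_window(SAMPLE_RECORDS, HIJACK_START, HIJACK_END)
    if not hits:
        print("No certificates issued inside the hijack window.")
    for hit in hits:
        print(f"crt.sh id {hit['id']}: {', '.join(hit['names'])} issued by {hit['issuer']}, "
              f"notBefore {hit['not_before'].isoformat()}, first logged {hit['first_logged'].isoformat()}")
```

Against live data, `certs_in_window(fetch_crtsh("%.eth.limo"), HIJACK_START, HIJACK_END)` should return an empty list if the update's conclusion holds. Two details matter in practice: dedupe on the crt.sh id, because each certificate appears once per CT log (and precertificates get their own id), and check the log entry timestamp as well as notBefore, because a backdated notBefore alone can place an in-window certificate just before the window.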