Eth.limo Recovers Domain After easyDNS Hijack as Vercel Confirms Data Breach

Eth.limo Domain Hijacked Through Social Engineering

Ethereum Name Service (ENS) gateway eth.limo has published a detailed incident report following a domain hijacking attack. The breach targeted the project's domain registrar easyDNS rather than eth.limo's own infrastructure.

«https://t.co/of1ktfaPss» — ETH.LIMO 🦇🔊 (@eth_limo), original post

The attacker impersonated an eth.limo team member and initiated an account recovery procedure with easyDNS. Upon gaining access to the control panel, the hacker modified the nameserver (NS) records and redirected them to Cloudflare. This meant users accessing eth.limo could have been directed to phishing pages.

Why This Matters

Eth.limo serves as a bridge between Web2 and Web3, providing access to 2 million decentralized websites in the .eth domain zone. Compromising such a gateway could potentially put a massive number of decentralized web users at risk.

Ethereum co-founder Vitalik Buterin personally warned his audience about the issue, urging them to avoid visiting his blog and other .eth pages until the situation was resolved.

«The kind people at @eth_limo have warned me that there has been an attack on their DNS registrar. So please do not visit vitalik.eth.limo or other .eth.limo pages until they confirm that things are back to normal. You can check my blog via IPFS directly…» — vitalik.eth (@VitalikButerin), original post

DNSSEC Prevented Widespread Damage

easyDNS CEO Mark Jeftovic acknowledged the company's responsibility for the incident. He described the attack as "highly sophisticated" and stated that nothing like it had occurred in the registrar's 28-year history.

Major consequences were averted thanks to DNSSEC (Domain Name System Security Extensions). The attacker lacked the cryptographic signing keys required to validate DNS responses, so most DNS servers rejected the spoofed records. Instead of landing on malicious pages, users encountered error messages.

The eth.limo team confirmed that no user harm was detected. The project is migrating to Domainsure, a platform that does not support account recovery through customer support — effectively eliminating the social engineering vector used in this attack.

Vercel Confirms Client Data Breach

In a separate but concurrent security event, cloud provider Vercel disclosed that hackers gained access to a portion of its customers' credentials.

«We've identified a security incident that involved unauthorized access to certain internal Vercel systems, impacting a limited subset of customers.» — Vercel (@vercel), original post

Vercel CEO Guillermo Rauch revealed that the attack originated from the compromise of Context.ai, an AI tool used by a Vercel employee. Through this entry point, attackers penetrated the company's Google Workspace account and subsequently its internal systems.

«A Vercel employee got compromised via the breach of an AI platform customer called Context.ai that he was using…» — Guillermo Rauch (@rauchg), original post

Before Vercel's official statement, a listing appeared on the hacking forum BreachForums offering the stolen data for $2 million. The seller claimed to have source code and access keys.

«VERCEL just got breached. They're selling internal DB + employee accounts + GitHub/NPM tokens for $2M on BreachForums.» — shirish (@shiri_shh), original post

Vercel's leadership urged customers to immediately rotate credentials and monitor activity within their environments. Rauch emphasized that the infrastructure of open-source projects, including the Next.js framework, was not affected.

A Wave of Crypto Security Incidents

Both events unfolded against a backdrop of major attacks across the crypto industry. On April 1, DeFi platform Drift Protocol on Solana lost at least $280 million in a hack. On April 17, liquid restaking protocol Kelp was drained of $293 million following a cross-chain bridge exploit. The combined damage from these incidents underscores the scale of security challenges facing the Web3 space.