{"id":96313,"date":"2026-04-20T11:44:45","date_gmt":"2026-04-20T08:44:45","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=96313"},"modified":"2026-04-20T11:45:22","modified_gmt":"2026-04-20T08:45:22","slug":"eth-limo-regains-domain-control-after-easydns-breach","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/eth-limo-regains-domain-control-after-easydns-breach\/","title":{"rendered":"Eth.limo Regains Domain Control After easyDNS Breach"},"content":{"rendered":"<p>The Ethereum Name Service (ENS) gateway, eth.limo, has released a report on a recent security incident. The domain was compromised due to an attack on the registrar easyDNS.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"zxx\" dir=\"ltr\"><a href=\"https:\/\/t.co\/of1ktfaPss\">https:\/\/t.co\/of1ktfaPss<\/a><\/p>\n<p>\u2014 ETH.LIMO \ud83e\udd87\ud83d\udd0a (@eth_limo) <a href=\"https:\/\/twitter.com\/eth_limo\/status\/2045552916157563148?ref_src=twsrc%5Etfw\">April 18, 2026<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>The attacker impersonated a member of the eth.limo team, initiated an account recovery process at easyDNS, and gained access to the settings. They then altered the name server (NS) records and redirected them to Cloudflare.<\/p>\n<p>Eth.limo serves as a bridge between Web2 and <a href=\"https:\/\/forklog.com\/en\/news\/what-is-web3\">Web3<\/a>, providing access to 2 million decentralized sites in the .eth domain. Due to the domain spoofing, users could have been redirected to phishing pages. Ethereum co-founder Vitalik Buterin advised against visiting his blog until the issue was resolved.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">The kind people at <a href=\"https:\/\/twitter.com\/eth_limo?ref_src=twsrc%5Etfw\">@eth_limo<\/a> have warned me that there has been an attack on their DNS registrar. So please do not visit <a href=\"https:\/\/t.co\/2EcsFBZY0b\">https:\/\/t.co\/2EcsFBZY0b<\/a> or other <a href=\"https:\/\/t.co\/9nFLru9kS0\">https:\/\/t.co\/9nFLru9kS0<\/a> pages until they confirm that things are back to normal.<\/p>\n<p>You can check my blog via IPFS directly\u2026<\/p>\n<p>\u2014 vitalik.eth (@VitalikButerin) <a href=\"https:\/\/twitter.com\/VitalikButerin\/status\/2045413438659416215?ref_src=twsrc%5Etfw\">April 18, 2026<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Mark Jeftovic, CEO of easyDNS, <a href=\"https:\/\/easydns.com\/blog\/2026\/04\/18\/we-screwed-up-and-we-own-it-the-eth-limo-shtshow-is-on-us\/\">acknowledged<\/a> the company&#8217;s fault. He described the attack as &#8220;sophisticated&#8221; and noted that nothing similar had occurred in the provider&#8217;s 28-year history.<\/p>\n<p>Major consequences were avoided thanks to the expansion of DNSSEC. The hacker did not possess the cryptographic signing keys. Most servers rejected the hacker&#8217;s false responses, resulting in users seeing an error message instead of a malicious site.<\/p>\n<p>The eth.limo team stated that no user harm was detected. The project is transitioning to the Domainsure platform, which lacks an account recovery mechanism via support service, preventing a similar attack from recurring.<\/p>\n<h2 class=\"wp-block-heading\">Vercel Breach<\/h2>\n<p>Cloud provider Vercel also reported a security breach: hackers gained access to some customer credentials.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">We\u2019ve identified a security incident that involved unauthorized access to certain internal Vercel systems, impacting a limited subset of customers. Please see our security bulletin:<a href=\"https:\/\/t.co\/0S939n3qHC\">https:\/\/t.co\/0S939n3qHC<\/a><\/p>\n<p>\u2014 Vercel (@vercel) <a href=\"https:\/\/twitter.com\/vercel\/status\/2045865072074035664?ref_src=twsrc%5Etfw\">April 19, 2026<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>According to CEO Guillermo Rauch, the attack began with a breach of the AI tool Context.ai, used by an employee. Through it, the attackers infiltrated the corporate Google Workspace account and Vercel&#8217;s internal systems.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Here&#8217;s my update to the broader community about the ongoing incident investigation. I want to give you the rundown of the situation directly.<\/p>\n<p>A Vercel employee got compromised via the breach of an AI platform customer called <a href=\"https:\/\/t.co\/xksNNigVfE\">https:\/\/t.co\/xksNNigVfE<\/a> that he was using. The details\u2026<\/p>\n<p>\u2014 Guillermo Rauch (@rauchg) <a href=\"https:\/\/twitter.com\/rauchg\/status\/2045995362499076169?ref_src=twsrc%5Etfw\">April 19, 2026<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Previously, a listing appeared on the hacker forum BreachForums offering Vercel data for sale at $2 million. The seller claimed access to source code and keys.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">VERCEL just got breached.<\/p>\n<p>They\u2019re selling internal DB + employee accounts + GitHub\/NPM tokens for $2M on BreachForums.<\/p>\n<p>looks like someone got early access to Claude Mythos \ud83d\udc80 <a href=\"https:\/\/t.co\/BVCDvoSHfs\">https:\/\/t.co\/BVCDvoSHfs<\/a> <a href=\"https:\/\/t.co\/6bJ7Sx9O5M\">pic.twitter.com\/6bJ7Sx9O5M<\/a><\/p>\n<p>\u2014 shirish (@shiri_shh) <a href=\"https:\/\/twitter.com\/shiri_shh\/status\/2045883344324640817?ref_src=twsrc%5Etfw\">April 19, 2026<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>The company&#8217;s management urged clients to change their credentials and monitor activity in their environments. Rauch emphasized that the infrastructure of open projects, including Next.js, was not affected.<\/p>\n<p>Earlier, on April 1, the DeFi platform Drift Protocol on Solana <a href=\"https:\/\/forklog.com\/en\/news\/drift-protocol-on-solana-loses-280m\">was hacked<\/a>, with the attacker extracting at least $280 million.\u00a0<\/p>\n<p>On April 17, the liquid <a href=\"https:\/\/forklog.com\/en\/news\/what-is-restaking-and-how-to-make-money-from-it\">restaking<\/a> protocol Kelp <a href=\"http:\/\/forklog.com\/news\/protokol-kelp-lishilsya-293-mln-posle-ataki-na-krosschejn-most\/\">lost<\/a> $293 million following an incident with a cross-chain bridge.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Ethereum Name Service gateway eth.limo has released a report on a security incident. The domain was compromised due to an attack on the registrar easyDNS.<\/p>\n","protected":false},"author":1,"featured_media":96314,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"Cloud provider Vercel also reported a breach compromising user data.","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[44,1111],"class_list":["post-96313","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cybercrime","tag-cybersecurity"],"aioseo_notices":[],"amp_enabled":true,"views":"10","promo_type":"1","layout_type":"1","short_excerpt":"Cloud provider Vercel also reported a breach compromising user data.","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/96313","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=96313"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/96313\/revisions"}],"predecessor-version":[{"id":96315,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/96313\/revisions\/96315"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/96314"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=96313"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=96313"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=96313"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}