Vitalik Buterin Tells Users to Stay Away From eth.limo After DNS Hijack

Ethereum co-founder Vitalik Buterin issued a public warning on April 18, urging everyone to stop visiting eth.limo URLs immediately. The reason? A serious DNS registrar attack had just handed an attacker control over one of the most widely used ENS gateways on the web.

The eth.limo team confirmed the breach shortly after Buterin’s post, saying its domain had been hijacked and that it was actively working with all involved parties to resolve the situation.

What eth.limo Does and Why This Hurts

If you’ve ever typed a .eth address into your browser and actually landed on a website, there’s a good chance eth.limo made that happen. It’s a free, open-source gateway that translates Ethereum Name Service (ENS) names into standard HTTPS URLs. That way, anyone can browse decentralized websites without running their own IPFS node.

It’s a simple concept, but it carries a lot of weight. Thousands of ENS-based websites rely on eth.limo as their connection to the regular web.

So when an attacker breaks in, the damage potential is enormous.

How the Attack Worked

The attacker didn’t break into ENS itself. Instead, they targeted something far more traditional: eth.limo’s domain registrar account.

Once inside, they gained control of the wildcard *.eth.limo domain. That means every single eth.limo subdomain could be redirected to pages of the attacker’s choosing, potentially serving up phishing pages or malware to unsuspecting visitors.

Buterin shared a direct IPFS link to his personal blog as a safe workaround and asked users to hold off on any eth.limo browsing until the team issues an official all-clear.

“The kind people at @eth_limo have warned me that there has been an attack on their DNS registrar,” Buterin wrote. “So please do not visit vitalik.eth.limo or other eth.limo pages until they confirm that things are back to normal.”

The Centralized Problem Hiding Inside Web3

Here’s the uncomfortable truth this attack puts on full display. ENS records and IPFS content are decentralized. Neither was compromised in this attack. But the DNS layer connecting them to everyday browsers still runs through centralized registrars.

That’s a real weak spot. And it’s been exploited before.

DeFi protocols Cream Finance and Aerodrome both suffered registrar-level compromises in previous incidents. The pattern keeps repeating because the fix isn’t simple. You can decentralize the content and the naming system, but you still need a traditional DNS registrar to make it accessible in regular browsers. That registrar is a single point of failure.

Crypto phishing losses exceeded $4 billion in 2025, with frontend hijacks becoming one of the most common attack vectors across the industry. This eth.limo incident fits squarely into that growing trend.

No Confirmed Losses Yet

As of the time of writing, no user fund losses have been confirmed. The eth.limo team has not yet issued an all-clear, and all *.eth.limo URLs should still be considered unsafe to visit.

If you need to access ENS-hosted content right now, look for direct IPFS links or alternative gateways until the eth.limo team confirms the domain is fully back under their control.
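Why a direct IPFS link does not inherit the DNS risk: the CID in the link commits to a hash of the content, so bytes returned by any gateway can be checked locally. The sketch below is an added example, not code from eth.limo or from the article. It assumes the simplest case, a CIDv1 in base32 pointing at a single raw block hashed with sha2-256 (real sites are usually multi-block directories, which need a full IPFS client to verify), and the sample pages are constructed.

```python
import base64
import hashlib
import hmac

RAW_CODEC = 0x55   # multicodec "raw": the block is the file's own bytes
SHA2_256 = 0x12    # multihash code for sha2-256

def read_varint(buf, pos):
    """Decode one unsigned LEB128 varint, returning (value, next_pos)."""
    value = 0
    for shift, i in enumerate(range(pos, len(buf))):
        value |= (buf[i] & 0x7F) << (7 * shift)
        if not buf[i] & 0x80:
            return value, i + 1
    raise ValueError("truncated varint")

def parse_cid(cid):
    """Split a base32 CIDv1 into (codec, hash_code, digest)."""
    if not cid.startswith("b"):
        raise ValueError("only base32 (multibase 'b') CIDv1 is handled")
    text = cid[1:].upper()
    raw = base64.b32decode(text + "=" * (-len(text) % 8))
    version, pos = read_varint(raw, 0)
    codec, pos = read_varint(raw, pos)
    hash_code, pos = read_varint(raw, pos)
    length, pos = read_varint(raw, pos)
    digest = raw[pos:]
    if version != 1 or len(digest) != length:
        raise ValueError("malformed CID")
    return codec, hash_code, digest

def make_raw_cid(data):
    """Build the CIDv1 for one raw block (each field fits a one-byte varint)."""
    body = bytes([1, RAW_CODEC, SHA2_256, 32]) + hashlib.sha256(data).digest()
    return "b" + base64.b32encode(body).decode().lower().rstrip("=")

def verify_block(cid, data):
    """True only if the bytes a gateway returned hash to the digest in the CID."""
    codec, hash_code, digest = parse_cid(cid)
    if codec != RAW_CODEC or hash_code != SHA2_256:
        raise ValueError("this example only covers raw sha2-256 blocks")
    return hmac.compare_digest(hashlib.sha256(data).digest(), digest)

# Constructed sample: the page as published, and an altered copy from an untrusted gateway.
PUBLISHED = b"<html><body>my ENS site</body></html>"
TAMPERED = b"<html><body>altered page</body></html>"
CID = make_raw_cid(PUBLISHED)
```

A name like something.eth.limo carries no such commitment, which is why control of the DNS record is enough to change what visitors receive.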

This situation is still developing. The smart move is to wait it out.
