Hundreds of subdomains. 34 universities. Explicit porn popping up on Google searches for the likes of Berkeley and Columbia.
That’s the tally from researcher Alex Shakhov, who uncovered scammers turning elite .edu domains into digital red-light districts.
Shoddy record-keeping doesn’t begin to cover it.
Hijacking a University’s Good Name
Scammers—linked to the Hazy Hawk group—aren’t cracking vaults or phishing deans. They’re just grabbing abandoned DNS crumbs.
Site admins spin up a subdomain, say provost.washu.edu, with a CNAME record pointing at a hostname on some other domain, typically a vendor's, a CDN's, or a cloud provider's. Project ends. Subdomain gets decommissioned. But the record? Left dangling like yesterday's piñata string.
Enter the opportunists. They register the lapsed domain the CNAME still points at, and boom, they've got a shiny .edu subdomain serving Brazzers gym porn or scam PDFs claiming your PC's infected. Note what didn't happen: nobody touched the university's zone. Its own record is still there, faithfully handing resolution to whoever owns the target now.
Shakhov nails it: “When they commission a subdomain such as provost.washu.edu, they create a CNAME record, which assigns a subdomain to a ‘canonical’ domain. When the subdomain is eventually decommissioned—something that happens frequently for various reasons—the record is never removed.”
“Scammers like Hazy Hawk then swoop in by hijacking the old record. With that, they have now hijacked that university’s subdomain.”
Google’s algorithm does the rest, ranking these hijacks high because, hey, .edu domains scream authority.
Thousands of pages indexed. Casual searches for stats or causal inference? Straight to xxx-porn-girl-and-boy-ej5210.html on causal.stat.berkeley.edu.
Classy.
Why Does This Matter for University Reputations?
Universities trade on prestige—centuries of it, bottled into domain names that signal trust. Now? Their subdomains peddle fake malware alerts and explicit videos.
One example: hXXps://conversion-dev.svc.cul.columbia[.]edu/brazzers-gym-porn. Columbia’s engineering vibe, subverted.
Or hXXps://provost.washu.edu/app/uploads/formidable/6/dmkcsex-10.pdf—a provost office file path, but it’s porn.
Parents googling admissions? Donors checking provost updates? They land here instead. Reputational shrapnel.
And it’s not isolated. Berkeley’s stat department, Columbia’s services, WashU’s admin tools—all tainted. Shakhov counted at least 34 institutions, with Google surfacing thousands of poisoned results.
This isn’t sophisticated cybercrime. It’s laziness weaponized. Admins forget to delete DNS entries after decommissioning servers or campaigns—routine churn in any large IT shop. But universities, with their sprawling departments and rotating staff, amplify the mess.
Here’s the acerbic truth: these places train the world’s elite, yet can’t delete a damn DNS record. It’s like leaving your Ferrari keys in the ignition during a crime wave.
The Hazy Hawk Connection
Separate researchers tie this to Hazy Hawk, a group known for domain hijacks. Not state actors or elite hackers—just grifters who sniff out expired or abandoned registrations.
They squat on the canonical names pointed to by those stale CNAMEs. Registering a lapsed domain is legal and cheap, and the university's own DNS does the rest. Universities wake up to their subdomains resolving to sleaze.
Shakhov, founder of SH Consulting, spotted the pattern across berkeley.edu, columbia.edu, washu.edu, and dozens more. His report should be a wake-up call, but expect the usual: press releases blaming ‘bad actors’ while IT teams scramble.
Corporate spin incoming.
Universities won’t admit the root cause—systemic sloppiness in DNS hygiene. Easier to cry victim.
Is This Just Universities or Everyone’s Problem?
Don’t kid yourself. Every org with subdomains faces this. E-commerce sites, banks, even tech giants have dangling DNS.
But universities hurt extra because .edu boosts SEO. Scammers love the halo effect—queries for ‘causal statistics Berkeley’ pipe traffic to porn or scams.
One unique insight: this echoes the 2010s subdomain takeover boom, when enumeration tools like Sublist3r, paired with takeover checkers, exposed thousands of CNAMEs pointing at unclaimed AWS S3 buckets. Back then the target was an unclaimed resource on a provider's registered domain; now it's an expired domain registration. The root cause, a record nobody deleted, is identical. History repeats because no one learns.
Bold prediction: without automated DNS audits, meaning scheduled scans for dangling CNAMEs rather than a one-off cleanup, we'll see nation-states join the party, using .edu for phishing credential farms.
What Universities Must Do Now
Delete the records. All of them.
Audit every CNAME, including the ones in zones nobody remembers creating. Enumerate with something like dnsdumpster, then check each target with a takeover scanner such as Subjack. Don't trust a scanner's fingerprint list alone, though: an expired target domain looks like a plain NXDOMAIN, not a recognisable "no such bucket" page, so also check whether the target's registrable domain still exists at all.
Implement policy: no decommissioning without DNS cleanup. Script it. Automate.
Google's Safe Browsing helps, but deindexing takes time, and scammers rotate anyway.
And train staff. Rotating admins mean forgotten processes. Mandate checklists.
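What "script it, automate" looks like for the mechanism described earlier (a record whose target nobody owns any more) and for the audit step above. This is an added example written for this page, not Shakhov's tooling or any university's script. The DNS data is constructed: example.edu, the vendor and CDN names, and the fake_lookup resolver are placeholders standing in for a real zone export and a real resolver query.

```python
"""Dangling-CNAME audit: given your own zone's CNAME records, follow each
target and report the ones that no longer resolve, distinguishing a lapsed
target domain (the Hazy Hawk case) from an unclaimed host on a live domain.

The DNS view below is constructed for offline demonstration. A real run
swaps fake_lookup for a resolver query and should test the apex with an SOA
query, since a registered, delegated domain always answers for SOA even
when it has no A record.
"""
from typing import Callable, Dict, List, Optional, Tuple

MAX_CHAIN = 8  # sanity bound; chains longer than this are almost always broken

RR = Tuple[str, str]                    # (rtype, rdata)
Lookup = Callable[[str], Optional[RR]]  # returns None for NXDOMAIN


def normalize(name: str) -> str:
    return name.rstrip(".").lower()


def registrable_domain(name: str) -> str:
    """The apex someone would have to register to own this target.
    Assumption: single-label public suffix (.net, .io, .edu). Production
    code should use the Public Suffix List so co.uk-style suffixes work."""
    labels = normalize(name).split(".")
    return ".".join(labels[-2:])


# Constructed fake DNS. Names absent from the table are NXDOMAIN.
# example.edu is "our" zone; the other domains stand in for vendors and CDNs.
FAKE_DNS: Dict[str, RR] = {
    "www.example.edu": ("CNAME", "www.example.edu.cdn-example.net"),
    "www.example.edu.cdn-example.net": ("A", "203.0.113.10"),
    "cdn-example.net": ("A", "203.0.113.1"),
    # oldvendor-example.net is deliberately absent: the whole domain lapsed.
    "example-pages.io": ("A", "203.0.113.50"),  # registered, but old-site.* is gone
    "loop1.example.edu": ("CNAME", "loop2.example.edu"),
    "loop2.example.edu": ("CNAME", "loop1.example.edu"),
}

# Our zone's CNAMEs as exported from the DNS provider (constructed sample).
ZONE_CNAMES: Dict[str, str] = {
    "www.example.edu": "www.example.edu.cdn-example.net",
    "alias.example.edu": "www.example.edu",
    "provost.example.edu": "provost-site.oldvendor-example.net",
    "causal.stat.example.edu": "old-site.example-pages.io",
    "loop1.example.edu": "loop2.example.edu",
}


def fake_lookup(name: str) -> Optional[RR]:
    return FAKE_DNS.get(normalize(name))


def classify_target(target: str, lookup: Lookup) -> Tuple[str, List[str]]:
    """Follow the CNAME chain starting at target; return (status, chain)."""
    current = normalize(target)
    chain = [current]
    for _ in range(MAX_CHAIN):
        rr = lookup(current)
        if rr is None:
            # Target is gone. Is the whole domain up for registration?
            if lookup(registrable_domain(current)) is None:
                return "dangling-unregistered-domain", chain
            return "dangling-unclaimed-host", chain
        rtype, rdata = rr
        if rtype != "CNAME":
            return "ok", chain  # reached an address record
        current = normalize(rdata)
        chain.append(current)
        if chain.count(current) > 1:
            return "cname-loop", chain
    return "chain-too-long", chain


def audit(zone_cnames: Dict[str, str], lookup: Lookup) -> Dict[str, Tuple[str, List[str]]]:
    """Classify every CNAME owner in the zone; run this on a schedule."""
    return {normalize(o): classify_target(t, lookup) for o, t in zone_cnames.items()}


if __name__ == "__main__":
    for owner, (status, chain) in audit(ZONE_CNAMES, fake_lookup).items():
        print(f"{status:30} {owner} -> {' -> '.join(chain)}")
```

Two results deserve attention, not one. "dangling-unregistered-domain" is the case this article describes: anyone with a credit card can register the target and inherit the subdomain. "dangling-unclaimed-host" is the older S3-bucket pattern: the provider's domain is live but the specific host is gone, and whether it can be re-claimed depends on the provider. Both are records to delete, not tickets to triage later.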
Universities spend millions on prestige branding. Pocket change on DNS hygiene could save face.
Pathetic that it isn’t automatic.
The Broader Security Lesson
This exposes a truth tech loves to ignore: most breaches aren’t zero-days or APTs. They’re config errors, forgotten keys, lazy cleanup.
Shakhov’s find reminds us—opsec starts with basics. Elite domains don’t immunize against stupidity.
Scammers thrive on it. And Google’s index keeps the party going.
Fix your DNS, eggheads. Or keep serving porn with your syllabi.
Frequently Asked Questions
What causes university subdomains to serve porn?
Forgotten CNAME DNS records after decommissioning subdomains, allowing scammers to register the pointed-to domains and hijack traffic.
Which universities were hit by DNS subdomain hijacks?
At least 34, including UC Berkeley (berkeley.edu), Columbia (columbia.edu), and Washington University in St. Louis (washu.edu), with hundreds of subdomains affected.
How do scammers exploit dangling DNS records?
They register the lapsed domain that a stale CNAME still points at, gaining control of what the university's subdomain resolves to, and use it for porn, scams, or worse, all boosted by .edu SEO.