Porn and Scams Hijack Top University Domains: How Lax Maintenance Fueled a Cyberattack
Breaking: University Websites Serving Explicit Porn and Malware
Cybercriminals have exploited sloppy record-keeping at some of the world's most prestigious universities, hijacking subdomains to serve hardcore pornography, scam pages, and malicious software. The attack targets official domains of UC Berkeley, Columbia University, and Washington University in St. Louis, among others.

Researcher Alex Shakhov, founder of SH Consulting, discovered the breach after noticing rogue subdomains like hXXps://causal.stat.berkeley.edu/ymy/video/xxx-porn-girl-and-boy-ej5210.html and hXXps://conversion-dev.svc.cul.columbia[.]edu/brazzers-gym-porn. The pages display explicit adult material or—in at least one case—a fake virus alert demanding payment for nonexistent malware removal.
Extent of the Attack: Hundreds of Subdomains, 34 Universities
Shakhov identified hundreds of hijacked subdomains across at least 34 universities. Google search results list thousands of compromised pages. The group behind the operation—tracked by a separate researcher as Hazy Hawk—is systematically exploiting a common clerical oversight.
“When universities commission a subdomain, they create a CNAME record linking it to a canonical domain. When the subdomain is decommissioned, the record often stays active. Attackers seize that dangling record and point it to their own servers.” – Alex Shakhov, founder, SH Consulting
Background: How the Hijacking Works
University administrators frequently create subdomains for short-term projects: conference portals, research repositories, or internal tools. When the project ends, they often forget to delete the CNAME record. Scammers then register the abandoned domain that the leftover record still points to, effectively inheriting the university's trusted subdomain name.
The consequences go beyond reputation damage. Stolen subdomains can host phishing pages, distribute malware, or—as seen here—serve explicit content that misleads visitors and undermines institutional credibility.

What This Means for Universities and Users
For affected universities, the immediate risk is erosion of trust. Students, faculty, and visitors who land on these pages may assume the institution endorses the content or—worse—fall for scams. The long-term threat includes potential blacklisting by search engines and browsers, harming legitimate academic resources.
Users should exercise caution when clicking links that appear to be from .edu domains but lead to suspicious content. Always verify the full URL, especially on subdomains. Universities must implement automated audits to detect and remove orphaned DNS records before attackers can exploit them.
Affected Institutions (Partial List)
- University of California, Berkeley (berkeley.edu)
- Columbia University (columbia.edu)
- Washington University in St. Louis (washu.edu)
What Universities Should Do Now
- Conduct a full audit of all subdomains and DNS records.
- Automatically expire CNAME records after project end dates.
- Monitor subdomain registrations for unauthorized new entries.
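One way to automate the audit and expiry steps above against a zone export, as an added example (not from the article or any university's tooling). The zone contents, the `; expires=` comment convention and the function names are assumptions made for illustration.

```python
import socket
from datetime import date

# Constructed sample zone export (BIND-style); every name, target and date is invented.
# The trailing "; expires=YYYY-MM-DD" comment is an assumed local convention.
SAMPLE_ZONE = """\
$ORIGIN example.edu.
www          3600 IN A     192.0.2.10
conf2019     3600 IN CNAME conf2019-site.hosting.example.net. ; expires=2019-12-31
lab-portal   3600 IN CNAME lab-portal.cloud.example.com.      ; expires=2030-06-30
archive      3600 IN CNAME www.example.edu.
"""

def parse_cnames(zone_text):
    """Yield (fqdn, target, expiry_or_None) for every CNAME record in the zone text."""
    origin = ""
    for raw in zone_text.splitlines():
        line, _, comment = raw.partition(";")
        fields = line.split()
        if len(fields) >= 2 and fields[0].upper() == "$ORIGIN":
            origin = fields[1].rstrip(".")
        elif len(fields) >= 3 and fields[-2].upper() == "CNAME":
            absolute = lambda n: n.rstrip(".") if n.endswith(".") else f"{n}.{origin}"
            expiry = None
            if "expires=" in comment:
                expiry = date.fromisoformat(comment.split("expires=")[1].split()[0])
            yield absolute(fields[0]), absolute(fields[-1]), expiry

def resolves(hostname):
    """Default check (live DNS lookup): does the CNAME target resolve at all?"""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False

def audit(zone_text, today, resolver=resolves):
    """Return (fqdn, target, reason) for CNAME records that need review or removal."""
    findings = []
    for fqdn, target, expiry in parse_cnames(zone_text):
        if not resolver(target):
            findings.append((fqdn, target, "dangling: target does not resolve"))
        elif expiry and expiry < today:
            findings.append((fqdn, target, "expired: project end date passed"))
    return findings

if __name__ == "__main__":
    live = {"www.example.edu", "lab-portal.cloud.example.com"}  # constructed stand-in for DNS
    for finding in audit(SAMPLE_ZONE, date.today(), resolver=lambda h: h in live):
        print(finding)
```

The expiry check matters because a target that someone else has already re-registered will resolve again, so a resolution test alone will not flag it.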
The attack highlights a systemic issue: shoddy housekeeping at elite institutions creates openings for cybercriminals. In the words of Shakhov, “This is a preventable vulnerability—it’s a matter of proper hygiene.”