Porn and Scams Hijack Top University Domains: How Lax Maintenance Fueled a Cyberattack
Breaking: University Websites Serving Explicit Porn and Malware
Cybercriminals have exploited sloppy record-keeping at some of the world's most prestigious universities, hijacking subdomains to serve hardcore pornography, scam pages, and malicious software. The attack targets official domains of UC Berkeley, Columbia University, and Washington University in St. Louis, among others.

Researcher Alex Shakhov, founder of SH Consulting, discovered the breach after noticing rogue subdomains like hXXps://causal.stat.berkeley.edu/ymy/video/xxx-porn-girl-and-boy-ej5210.html and hXXps://conversion-dev.svc.cul.columbia[.]edu/brazzers-gym-porn. The pages display explicit adult material or—in at least one case—a fake virus alert demanding payment for nonexistent malware removal.
Extent of the Attack: Hundreds of Subdomains, 34 Universities
Shakhov identified hundreds of hijacked subdomains across at least 34 universities. Google search results list thousands of compromised pages. The group behind the operation—tracked by a separate researcher as Hazy Hawk—is systematically exploiting a common clerical oversight.
“When universities commission a subdomain, they create a CNAME record linking it to a canonical domain. When the subdomain is decommissioned, the record often stays active. Attackers seize that dangling record and point it to their own servers.” – Alex Shakhov, founder, SH Consulting
Background: How the Hijacking Works
University administrators frequently create subdomains for short-term projects—conference portals, research repositories, or internal tools. When the project ends, they often forget to delete the CNAME record. Scammers then register the abandoned domain that the leftover record still points to, effectively inheriting the university's trusted subdomain name.
The consequences go beyond reputation damage. Stolen subdomains can host phishing pages, distribute malware, or—as seen here—serve explicit content that misleads visitors and undermines institutional credibility.

What This Means for Universities and Users
For affected universities, the immediate risk is erosion of trust. Students, faculty, and visitors who land on these pages may assume the institution endorses the content or—worse—fall for scams. The long-term threat includes potential blacklisting by search engines and browsers, harming legitimate academic resources.
Users should exercise caution when clicking links that appear to be from .edu domains but lead to suspicious content. Always verify the full URL, especially on subdomains. Universities must implement automated audits to detect and remove orphaned DNS records before attackers can exploit them.
Affected Institutions (Partial List)
- University of California, Berkeley (berkeley.edu)
- Columbia University (columbia.edu)
- Washington University in St. Louis (washu.edu)
What Universities Should Do Now
- Conduct a full audit of all subdomains and DNS records.
- Automatically expire CNAME records after project end dates.
- Monitor subdomain registrations for unauthorized new entries.
The attack highlights a systemic issue: shoddy housekeeping at elite institutions creates openings for cybercriminals. In the words of Shakhov, “This is a preventable vulnerability—it’s a matter of proper hygiene.”
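One way to automate the three audit steps listed above, as an added example that is not from the article or from Shakhov's research: it checks every CNAME in a zone export against a project inventory and a resolver. The zone data, inventory, `example.edu` names and function names are all constructed for illustration, and the parser assumes each record is written in the full five-field form.

```python
import socket
from datetime import date
# Constructed BIND-style zone export (name ttl class type target); hypothetical names.
SAMPLE_ZONE = """\
conf2019.example.edu.  3600 IN CNAME conf2019.events-host.example.
repo.example.edu.      3600 IN CNAME lab-repo.paas.example.
tools.example.edu.     3600 IN CNAME tools.paas.example.
promo.example.edu.     3600 IN CNAME cdn.unknown-host.example.
www.example.edu.       3600 IN A     192.0.2.10
"""
# Constructed inventory: subdomain -> project end date (None = permanent service).
SAMPLE_INVENTORY = {
    "conf2019.example.edu": date(2019, 12, 31),
    "repo.example.edu": date(2030, 6, 30),
    "tools.example.edu": None,
}

def parse_cnames(zone_text):
    """Yield (owner, target) for each CNAME line, ignoring ';' comments."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) >= 5 and fields[3].upper() == "CNAME":
            yield fields[0].rstrip(".").lower(), fields[4].rstrip(".").lower()

def system_resolves(hostname):  # live check against the system resolver
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False

def audit(zone_text, inventory, today, resolves=system_resolves):
    """Return {owner: [findings]} for CNAMEs that need attention."""
    report = {}
    for owner, target in parse_cnames(zone_text):
        findings = []
        if owner not in inventory:
            findings.append("not in inventory")      # unauthorized or forgotten entry
        elif inventory[owner] is not None and inventory[owner] < today:
            findings.append("project ended")         # record should have expired
        if not resolves(target):
            findings.append("target does not resolve: " + target)  # dangling CNAME
        if findings:
            report[owner] = findings
    return report

if __name__ == "__main__":  # offline demo: stub resolver, only these targets "exist"
    live = {"tools.paas.example", "cdn.unknown-host.example"}
    print(audit(SAMPLE_ZONE, SAMPLE_INVENTORY, date(2025, 1, 1), live.__contains__))
```

A target that still resolves is not proof the record is safe, because the abandoned domain may already have been re-registered by someone else; that is why records missing from the inventory or past their end date are reported even when resolution succeeds.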