Oa5678 Stack

Exclusive: Prestigious University Domains Hijacked to Serve Porn and Malware – Investigation Reveals Lax Security

Researchers find top universities' subdomains hijacked to serve porn and malware due to unremoved CNAME records, affecting at least 34 institutions.

Oa5678 Stack · 2026-05-02 04:15:03 · Science & Space

Breaking: Top University Websites Infiltrated with Explicit Content

Subdomains of some of the world's most prestigious universities are currently being exploited to serve explicit pornography and malicious scam pages. A new investigation reveals that 34 institutions, including UC Berkeley, Columbia University, and Washington University in St. Louis, have inadvertently allowed scammers to hijack thousands of their subdomains.

Source: feeds.arstechnica.com

Researcher Alex Shakhov discovered that hijacked URLs such as https://causal.stat.berkeley.edu/ymy/video/xxx-porn-girl-and-boy-ej5210.html and https://conversion-dev.svc.cul.columbia.edu/brazzers-gym-porn redirect users to hardcore porn. In at least one case, a subdomain of Washington University leads to a fake malware alert that pressures victims to pay a removal fee.

How the Hijacking Works

According to Shakhov, the scammers, linked to a group known as Hazy Hawk, are exploiting a basic administrative oversight. When universities create subdomains, they set up a CNAME record that points the subdomain at an external domain. When the subdomain is decommissioned, that CNAME record often stays in the university's DNS zone, still pointing at the external name.

"It's a simple clerical error that they never clean up," Shakhov explained. "Hazy Hawk scans for these orphaned records and then registers the external domain they point to, instantly taking over the subdomain." The attackers then load the subdomain with porn or scam content, leveraging the university's trusted .edu reputation.

Background: A Widespread but Overlooked Vulnerability

The CNAME hijacking technique is not new, but its scale at elite universities is alarming. Shakhov found that Google's search results list thousands of such compromised pages. The affected subdomains range from academic departments to administrative tools, all now serving illicit material.


Security experts warn that the real danger extends beyond porn. "Users who stumble onto a hijacked .edu page may trust it and fall for tech support scams," noted a cybersecurity analyst familiar with the investigation. "Even a single click on a fake antivirus notification can lead to malware installation."

What This Means for Users and Universities

For website visitors, any interaction with a compromised university subdomain poses risks. The lax record-keeping creates an attack surface that can be exploited for phishing, malware distribution, and brand damage.

Universities must immediately audit their DNS records and remove orphaned CNAME entries. "This is not just about embarrassment—it's a security risk to students, faculty, and the public," Shakhov emphasized. Institutions should implement automated tools to detect and delete stale subdomain records.

  • Action item: Check all .edu subdomains for abandoned CNAME records.
  • Recommendation: Use DNS monitoring services to flag new hijacks within hours.
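The audit described above, as an added example that is not part of the original article: it follows each subdomain's CNAME chain and flags records whose target no longer resolves (the orphaned state Hazy Hawk registers). The zone data and the `example.edu` / `cloudhost.example` names are constructed; the `dns.resolver` call is an optional dnspython hook, not something the investigation used.

```python
"""Dangling-CNAME audit: flag subdomains whose CNAME chain ends at a name that
no longer resolves (NXDOMAIN), which is the state an attacker can register."""

# Constructed fixture, not real DNS data. name -> ("CNAME", target) | ("A", ip)
# | None (NXDOMAIN). Names are fully qualified (trailing dot).
FIXTURE = {
    "causal.stat.example.edu.": ("CNAME", "old-app.cloudhost.example."),
    "old-app.cloudhost.example.": None,  # external name released: dangling
    "www.example.edu.": ("CNAME", "frontdoor.cdn.example."),
    "frontdoor.cdn.example.": ("A", "192.0.2.10"),  # still served: fine
    "loop.example.edu.": ("CNAME", "loop2.example.edu."),
    "loop2.example.edu.": ("CNAME", "loop.example.edu."),  # misconfigured loop
}


def fixture_lookup(name):
    """Offline resolver over the constructed fixture."""
    return FIXTURE.get(name)


def live_lookup(name):
    """Optional real resolver (assumes dnspython is installed). Maps NXDOMAIN to
    None and 'exists but no CNAME' to a terminal non-CNAME record."""
    import dns.resolver  # pip install dnspython
    try:
        ans = dns.resolver.resolve(name, "CNAME")
        return ("CNAME", ans[0].target.to_text())
    except dns.resolver.NoAnswer:
        return ("A", None)
    except dns.resolver.NXDOMAIN:
        return None


def audit_cname(name, lookup=fixture_lookup, max_hops=8):
    """Follow CNAMEs from `name`. Returns (status, chain); status is one of
    'no_cname', 'ok', 'dangling', 'loop'. 'dangling' is the takeover risk."""
    name = name if name.endswith(".") else name + "."
    chain, rec = [name], lookup(name)
    if rec is None or rec[0] != "CNAME":
        return "no_cname", chain
    for _ in range(max_hops):
        target = rec[1]
        if target in chain:  # CNAME cycle, or hop limit exceeded below
            return "loop", chain
        chain.append(target)
        rec = lookup(target)
        if rec is None:  # target name does not exist: registrable by anyone
            return "dangling", chain
        if rec[0] != "CNAME":
            return "ok", chain
    return "loop", chain


def dangling_records(names, lookup=fixture_lookup):
    """Map each subdomain that needs cleanup to the unresolvable target."""
    findings = {}
    for n in names:
        status, chain = audit_cname(n, lookup)
        if status == "dangling":
            findings[chain[0]] = chain[-1]
    return findings
```

A target that still resolves can sometimes be claimed at the hosting provider without any DNS change, so this check covers only the unregistered-domain case the article describes; run it against the full zone export rather than a hand-picked list.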

The full scope of the abuse is still emerging. Shakhov is continuing to catalog hijacked domains and expects the list to grow. "We're seeing the tip of an iceberg," he said.
