Steadvar — News without the noise


University Subdomains Hijacked to Serve Malware and Explicit Content

Technology · Education · 4/24/2026

Researchers have discovered that hundreds of decommissioned subdomains belonging to prestigious universities are being hijacked to serve explicit pornography and malicious scam sites. The exploitation occurs when administrators fail to remove outdated technical records, allowing attackers to take control. This poses a direct security risk to anyone visiting these seemingly legitimate university web addresses.

Facts First

  • Hundreds of subdomains for at least 34 universities are being abused, including those of UC Berkeley, Columbia, and Washington University in St. Louis.
  • Hijacked pages serve explicit pornography and scam sites that falsely claim a visitor's computer is infected.
  • Google search results list thousands of hijacked pages, with one Columbia subdomain redirecting to a hijacked UC Berkeley site.
  • The exploitation occurs due to outdated CNAME records left after a subdomain is decommissioned.
  • A separate researcher has linked the scammers to a known group tracked as Hazy Hawk.

What Happened

Security researcher Alex Shakhov found that decommissioned subdomains of several universities are serving explicit pornography and malicious content. The affected domains include berkeley.edu (University of California, Berkeley), columbia.edu (Columbia University), and washu.edu (Washington University in St. Louis). Specific hijacked subdomains redirect to pornographic videos or scam sites that falsely claim a visitor's computer is infected and advise paying a fee. Shakhov stated that hundreds of subdomains for at least 34 universities are being abused, with Google search results listing thousands of hijacked pages. One hijacked Columbia subdomain redirects to a site on a hijacked UC Berkeley subdomain.

Why this Matters to You

If you search for or click on a link to a university resource, you could be redirected to a malicious site without warning. This could expose you to explicit content or scams designed to steal your money by falsely claiming your computer is infected. Your trust in legitimate .edu web addresses may be compromised. The scale of the issue suggests this risk could be widespread across many educational institutions.

What's Next

University IT departments are likely to review and clean up their outdated domain records to prevent further hijacking. Visitors to university websites should remain cautious about unexpected redirects or security warnings. The involvement of a known scammer group, Hazy Hawk, suggests this campaign may continue until the vulnerable technical records are removed.
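
The cleanup described above can start with an audit of the zone's own CNAME records. The following is an added example, not code from the article or the researchers: it flags CNAMEs whose target sits outside the zone and no longer resolves. The zone contents, all hostnames, and the `resolves` callback are constructed assumptions.

```python
import socket

# Constructed sample zone export (BIND-style); every name is a placeholder.
SAMPLE_ZONE = """\
$ORIGIN example.edu.
www        3600 IN A     192.0.2.10
library    3600 IN CNAME www
events2019 3600 IN CNAME events2019.oldhost.example.  ; decommissioned site
lab-signup 300  IN CNAME lab-signup.formvendor.example.
alumni     3600 IN CNAME portal.livevendor.example.
"""

def absolute(name, origin):
    """Expand a zone-file name to a lower-case FQDN without the trailing dot."""
    if name == "@":
        return origin
    return name[:-1].lower() if name.endswith(".") else f"{name}.{origin}".lower()

def parse_cnames(zone_text):
    """Return (origin, [(owner_fqdn, target_fqdn), ...]) for each CNAME record."""
    origin, records = "", []
    for line in zone_text.splitlines():
        fields = line.split(";")[0].split()          # strip comments
        if not fields:
            continue
        if fields[0].upper() == "$ORIGIN" and len(fields) > 1:
            origin = fields[1].rstrip(".").lower()
            continue
        types = [f.upper() for f in fields]
        if "CNAME" in types[1:] and types.index("CNAME", 1) + 1 < len(fields):
            target = fields[types.index("CNAME", 1) + 1]
            records.append((absolute(fields[0], origin), absolute(target, origin)))
    return origin, records

def system_resolves(name):
    """Live lookup: True if the name resolves to any address."""
    try:
        return bool(socket.getaddrinfo(name, None))
    except socket.gaierror:
        return False

def find_dangling(zone_text, resolves=system_resolves):
    """List CNAMEs pointing outside the zone at a target that does not resolve."""
    origin, records = parse_cnames(zone_text)
    return [(owner, target) for owner, target in records
            if not (target == origin or target.endswith("." + origin))
            and not resolves(target)]

if __name__ == "__main__":
    live = {"portal.livevendor.example"}   # constructed: targets that still resolve
    for owner, target in find_dangling(SAMPLE_ZONE, resolves=live.__contains__):
        print(f"DANGLING {owner} -> {target}")
```

A target that still resolves is not flagged, so records pointing at a hosting service where the resource itself was deleted need a separate check against that provider's inventory.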

Perspectives

Critics of Site Administration argue that the administrators' record-keeping is "shoddy" and that the scammers were able to succeed by exploiting "what amounts to a clerical error by site administrators of the affected universities".
Concerned Observers highlight the reputational damage caused by the fraud, noting that the scammers are effectively "Hijacking a university's good name".