University DNS Hijacking 2026: How 34 .edu Domains Fell to Porn Scammers
At least 34 university domains — including Berkeley, Columbia, and Washington University in St. Louis — were hijacked to serve pornography and scam content via abandoned CNAME DNS records, researcher Alex Shakhov confirmed on 24 April 2026. The campaign, linked to threat group Hazy Hawk, exploits basic administrative negligence rather than software vulnerabilities.
LONDON, 3 May 2026 — Websites belonging to at least 34 of the world's most prestigious universities, including the University of California, Berkeley, Columbia University, and Washington University in St. Louis, have been found serving explicit pornography and malicious scam content after attackers exploited abandoned DNS records, as reported by Ars Technica on 24 April 2026. Security researcher Alex Shakhov, founder of SH Consulting, identified hundreds of compromised subdomains, and Google search results list thousands of hijacked pages across .edu domains. The attack vector, dangling CNAME records left behind when subdomains are decommissioned, is neither novel nor technically complex, yet its exploitation at this scale exposes a systemic failure in higher-education DNS governance. A separate researcher has attributed the campaign to a known threat group tracked as Hazy Hawk, which specialises in exploiting orphaned DNS entries. This analysis examines the technical mechanics of the attack, the reputational and regulatory risks facing affected institutions, and the broader implications for domain hygiene across sectors including government, healthcare, and finance.
Executive Summary
• At least 34 university domains compromised via abandoned CNAME DNS records, researcher Alex Shakhov confirmed on 24 April 2026.
• Affected institutions include berkeley.edu, columbia.edu, and washu.edu — three of the top 20 US research universities by endowment value.
• Google search results return thousands of hijacked .edu pages serving explicit pornography and tech-support scam malware warnings.
• The campaign is linked to Hazy Hawk, a threat actor group known for DNS record exploitation.
• The root cause is not a software vulnerability but administrative negligence: failure to remove CNAME records when subdomains are retired.
• The attack leverages the high domain authority of .edu addresses — typically rated 80–95 on Moz's 100-point scale — to boost SEO rankings for malicious content.
Key Developments
How Dangling CNAME Records Enable Subdomain Hijacking
The attack exploits a well-documented but persistently unaddressed weakness in DNS management. When a university stands up a subdomain, for example provost.washu.edu, on a third-party platform such as Amazon Web Services, Microsoft Azure, or a content delivery network, its DNS zone typically contains a CNAME record pointing that subdomain at a hostname the provider assigned to the resource. When the subdomain is decommissioned, because a project ends, a department restructures, or a development environment is shut down, the cloud resource is deleted but the CNAME record frequently remains in the zone. This is what security professionals call a "dangling" CNAME. An attacker who can create a resource with the same provider hostname, or register the target domain if it has expired, takes over the subdomain without touching the university's systems: resolvers still follow the university's own CNAME to the attacker's host, and browsers connect to it under the trusted .edu name. Because the attacker controls the host the name resolves to, they can also pass the HTTP-based domain validation used by public certificate authorities, so the hijacked page can be served over HTTPS with a valid certificate. Shakhov documented examples including hXXps://causal.stat.berkeley.edu serving pornographic video pages and hXXps://conversion-dev.svc.cul.columbia.edu hosting Brazzers-branded content. At Washington University in St. Louis, the subdomain hXXps://provost.washu.edu was found serving a malicious PDF through its Formidable Forms upload path.
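The CNAME-following logic that turns the mechanism above into a check, as an added example (not tooling from Shakhov's research or from any vendor named in this article). The resolver is injected so the demo runs offline against constructed records for example.edu; the provider suffix list, the record set and the `example.edu` names are illustrative assumptions. In production the same `classify` function would be driven by a real lookup such as dnspython's `dns.resolver.resolve`, and every "verify" result would be followed by an HTTP request to the target to look for the provider's unclaimed-resource response.

```python
"""Classify a hostname's CNAME chain as live, dangling, or in need of a service-level check.

Added illustration for this article, not tooling from the research it describes.
The resolver is injected so the demo runs offline against constructed records.
"""
from typing import Callable, Dict, List, Tuple, Union

NXDOMAIN = "NXDOMAIN"   # the queried name does not exist
SERVFAIL = "SERVFAIL"   # lookup failed; inconclusive
Answer = Union[List[str], str]             # rdata strings, or one of the sentinels above
Resolver = Callable[[str, str], Answer]    # (owner name, record type) -> Answer

# Provider hostnames that can keep resolving after the tenant's resource is deleted
# (wildcard endpoints), so a resolving target still needs an HTTP check for the
# provider's "unclaimed" response. Illustrative assumption, not an exhaustive list.
CLAIMABLE_SUFFIXES = (
    ".s3.amazonaws.com.", ".s3-website-us-east-1.amazonaws.com.",
    ".github.io.", ".herokuapp.com.", ".azurewebsites.net.", ".trafficmanager.net.",
)


def fqdn(name: str) -> str:
    """Normalise to a lower-case absolute name with a trailing dot."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def _result(chain: List[str], verdict: str) -> Dict[str, object]:
    return {"owner": chain[0], "chain": chain, "target": chain[-1], "verdict": verdict}


def classify(owner: str, resolve: Resolver, max_depth: int = 8) -> Dict[str, object]:
    """Follow CNAMEs from `owner` and return {"owner", "chain", "target", "verdict"}.

    Verdicts: live (chain ends in addresses at a non-claimable host); dangling (a
    CNAME target does not exist, so whoever creates it inherits the traffic); verify
    (chain ends in addresses at a claimable provider, check the service response);
    nodata (exists without addresses); loop; too_deep; error; nxdomain (the owner
    itself does not exist, nothing to hijack).
    """
    chain = [fqdn(owner)]
    while len(chain) <= max_depth:
        current = chain[-1]
        cname = resolve(current, "CNAME")
        if cname == SERVFAIL:
            return _result(chain, "error")
        if cname == NXDOMAIN:
            return _result(chain, "dangling" if len(chain) > 1 else "nxdomain")
        if not cname:                      # name exists but carries no CNAME: end of chain
            addrs = resolve(current, "A")
            if addrs == SERVFAIL:
                return _result(chain, "error")
            if addrs == NXDOMAIN:
                return _result(chain, "dangling" if len(chain) > 1 else "nxdomain")
            if not addrs:
                return _result(chain, "nodata")
            claimable = current.endswith(CLAIMABLE_SUFFIXES)
            return _result(chain, "verify" if len(chain) > 1 and claimable else "live")
        target = fqdn(cname[0])
        if target in chain:
            return _result(chain + [target], "loop")
        chain.append(target)
    return _result(chain, "too_deep")


def make_resolver(records: Dict[Tuple[str, str], List[str]]) -> Resolver:
    """Resolver over constructed records: unknown owners answer NXDOMAIN, known
    owners without the requested type answer an empty list (NODATA)."""
    owners = {owner for owner, _ in records}

    def resolve(name: str, rtype: str) -> Answer:
        name = fqdn(name)
        return NXDOMAIN if name not in owners else records.get((name, rtype), [])

    return resolve


# Constructed sample (example.edu, documentation addresses): not real records.
SAMPLE_RECORDS: Dict[Tuple[str, str], List[str]] = {
    ("www.example.edu.", "CNAME"): ["d111111abcdef8.cloudfront.net."],
    ("d111111abcdef8.cloudfront.net.", "A"): ["203.0.113.10"],
    # App Service deleted: its hostname is now NXDOMAIN, and whoever recreates it gets the traffic.
    ("old-portal.example.edu.", "CNAME"): ["old-portal-prod.azurewebsites.net."],
    # S3 website endpoints resolve via wildcard whether or not the bucket still exists.
    ("static.example.edu.", "CNAME"): ["example-static.s3-website-us-east-1.amazonaws.com."],
    ("example-static.s3-website-us-east-1.amazonaws.com.", "A"): ["198.51.100.7"],
    ("loop-a.example.edu.", "CNAME"): ["loop-b.example.edu."],
    ("loop-b.example.edu.", "CNAME"): ["loop-a.example.edu."],
    ("mail.example.edu.", "A"): ["192.0.2.25"],
}


def audit(names, resolve: Resolver) -> Dict[str, Dict[str, object]]:
    return {fqdn(n): classify(n, resolve) for n in names}


if __name__ == "__main__":
    resolver = make_resolver(SAMPLE_RECORDS)
    ours = [o for o, _ in SAMPLE_RECORDS if o.endswith("example.edu.")]
    for name, r in audit(ours, resolver).items():
        print(f"{r['verdict']:9} {name} -> {' -> '.join(r['chain'][1:]) or '(no CNAME)'}")
```

Only the "dangling" verdict is conclusive from DNS alone; "verify" exists because wildcard provider endpoints make a resolving target look healthy even when the underlying bucket or app is gone, which is exactly the case a naive "does it resolve" check misses.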
Scale of the Compromise
According to Shakhov's research, hundreds of subdomains across at least 34 universities have been hijacked, and Google's index reveals thousands of individual pages served through them. The threat actor group Hazy Hawk, linked to the campaign by a separate unnamed researcher cited in the Ars Technica report, has been tracked in previous incidents involving the same technique. The scale points to automated discovery: zone files themselves are not public, but passive DNS datasets, certificate transparency logs and ordinary subdomain enumeration expose CNAME records whose targets no longer resolve, and checking each candidate requires minimal technical sophistication. University .edu domains carry exceptional trust signals. SEO practitioners have long treated .edu backlinks as high-authority (Google itself has said it applies no special weighting to the TLD, but the age and link profile of university sites produce the same effect), and the average .edu domain scores above 85 on Moz's Domain Authority metric. For scammers running SEO-driven campaigns, hijacking even a single .edu subdomain can dramatically boost the visibility of malicious content in organic search results.
Market Context & Competitive Landscape
DNS Security Vendors and the Detection Gap
The incident raises pointed questions about the efficacy of existing DNS security tooling. Vendors including Infoblox, Cloudflare, and Akamai all offer DNS management and security products, yet dangling CNAME detection remains an afterthought in most enterprise DNS platforms. Infoblox, which holds an estimated 52% share of the enterprise DDI (DNS, DHCP, IPAM) market according to EMA Research's 2025 report, offers zone auditing but does not natively flag orphaned CNAMEs pointing to deprovisioned cloud resources. Cloudflare's DNSSEC signing protects the integrity of responses against cache poisoning and spoofing, and its proxy hides origin addresses, but neither addresses the administrative failure of leaving stale records in place: a correctly signed CNAME to an attacker-controlled host is still a hijack. Open-source tools such as Subfinder (subdomain enumeration) and Subjack (which resolves each name's CNAME and matches the target against fingerprints of claimable services) can surface takeover conditions, yet their use requires proactive security operations, precisely the resource gap that universities typically suffer from.
| Vendor | DNSSEC Support | Zone-File Auditing | Dangling CNAME Detection | Primary Use Case |
|---|---|---|---|---|
| Infoblox | Yes | Yes | Limited* | Enterprise DDI management |
| Cloudflare | Yes | Partial | No | CDN, DDoS protection, DNS proxy |
| Akamai Edge DNS | Yes | Yes | No | Authoritative DNS, edge security |
| Subjack (open source) | N/A | N/A | Yes | Subdomain takeover detection |
Source: Vendor documentation and EMA Research DDI Market Report, 2025. *Infoblox requires custom scripting for orphaned record checks.
University IT Spending in Context
According to EDUCAUSE's 2025 Top 10 IT Issues survey, cybersecurity ranked as the number-one concern for higher-education IT leaders for the seventh consecutive year. Yet median IT security spending at US doctoral institutions was just 6.7% of total IT budgets in the 2024–25 fiscal year — well below the 10–14% range recommended by Gartner for organisations of comparable complexity. Berkeley's annual IT budget exceeds $200 million, Columbia's is estimated at $180 million, and Washington University in St. Louis allocates approximately $95 million, according to publicly available budget documents. Despite these substantial figures, DNS hygiene — the routine auditing and removal of stale records — rarely features as a line item or KPI in university IT security programmes.
Industry Implications
Higher Education: Reputational and Regulatory Exposure
For institutions that charge upwards of $60,000 per year in tuition and compete globally for research funding, serving pornography from an official subdomain poses an acute reputational risk. The US Federal Trade Commission has increasingly scrutinised organisations whose domains are used — even unknowingly — to distribute deceptive or harmful content. Under FERPA and state-level data-breach notification laws, universities may face regulatory scrutiny if compromised subdomains are found to have harvested visitor data or distributed malware. In the UK, universities operating under .ac.uk domains face similar exposure under the Information Commissioner's Office enforcement framework, particularly where GDPR obligations apply to site visitors from EU member states.
Government and Healthcare: The Parallel Risk
The .edu domain ecosystem is not unique in its vulnerability. Government domains (.gov, .gov.uk) and healthcare organisations using cloud-hosted subdomains face identical risks. A 2024 study by Palo Alto Networks' Unit 42 found that 15% of large enterprise DNS zone files contained at least one dangling CNAME record. For the financial services sector, where domain reputation directly affects fraud detection and email deliverability scores, the implications of a similar attack would be equally severe.
Business20Channel.tv Analysis
The Real Failure Is Institutional, Not Technical
What makes this incident instructive is not the sophistication of the attack, of which there is almost none, but the completeness with which it exposes a governance vacuum in higher-education IT. DNS record management is a housekeeping task. It requires no advanced tooling, no zero-day exploit knowledge, and no nation-state budget. It requires a process: when a subdomain is decommissioned, the corresponding CNAME record must be deleted in the same change. At 34 or more major universities, that process evidently failed. This is not a failure of technology. It is a failure of institutional accountability. In our assessment, the root cause lies in the structural separation between the teams that commission cloud infrastructure and the teams responsible for DNS zone integrity. At large research universities, individual departments, labs, and administrative offices routinely spin up subdomains for short-lived projects: a conference registration page, a temporary data-sharing portal, a development-stage application. When the project ends, the cloud resource is terminated, but no ticket is raised to clean up the DNS record. The IT security team, meanwhile, focuses its limited budget on endpoint detection, identity management, and network perimeter defences.
Why Hazy Hawk's Approach Scales
The attribution to Hazy Hawk is significant because it suggests industrialised exploitation. Hazy Hawk, first named publicly by Infoblox Threat Intel in 2025 and documented in subsequent threat intelligence reporting, operates at scale by programmatically mining public DNS data for orphaned CNAMEs pointing to claimable cloud resources. The economics are compelling: a single .edu subdomain hijack can generate substantial advertising revenue through adult-content affiliate programmes, while the SEO value of a high-authority .edu backlink makes the hijacked page rank prominently in Google search results within days. Our analysis indicates that the campaign's revenue model likely combines three streams: pay-per-click adult advertising, tech-support scam conversions (where victims pay $50–$300 for fictitious malware removal), and potentially the resale of high-authority backlinks on grey-market SEO exchanges, where a single .edu link can command $500–$2,000. The combined annual revenue across thousands of hijacked pages could plausibly reach six figures.
What Institutions Should Do Immediately
The remediation path is straightforward. First, every affected university must audit its DNS zones and remove every CNAME record whose target no longer resolves or is no longer a resource the institution controls; tools like Subjack or commercial equivalents can produce the candidate list in hours, though each hit should be confirmed before deletion, since some provider hostnames keep resolving after the tenant resource is gone and only an HTTP check reveals the unclaimed state. Second, institutions should implement automated monitoring that flags dangling records within 24 hours of a cloud resource being deprovisioned. Third, DNS record creation and deletion should be coupled to infrastructure lifecycle management, through ticketing systems or through provider features such as Azure DNS alias records that are bound to the lifecycle of the resource they point to, ensuring no record outlives its associated resource. These are not expensive measures. They are basic operational hygiene.
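The third step above, reconciling the zone against what the institution actually still owns, is the part most audits skip, so here it is worked through as an added example (not code from the research, any vendor, or any affected university). The zone text, the resource inventory and the `example.edu` names are constructed for the illustration; in practice the inventory would be pulled from the cloud provider APIs and the decommissioning ticket queue, and the generated `nsupdate` batch would be reviewed before it is sent.

```python
"""Reconcile a zone's CNAME records against an inventory of cloud resources the
institution still owns, and emit the deletions.

Added illustration for this article, not code from the research or any vendor.
Zone text and inventory are constructed; the parser is deliberately minimal.
"""
from typing import Dict, List, Set, Tuple

SAMPLE_ZONE = """\
$ORIGIN example.edu.
$TTL 3600
@               IN SOA   ns1.example.edu. hostmaster.example.edu. ( 2026042401 7200 3600 1209600 3600 )
@               IN NS    ns1.example.edu.
www             IN CNAME d111111abcdef8.cloudfront.net.
old-portal      IN CNAME old-portal-prod.azurewebsites.net.   ; project ended 2025, App Service deleted
static   300    IN CNAME example-static.s3-website-us-east-1.amazonaws.com.
conference2024     CNAME conf.example-eventvendor.com.
mail            IN A     192.0.2.25
"""

# Provider hostnames the university still owns, as a cloud-API inventory would report them.
LIVE_RESOURCES: Set[str] = {
    "d111111abcdef8.cloudfront.net.",
    "example-static.s3-website-us-east-1.amazonaws.com.",
}
# Suffixes under which the university provisions resources itself; a CNAME into one of
# these whose target is absent from the inventory has outlived its resource.
MANAGED_SUFFIXES = (".cloudfront.net.", ".azurewebsites.net.", ".s3-website-us-east-1.amazonaws.com.")


def fqdn(name: str) -> str:
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def qualify(name: str, origin: str) -> str:
    """Make a zone-file name absolute: relative names get the current $ORIGIN appended."""
    name = name.lower()
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_cnames(zone_text: str) -> List[Tuple[str, str]]:
    """Minimal BIND zone reader: honours $ORIGIN, ';' comments, blank-owner continuation
    lines, and optional TTL/class fields. Returns (owner, target) pairs as FQDNs."""
    origin, last_owner, out = ".", None, []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = fqdn(line.split()[1])
            continue
        if line.startswith("$"):          # $TTL, $INCLUDE and friends: not needed here
            continue
        tokens = line.split()
        if line[0] in " \t":              # blank owner field repeats the previous owner
            owner = last_owner
        else:
            first = tokens.pop(0)
            owner = origin if first == "@" else qualify(first, origin)
        last_owner = owner
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in ("IN", "CH", "HS")):
            tokens.pop(0)                 # skip optional TTL and class
        if len(tokens) >= 2 and tokens[0].upper() == "CNAME":
            out.append((owner, qualify(tokens[1], origin)))
    return out


def reconcile(cnames, live: Set[str], managed) -> Dict[str, List[Tuple[str, str]]]:
    """ok: target still in inventory. delete: target under a managed suffix but gone from
    inventory (orphaned record). review: third-party target, confirm it is still registered
    and still the intended vendor before keeping it."""
    report: Dict[str, List[Tuple[str, str]]] = {"ok": [], "delete": [], "review": []}
    for owner, target in cnames:
        if target in live:
            report["ok"].append((owner, target))
        elif target.endswith(managed):
            report["delete"].append((owner, target))
        else:
            report["review"].append((owner, target))
    return report


def nsupdate_script(to_delete, server: str = "ns1.example.edu") -> str:
    """Render an nsupdate batch removing the orphaned CNAMEs (server name is an assumption)."""
    lines = [f"server {server}"]
    lines += [f"update delete {owner} CNAME" for owner, _ in to_delete]
    lines.append("send")
    return "\n".join(lines)


if __name__ == "__main__":
    report = reconcile(parse_cnames(SAMPLE_ZONE), LIVE_RESOURCES, MANAGED_SUFFIXES)
    for verdict, pairs in report.items():
        for owner, target in pairs:
            print(f"{verdict:7} {owner} -> {target}")
    print(nsupdate_script(report["delete"]))
```

Run on a schedule against the live zone and a freshly exported inventory, this is the "flag within 24 hours" monitor the second step asks for; the "review" bucket is where third-party vendor hostnames land, and those need the registration check that inventory reconciliation cannot perform.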
| University | Domain | Moz Domain Authority (est.) | Confirmed Hijacked Subdomains | Content Type Served |
|---|---|---|---|---|
| UC Berkeley | berkeley.edu | 93 | Multiple (confirmed by Shakhov) | Explicit pornography |
| Columbia University | columbia.edu | 94 | Multiple (confirmed by Shakhov) | Explicit pornography |
| Washington University in St. Louis | washu.edu | 87 | Multiple (confirmed by Shakhov) | Pornography, tech-support scam |
| 30+ additional institutions | Various .edu | 70–95* | Hundreds (aggregate) | Mixed malicious content |
Source: Alex Shakhov / SH Consulting via Ars Technica, 24 April 2026. Moz DA scores estimated from Moz's public domain lookup tool. *Range represents typical .edu domain authority scores.
Why This Matters for Industry Stakeholders
For CISOs in any sector, this incident is a case study in how low-complexity attacks exploit process gaps rather than software vulnerabilities. The specific risks are threefold. First, brand and reputational damage: any organisation whose domain serves malicious content, even via an obscure subdomain, faces public embarrassment and potential loss of stakeholder trust. Second, SEO contamination: Google may apply manual penalties or algorithmic downranking to domains found hosting spam or malicious content, potentially affecting the visibility of legitimate pages; Google's spam policies explicitly address hacked content and can result in site-wide ranking suppression. Third, legal liability: the NIST Cybersecurity Framework is voluntary, but universities handling controlled unclassified information under federal research contracts must meet NIST SP 800-171, and a failure to maintain basic DNS hygiene could be cited in future enforcement actions or funding reviews. For the cybersecurity vendor community, this incident represents a market opportunity. Dangling CNAME detection is a feature gap in nearly every major DNS platform. The vendor that integrates automated orphaned-record alerting into a mainstream DDI or cloud security posture management product will address a clearly demonstrated need.
Forward Outlook
The Hazy Hawk campaign against .edu domains is unlikely to be an isolated event. As organisations accelerate cloud adoption — Gartner projects global public cloud spending will exceed $830 billion in 2026 — the volume of ephemeral subdomains and associated DNS records will only grow. Without automated lifecycle coupling between cloud resource provisioning and DNS record management, the attack surface will expand proportionally. We expect at least three developments over the next 12 to 18 months. First, Google is likely to tighten its handling of .edu domains in search rankings, potentially introducing subdomain-level trust signals rather than blanket domain-level authority — a shift that would materially affect how universities manage their web presence. Second, EDUCAUSE and equivalent bodies such as Jisc in the United Kingdom will likely issue formal guidance on DNS record lifecycle management, possibly making it a condition of shared cybersecurity frameworks. Third, we anticipate that at least one major DNS or cloud security vendor — Infoblox, Cloudflare, or a challenger — will ship a dedicated dangling-CNAME detection feature before the end of 2026, positioning it as essential infrastructure hygiene rather than a premium add-on. The open question is whether universities, with their decentralised governance structures and constrained IT budgets, will implement fixes before the next wave of attacks. History suggests they will not move quickly enough — and Hazy Hawk, or groups like it, will continue to exploit the gap between what institutions know they should do and what they actually do.
Key Takeaways
• At least 34 universities — including Berkeley, Columbia, and Washington University in St. Louis — had subdomains hijacked to serve pornography and scam content, as confirmed by researcher Alex Shakhov on 24 April 2026.
• The attack vector is abandoned CNAME DNS records, a basic administrative oversight, not a software vulnerability.
• The campaign is linked to Hazy Hawk, a threat group that systematically scans for and exploits orphaned DNS entries at scale.
• No major DNS platform flags dangling CNAMEs out of the box: Infoblox requires custom scripting, and Cloudflare and Akamai offer nothing equivalent, representing both a governance gap and a commercial opportunity.
• Remediation is low-cost and technically straightforward — the barrier is institutional process, not technology.
References & Bibliography
[1] Goodin, D. (2026, April 24). Why are top university websites serving porn? It comes down to shoddy housekeeping. Ars Technica.
[2] Moz. (2026). Domain Authority Lookup Tool. moz.com.
[3] EDUCAUSE. (2025). 2025 Top 10 IT Issues. educause.edu.
[4] Gartner. (2025). Forecast: Public Cloud Services, Worldwide, 2024–2028. gartner.com.
[5] Palo Alto Networks Unit 42. (2024). DNS Threat Landscape Report. paloaltonetworks.com/unit42.
[6] Infoblox. (2026). DDI Platform Documentation. infoblox.com.
[7] Cloudflare. (2026). DNS Security Documentation. cloudflare.com.
[8] Akamai. (2026). Edge DNS Product Overview. akamai.com.
[9] Project Discovery. (2026). Subfinder — Subdomain Enumeration Tool. github.com.
[10] Haccer. (2025). Subjack — Subdomain Takeover Tool. github.com.
[11] US Federal Trade Commission. (2026). Consumer Protection Enforcement. ftc.gov.
[12] UK Information Commissioner's Office. (2026). GDPR Enforcement Framework. ico.org.uk.
[13] NIST. (2024). Cybersecurity Framework Version 2.0. nist.gov.
[14] Google. (2026). Spam Policies for Google Web Search. developers.google.com.
[15] Jisc. (2026). Cybersecurity Guidance for UK Higher Education. jisc.ac.uk.
[16] Amazon Web Services. (2026). Route 53 DNS Documentation. aws.amazon.com.
[17] EMA Research. (2025). Enterprise DDI Market Report.
[18] University of California, Berkeley. (2025). Annual IT Budget Summary.
[19] Columbia University. (2025). Information Technology Budget Overview.
[20] Washington University in St. Louis. (2025). Technology and Information Services Budget.
[21] Business20Channel.tv. (2026). AI and Cybersecurity Coverage. business20channel.tv.
About the Author
Aisha Mohammed
Technology & Telecom Correspondent
Aisha covers EdTech, telecommunications, conversational AI, robotics, aviation, proptech, and agritech innovations. Experienced technology correspondent focused on emerging tech applications.
Frequently Asked Questions
How were university websites hijacked to serve pornographic content in 2026?
Attackers exploited abandoned CNAME DNS records — entries that point a subdomain to a canonical domain name. When universities decommission subdomains but fail to delete the corresponding CNAME record, the record becomes 'dangling.' Threat actors, specifically the group known as Hazy Hawk, claim the orphaned cloud resources that these records point to, effectively gaining control of the subdomain. Researcher Alex Shakhov identified hundreds of compromised subdomains across at least 34 universities, with Google indexing thousands of hijacked pages as of 24 April 2026. The attack requires no exploitation of software vulnerabilities — only the administrative oversight of leaving stale DNS records in place.
Which universities were affected by the DNS subdomain hijacking attack?
The confirmed affected institutions include the University of California, Berkeley (berkeley.edu), Columbia University (columbia.edu), and Washington University in St. Louis (washu.edu), according to research published by Alex Shakhov of SH Consulting on 24 April 2026. In total, at least 34 universities had subdomains compromised. Specific hijacked subdomains included causal.stat.berkeley.edu, conversion-dev.svc.cul.columbia.edu, and provost.washu.edu. These are among the highest-ranked research universities in the United States, with domain authority scores estimated between 87 and 94 on Moz's 100-point scale.
What is the financial impact of .edu subdomain hijacking for universities?
The direct financial impact includes remediation costs, potential regulatory fines, and reputational damage that could affect tuition enrolment and research funding. Universities charging upwards of $60,000 per year in tuition face acute brand risk when official subdomains serve explicit content. Google may also apply algorithmic or manual ranking penalties to affected domains, reducing the visibility of legitimate university pages in search results. For attackers, the revenue model combines adult advertising pay-per-click income, tech-support scam conversions averaging $50–$300 per victim, and potential resale of high-authority .edu backlinks valued at $500–$2,000 each on grey-market SEO exchanges.
What tools can detect dangling CNAME records and prevent subdomain takeover?
Open-source tools such as Subjack and Subfinder can enumerate subdomains and check for takeover conditions by identifying CNAME records pointing to unclaimed cloud resources. However, these tools require proactive use by security operations teams. Among commercial vendors, Infoblox offers zone-file auditing but requires custom scripting for orphaned-record detection, while Cloudflare and Akamai do not currently offer native dangling-CNAME detection features. The key gap is integration with cloud infrastructure lifecycle management — automated systems that delete DNS records when the associated cloud resource is deprovisioned. No major vendor shipped this capability as a standard feature as of April 2026.
Will DNS subdomain hijacking attacks increase in 2026 and beyond?
The attack surface is expanding. Gartner projects global public cloud spending will exceed $830 billion in 2026, meaning the volume of ephemeral subdomains and associated DNS records will grow correspondingly. Without automated coupling between cloud resource deprovisioning and DNS record deletion, dangling CNAMEs will accumulate. The industrialised approach used by Hazy Hawk, programmatically mining public DNS data at scale for CNAMEs whose targets can be claimed, makes exploitation efficient and low-cost. We expect DNS security vendors to ship dedicated detection features within 12 to 18 months, and bodies such as EDUCAUSE and Jisc to issue formal lifecycle management guidance, but institutional adoption will likely lag behind the threat.