Digital Squatters in the Ivory Tower: How “Hazy Hawk” Hijacked Harvard, MIT, and Stanford Subdomains
A network of American universities has become ensnared in a pervasive assault that targeted not their instructional infrastructures directly, but rather their digital prestige. Adversaries commandeered dozens of abandoned subdomains within the .edu zone, populating them with explicit spam which Google subsequently indexed under the names of the nation’s most venerable academic institutions.
Alex Shakhov, founder of SH Consulting, unveiled the details of this malicious campaign. In early April 2026, he identified a coordinated hijacking of subdomains affecting at least thirty-four institutions, including MIT, Harvard, Stanford, UC Berkeley, Columbia, the University of Chicago, and Johns Hopkins University. According to Shakhov, the attackers exploited legacy DNS records that continued to point toward external platforms long after projects had concluded or accounts had been purged.
The mechanics of the stratagem were remarkably straightforward. University departments frequently established websites on third-party services, linking subdomains via CNAME records, yet failed to excise these entries from the DNS upon the site’s retirement. Once the external resource became derelict, the bad actors simply registered a new account with the requisite identifier, thereby assuming total sovereignty over the university-branded address. Shakhov cited a University of Chicago subdomain that remained tethered to an obsolete WP Engine hosting instance as a prime example.
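The record hygiene failure described above can be caught by a routine audit. The following is an added example (not from the article, Shakhov, or Infoblox): it parses a constructed BIND-style zone export, collects every CNAME, and flags any whose target no longer resolves. Name resolution is injected as a function so the example runs offline; `SAMPLE_ZONE`, `offline_resolver` and the hostnames are all constructed.

```python
"""Audit a DNS zone export for dangling CNAME records (added example)."""
from typing import Callable, Dict, List, Optional

# Constructed sample zone export; none of these names or addresses are real.
SAMPLE_ZONE = """\
; owner             TTL  class type  target
www.example.edu.    300  IN    A     192.0.2.10
blog.example.edu.   300  IN    CNAME legacy-site.hosting-provider.example.
events.example.edu. 300  IN    CNAME pages.active-saas.example.
lab.example.edu.    300  IN    CNAME oldproject.hosting-provider.example.
"""

Resolver = Callable[[str], Optional[str]]  # hostname -> address, or None if NXDOMAIN


def parse_cnames(zone_text: str) -> Dict[str, str]:
    """Return {owner: target} for every CNAME line in a zone export.

    Locates the CNAME token rather than a fixed column, so lines that omit
    the TTL or class are handled too. Trailing dots and case are normalised.
    """
    cnames: Dict[str, str] = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip comments and blanks
        if not line:
            continue
        fields = line.split()
        upper = [f.upper() for f in fields]
        if "CNAME" in upper:
            idx = upper.index("CNAME")
            if idx + 1 < len(fields):
                owner = fields[0].rstrip(".").lower()
                cnames[owner] = fields[idx + 1].rstrip(".").lower()
    return cnames


def find_dangling(zone_text: str, resolve: Resolver) -> List[str]:
    """Owners whose CNAME target no longer resolves: candidates for deletion."""
    return sorted(owner for owner, target in parse_cnames(zone_text).items()
                  if resolve(target) is None)


def offline_resolver(name: str) -> Optional[str]:
    """Constructed stand-in for a live lookup: only one target still exists."""
    live = {"pages.active-saas.example": "198.51.100.7"}
    return live.get(name)


if __name__ == "__main__":
    for owner in find_dangling(SAMPLE_ZONE, offline_resolver):
        print(f"dangling CNAME, remove or reclaim: {owner}")
```

Against a real zone, replace `offline_resolver` with a lookup that returns `None` on NXDOMAIN (for example a wrapper around `socket.gethostbyname` that catches `socket.gaierror`). A target that still resolves to a provider's shared address but whose account or site has been deleted is also reclaimable, so treat a clean NXDOMAIN pass as necessary but not sufficient.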
These usurped addresses were utilized to host pages saturated with pornographic material and search engine spam. Owing to the inherent authority associated with .edu domains, this content rapidly ascended through Google’s search rankings, appearing significantly higher than typical dubious sites. According to Infoblox, a parallel methodology was previously employed by the threat actor Hazy Hawk, a collective notorious for targeting governmental entities like the CDC and global consultancies such as Deloitte and PricewaterhouseCoopers.
Renée Burton, Vice President of Threat Intelligence at Infoblox, corroborated that the current campaign bears the distinctive hallmarks of Hazy Hawk. The group reportedly spends years scouting for “dangling” DNS records, temporarily utilizing hijacked subdomains to divert traffic through illicit affiliate networks before transitioning to new targets.
The crisis has transcended the academic sphere. Following Shakhov’s disclosure, specialists identified a similar vulnerability within the Department of Defense Education Activity (DoDEA), the federal entity overseeing schools for military families. Shakhov attributes the sheer scale of these incidents to inadequate subdomain auditing and the absence of DNS sanitation protocols post-project termination. In the decentralized collegiate environment—where departments, laboratories, and student organizations independently launch sites—orphaned records can persist for years, metamorphosing into ideal entry points for subsequent incursions.