Researchers Hijack Hacker Domain Using Name Server Delegation

GBHackers On Security, Jan 19, 2026

Why It Matters

The incident proves that weak DNS hygiene can be weaponized both by attackers and defenders, underscoring an urgent need for rigorous domain management across the internet.

Key Takeaways

  • Lame delegation lets anyone claim abandoned domains
  • Infoblox captured 57 million push‑notification logs
  • Network spanned 120 domains, 30 MB/s traffic
  • Ads generated only $350 daily, 1/60k CTR
  • 50% of victims located in South Asia

Pulse Analysis

DNS delegation is a foundational element of internet name resolution, yet many organizations overlook the security implications of misconfigured nameserver records. When a domain is delegated to external nameservers that hold no authoritative data for it (a condition known as a "lame delegation"), the domain becomes a "sitting duck" that can be claimed by any party able to obtain control of those nameservers through the registrar or hosting provider. Threat actors have long leveraged this weakness to host malware or run fraudulent campaigns, but the Infoblox study demonstrates that defenders can also turn the technique into a powerful intelligence-gathering tool.

By seizing control of abandoned malicious domains, Infoblox’s team positioned itself alongside the adversary’s infrastructure, receiving duplicate push‑notification payloads in cleartext. Over a two‑week window the operation harvested 57 million logs, revealing a global advertising network delivering deceptive content in more than 60 languages. The network’s economics were starkly inefficient—only $350 in daily revenue and a click‑through rate of roughly one in 60,000—yet it persisted, bombarding victims with an average of 140 notifications per day. The bulk of traffic originated from South Asia, highlighting regional exposure to low‑cost, high‑volume scam campaigns.

The broader lesson for enterprises is clear: DNS hygiene is no longer a back‑office concern but a frontline security control. Regular audits of nameserver delegations, verification that external servers host complete zone data, and rapid remediation of abandoned domains can eliminate the “sitting duck” condition. Organizations should also monitor for unexpected traffic spikes on domains they no longer actively use, as such anomalies often signal abuse. Strengthening DNS governance not only thwarts attackers from hijacking domains but also prevents defenders from needing to resort to unconventional interception tactics.
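The audit the previous paragraph calls for can be automated. The following is an added example (not code from Infoblox or GBHackers) that classifies each delegated nameserver as authoritative, lame, or dangling and turns the result into a per-zone verdict; the `lookup` callback, the `.test` hostnames and the sample table are assumptions constructed for an offline run, and in production the callback would issue real DNS queries.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple

# lookup(ns_host, zone) -> (ns_resolves, answers_authoritatively). A real audit
# backs this with DNS queries (resolve the NS host, ask it for the zone's SOA,
# check the AA flag); here it is injected so the logic runs offline.
Lookup = Callable[[str, str], Tuple[bool, bool]]

@dataclass(frozen=True)
class NsFinding:
    nameserver: str
    status: str  # "ok", "lame" (up, no zone data) or "dangling" (host unresolvable)

def audit_delegation(zone: str, nameservers: Iterable[str], lookup: Lookup) -> List[NsFinding]:
    """Classify each nameserver the parent zone delegates `zone` to."""
    findings = []
    for ns in nameservers:
        host = ns.lower().rstrip(".")
        resolves, authoritative = lookup(host, zone.lower().rstrip("."))
        if not resolves:
            status = "dangling"  # NS host has no address: its domain may have lapsed
        elif not authoritative:
            status = "lame"      # NS host is up but holds no data for this zone
        else:
            status = "ok"
        findings.append(NsFinding(host, status))
    return findings

def delegation_verdict(findings: List[NsFinding]) -> str:
    """'healthy' if every NS is authoritative, 'sitting duck' if none is, else 'degraded'."""
    ok = sum(f.status == "ok" for f in findings)
    if findings and ok == len(findings):
        return "healthy"
    return "sitting duck" if ok == 0 else "degraded"

# Constructed sample data, not real DNS records: (ns host, zone) -> (resolves, authoritative)
SAMPLE_TABLE = {
    ("ns1.dns-host.test", "active.test"): (True, True),
    ("ns2.dns-host.test", "active.test"): (True, True),
    ("ns1.lapsed-host.test", "abandoned.test"): (False, False),
    ("ns2.lapsed-host.test", "abandoned.test"): (False, False),
    ("ns1.dns-host.test", "half.test"): (True, False),
    ("ns2.dns-host.test", "half.test"): (True, True),
}

def sample_lookup(ns: str, zone: str) -> Tuple[bool, bool]:
    """Stand-in for live DNS lookups; unknown pairs behave like a dead nameserver."""
    return SAMPLE_TABLE.get((ns, zone), (False, False))
```

A "degraded" verdict still deserves attention: one lame nameserver out of two is enough for a share of resolvers to be steered to a host that anyone able to claim the zone there could answer from.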
