163 Brands Hijacked Through Abandoned DNS Delegations: Inside the Borrowed Trust Campaign

163 organizations across more than 30 countries had gambling content served under their own trusted domain names, with valid TLS certificates, clean browser padlocks, and no security alert firing anywhere. Federal government agencies, national healthcare systems, financial institutions, critical infrastructure operators, and major universities were all affected. Some of them had been exposed for over six years.

The attackers didn't breach a single firewall. They didn't exploit an application vulnerability. They didn't phish anyone. They simply claimed DNS infrastructure that these organizations had abandoned and forgotten to clean up.

This is the "Borrowed Trust" campaign, documented by Cyble Research and Intelligence Labs in June 2026. It's one of the clearest, largest-scale demonstrations to date of how abandoned DNS delegations turn into a systematic attack surface. And it's a textbook example of exactly the risk we've written about before: dangling DNS records, exploited at industrial scale.

What Happened

The campaign was an SEO poisoning operation. The attackers wanted to rank Thai-language online gambling sites in search results, and to do it, they needed domains with strong reputation and authority. Rather than building that reputation themselves, they borrowed it from legitimate enterprises by hijacking abandoned subdomains.