Education·

From the Ivory Tower, to Putting It All on Red

How a forgotten academic conference website got re-registered, repointed at Indonesian sportsbooks, and quietly turned the reputation of every paper that ever cited it into a backlink farm.

A lot of things on the web look permanent and aren't. Academic conference websites are one of the cleanest examples of this — they're high-trust, frequently cited, and almost always abandoned within a year of the event.

This is a story about one of them, surfaced by LinkSentry on a customer site, and about why "the link is still up" doesn't mean what it used to.

A bit of background on academic conferences

Computer-science research lives or dies on a small number of high-profile annual conferences. Getting a paper accepted at one is a meaningful signal — to the field, to funders, to tenure committees, to anyone deciding whether your work is worth taking seriously. One such conference is the ACM ASIA Conference on Computer and Communications Security, known as ASIACCS, where peer-reviewed work in applied cryptography, web security, IoT, and ML security gets presented every year.

ASIACCS 2026 happens this June. Plenty of strong papers on the program. Plenty of researchers refreshing the conference website on their phones.

We've got to go back

Our story isn't about ASIACCS 2026. It's about ASIACCS 2018.

Every year, the organizers of that year's edition stand up a new website with the call for papers, the schedule, the venue, the program committee, the proceedings link. The 2018 organizers had a choice: host the site under a subdomain of one of their universities (asiaccs2018.some-school.edu) or register a standalone name. They went with the standalone option and registered asiaccs2018.org.

Here's what asiaccs2018.org looked like in 2018, according to the Internet Archive:

ASIACCS 2018 Website Archive showing broken external links and security vulnerabilities

Who's paying for that, exactly?

ASIACCS 2018 happened. The papers got presented. The community moved on.

The next year a different team stood up the 2019 site under a different name, and asiaccs2018.org started doing what every conference site eventually does: nothing in particular, while still being linked to from hundreds of papers, slide decks, blog posts, university faculty pages, and the proceedings entries on ACM's own site.

Someone had to keep paying the registration fee. For a while, somebody did. At some point — either nobody remembered who owned it, or whoever did got tired of writing the check — the domain was let to expire.

Put it all on red

When a domain expires it goes back into the pool, and within hours an automated buyer picks it up. The math is mechanical: the domain has residual trust. Hundreds of academic citations and blog references still point at it. Anyone who controls the registration inherits the traffic those citations send, and inherits the SEO weight Google has accumulated for the name over years.

So what does a researcher in 2026 see when they click a footnote link to asiaccs2018.org?

Browser showing asiaccs2018.org redirecting to an Indonesian sportsbook landing page

Indonesian betting sites. Of course.

The network trace is straightforward: the request to asiaccs2018.org returns a 301 to tastemauritius.com, which is itself a thin landing page linking out to a rotation of Indonesian sportsbook brands. The redirect is the entire point. The new owner is monetizing residual academic citations as paid traffic into a gambling-affiliate funnel.

This works two ways simultaneously:

  • Direct. A fraction of the people who follow an old footnote land on the funnel and convert. Small percentage, but the cost-per-acquisition is zero — the citations were free traffic.
  • Indirect. Search engines re-crawl asiaccs2018.org, find new outbound links, and inherit the academic-grade reputation of the original name. PageRank-style algorithms are still half the search graph, and .org domains cited by .edu and .gov pages are valuable launderable signal.

The really uncomfortable detail: the attacker can change the redirect target whenever they like. Indonesian sportsbooks today. Fake antivirus tomorrow. A credential-phishing kit next week. The domain is the asset; what it serves is whatever pays best in the moment.

How widespread is this

It's the rule, not the exception. Pick any organization with more than five years of blog history and audit their outbound .org and .edu links. You'll find at least one. Usually several. The bigger and older the site, the worse the ratio gets.

Conference websites are a particularly clean target because the citation graph for any given paper effectively guarantees long-tail traffic forever, and almost no academic field has the operational discipline to retire old domains gracefully.

What you can actually do

Two options.

The hand-rolled version:

  • Catalog every page and every subdomain of your site
  • Extract every outbound link, including the ones generated by client-side JavaScript and rendered only behind auth
  • Build policies for "this domain is now serving content that diverges from what was originally linked"
  • Run those policies daily, because the redirect target rotates and yesterday's snapshot is already wrong

This works. It also costs you an engineer-month per quarter once you scale past a few hundred pages.

Or use LinkSentry. We do the cataloging by observing real visitor sessions (no crawler blind spots), watch the inventory continuously, and notify you when a destination starts behaving like a hijacked one. Including, specifically, the kind of slow-burn redirect chain that the asiaccs2018 case represents.

Either way: don't trust the link just because the URL hasn't changed. The URL was never the part that mattered.

Check us out at linksentry.io.

Share this article