Wednesday, 15 October 2025
The “Spy Dog” URL hijack: a kids’ book scare with boardroom lessons

UK schools and libraries were told to pull Andrew Cope’s Spy Dog, Spy Pups and Spy Cat after a printed website in some editions began redirecting to explicit adult content. Puffin (Penguin Random House) paused sales and asked partners to remove stock while pursuing takedown and legal remedies.
What actually happened
Older print runs carried a companion URL that once hosted bonus character content. Control of that domain later passed to an unrelated third party, who repointed it to an adult site with no age checks: a classic expired-domain takeover. The risk came from the printed link itself, not from any compromise of Puffin’s systems. Several schools issued safeguarding alerts to parents.
Regulators moved too: Nominet (the UK registry) suspended the website for breaching terms, noting the lack of suitable age verification under the Online Safety Act. That protects children immediately, but millions of books still contain the same printed URL.
Technical notes
- Attack vector: expired/abandoned domain takeover. Control of the destination changed; the ink on paper did not.
- Observed payload: explicit pages (including content themed around children’s characters), accessible without age verification.
- Response: pause sales and distribution; coordinate removals with schools/libraries; pursue takedown/legal steps; domain suspended by registry.
Why this matters beyond one series
Exactly the same failure mode exists anywhere your organisation publishes static links: thought-leadership PDFs, investor decks, brochures, conference slides, QR codes. Those assets outlive the domains they reference; if a domain expires or is sold, your materials can end up endorsing scams, malware or adult content, under your logo. The UK NCSC’s guidance is clear: treat domains as critical assets and manage their lifecycle (ownership, renewal, registrar security) to reduce hijack risk.
What Puffin did right—and the data-protection parallel
Two commendable steps: (1) rapid withdrawal from sale and circulation; (2) raising awareness via the media when there’s no practical way to contact every reader directly. If this had been a personal data breach, GDPR Article 34 expects affected people to be notified “without undue delay”; where direct contact is impossible or disproportionate, public communication is expressly allowed, which is especially relevant where children face heightened risk.
Practical takeaways
- Own the redirect. Print short links on a domain you control (e.g., yourdomain.com/series/spydog) so you can repoint them indefinitely. Avoid third-party or personal author domains.
- Don’t let domains die. Track renewals, enable registry/transfer locks and strong MFA with your registrar, document ownership and renewal responsibilities.
- Plan a safe sunset. If a link must retire, redirect it to an evergreen “Official links” page, not a 404.
- Audit your back catalogue. Keep a register of URLs/QRs in all public assets; crawl for link drift and fix or retire at least annually.
- Schools & libraries: quarantine copies with printed URLs/QRs you don’t control; share concise parent advisories that avoid reproducing the harmful link.
- Comms ready. Pre-draft public notices for high-risk incidents where direct outreach isn’t feasible, mirroring GDPR Article 34’s public-communication concept.
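The “audit your back catalogue” and “don’t let domains die” steps above can be turned into a small recurring check. The script below is an added example, not code from the post or from Puffin; it assumes you keep a register of each printed URL, the hosts you control that it may land on, and the domain’s registrar renewal date, and it flags link drift (final host outside your control), unreachable links and approaching or passed renewals. The domains, dates and redirect outcomes in the sample are constructed.

```python
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlparse
from urllib.request import Request, urlopen

@dataclass
class Entry:
    printed_url: str          # exactly what appears on the page / in the QR code
    allowed_hosts: set        # hosts we control that this link may land on
    renews_on: date           # registrar renewal date for the printed domain

def host_of(url: str) -> str:
    # Normalise a URL to its bare host: lower-case, leading "www." dropped.
    return (urlparse(url).hostname or "").lower().removeprefix("www.")

def resolve_live(url: str, timeout: float = 10.0) -> str:
    """Follow redirects with a real HTTP request and return the final URL."""
    req = Request(url, method="HEAD", headers={"User-Agent": "link-audit/1.0"})
    with urlopen(req, timeout=timeout) as resp:  # raises on 4xx/5xx
        return resp.geturl()

def audit(register, resolve, today: date, warn_days: int = 60) -> dict:
    """Map each printed URL to a list of findings; an empty list is healthy."""
    findings = {}
    for e in register:
        issues = []
        try:
            final = resolve(e.printed_url)
            if host_of(final) not in e.allowed_hosts:
                issues.append(f"DRIFT: now lands on {host_of(final)}")
        except Exception as exc:  # dead host, TLS error, 404 ...
            issues.append(f"UNREACHABLE: {exc}")
        days_left = (e.renews_on - today).days
        if days_left < 0:
            issues.append("EXPIRED: renewal date has passed")
        elif days_left <= warn_days:
            issues.append(f"RENEW: {days_left} days to renewal")
        findings[e.printed_url] = issues
    return findings

# Constructed sample register and redirect outcomes (not real domains or data).
SAMPLE_REGISTER = [
    Entry("http://pub.test/series/spydog", {"pub.test"}, date(2026, 3, 1)),
    Entry("http://companion.test/bonus", {"companion.test"}, date(2025, 9, 1)),
]
SAMPLE_RESOLUTION = {
    "http://pub.test/series/spydog": "https://www.pub.test/books/spy-dog",
    "http://companion.test/bonus": "https://unrelated-party.test/landing",
}
def run_sample() -> dict:
    # Offline run over the constructed sample; pass resolve_live for real checks.
    return audit(SAMPLE_REGISTER, SAMPLE_RESOLUTION.__getitem__, date(2025, 10, 15))
```

Running it on a schedule and diffing the findings against the previous run gives you the “link drift” signal the audit step asks for, before a reader finds it first.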
Bottom line: print has a long shelf-life; domains don’t. Treat every printed/long-lived URL as living infrastructure with ownership, security and renewal baked in. Do that, and your bestseller, white paper or keynote deck won’t become someone else’s landing page.