One other point I missed that we have to often deal with : when phished accounts are used to mass-download PDFs, many publisher sites auto-block the IP of the requester, which in this case is the University's Ezproxy server. This then means no user at the university can access the resource till the block is lifted (or they could just use Scihub in the meantime :~D ).
Interesting link thanks! I guess the pertinent part is :
I did not tell Science how credentials were donated: either voluntarily or not. I only told that I cannot disclose the source of the credentials. I assume that some credentials coming to Sci-Hub could have been obtained by phishing.
Here's what I think possibily happens : credentials are phished, with Scihub as one of the main "customers", alongside other groups or they are put into the (semi)public domain. They are then used for other nefarious purposes by non-scihub third parties (more phishing, network access etc).
Would university accounts still be phished without Scihub? Absolutely! Would the volume be so high? I'm not so sure. Plus it still causes headaches for fellow university users of the phished account if the proxy gets blocked... especially as publisher customer services are utterly terrible and institutions could be weeks without proxy access to one of the "biggie" publishers!