In this project you’ll build a solar-powered oscillator circuit, using two NOT gates to generate a square wave. Then you’ll add two push button switches and a potentiometer to adjust the pitch.
These cases may or may not be phishing. When corporations are hacked for their user credentials, those databases sometimes end up in dark web markets. It would be easy to extract email addresses with .edu domains ... so if a student used their university address for some service and reused the password, there's your login.
Moral of the story: Encourage students to use a password manager and 2FA.
Academic librarians, who negotiate terms with publishers, are obsessed with privacy and academic freedom. Bless 'em. In theory, publishers don't know who's downloading what. The librarians I've talked to say they delete their logs daily, if not several times a day.
As for geographic location, academics tend to travel a lot. Last I heard (from reading the court docs in Elsevier's lawsuit against Sci-Hub), they stopped using proxy connections a few years ago. They just log in using stored credentials, grab an auth token that lasts X minutes/hours, and download articles from whatever IP is convenient.
The only data we have are the 2015-16 download logs posted by Elbakyan and a reporter for 'Science.' At the time they had 28 million+ downloads over 6 months. I truly hope no more logs are released (at least not with that level of detail).
Most items on Archive.org have torrent files, so there's some degree of (potential) decentralization. They run their own tracker, but in principle the torrents could live on via DHT. Most are poorly seeded, however.
They also have multiple backups in other locations.