As many of you know, for years, Google would label hacked content in their search results with the this site may be hacked label. The solution is to patch up the hack and remove the hacked pages if they should not exist.
If you are going to remove the pages, make sure to serve up a 404 page not found status code in the header. Because if you server a status code that reads 200, everything is okay, but show a page that looks like a 404, Google might not remove the hacked label.
These are called soft 404 pages, they look like 404 pages, they server a 404 warning on the HTML part but in the header and server response code, they show a status code of 200, which means all is good.
John Mueller from Google explained this in a Google Webmaster Help thread:
One thing that’s a bit tricky here is that our automated systems can’t easily recognize that the hacked content has been removed. In particular the site returns 200 OK for URLs that no longer exist, so when we test URLs like https://goo.gl/hqYTR5 it look – to our algorithms – like the hacked content is potentially still live, because the server tells us that the URL is valid (even though it returns a visible error page, the result code is a 200 OK). Once our algorithms are able to determine that the content has been removed properly, they’ll drop this warning automatically.
Alternately, the webmaster could use the manual actions part in Search Console to submit a reconsideration request. This would be reviewed manually, and the chances are high that the reviewer will spot this inconsistency and remove the flag too.
It looks like since, the webmaster adjusted the code to be 404 from 200. So all should be good.
Keep in mind, Google is pretty good at detecting soft 404s but maybe with this, they want to be confident?
Forum discussion at Google Webmaster Help.