Phantom Squatting: Attackers Weaponize AI Hallucinations for Phishing Campaigns
Large language models (LLMs) are inadvertently generating non-existent web domains, creating a new attack vector dubbed 'phantom squatting'. Threat actors are registering these AI-invented domains and hosting sophisticated phishing pages, leveraging the implicit trust users place in AI-generated links.
Large language models (LLMs) are inadvertently generating non-existent web domains, creating a new attack vector dubbed 'phantom squatting'. Threat actors are registering these AI-invented domains and hosting sophisticated phishing pages, leveraging the implicit trust users place in AI-generated links.

**Palo Alto Networks' Unit 42** recently unveiled this emerging threat, highlighting its potential to bypass traditional security measures and exploit user trust. The core issue lies in the growing reliance on AI-generated links by developers and AI assistants, which often treat these invented domains as legitimate.
### The Mechanics of Phantom Squatting
When an LLM hallucinates a domain that doesn't yet exist, the first party to register it inherits all the misplaced trust associated with that AI-generated reference. This bypasses the need for conventional phishing emails or malicious advertisements.
To quantify the problem, **Unit 42** queried two AI models with 685,339 questions concerning 913 prominent brands across various sectors. The models produced 2.1 million links, with 13,229 already identified as malicious. Critically, approximately 250,000 of the invented domains were unregistered, presenting prime targets for phantom squatters.
### Why This Matters for Security
A newly registered phantom domain lacks any historical reputation. This means it can easily evade blocklists, threat feeds, and reputation scores, which typically require a site to exhibit malicious behavior before being flagged. By the time these filters catch up, the victim may have already been directed to the fraudulent site by a trusted AI tool.
Compounding the issue, these fake domains are not derived from the models' training data; they originate from the LLMs' inherent language patterns. Furthermore, these patterns are remarkably consistent, with different models often inventing the same fake domain for identical queries. This predictability makes it easier for attackers to anticipate and register future targets. **Unit 42** researchers describe this as exploiting a "structural property of LLM architectures that remains inherently unpatchable."
### Real-World Incidents
**Unit 42** has documented active cases of phantom squatting:
* **Case 1:** On March 8, 2026, **Unit 42** predicted an AI-invented domain resembling a national postal service's online marketplace. Both models consistently generated this fake domain. Twenty-three days later, on March 31, an attacker registered the exact domain and launched a phishing kit named **Montana Empire**. This kit meticulously copied the real storefront, stealing card numbers, bank transfer details, and national ID data. Intriguingly, residual project files indicated the criminal had developed the kit using an AI coding assistant, illustrating a cycle where both attacker and defender arrived at the same fake domain via AI.

* **Case 2:** **Unit 42** identified another hallucinated postal-service domain 51 days before an attacker registered it. The attacker then created a pixel-perfect brand clone, complete with a fake 4.8-star rating and a claim of over two million users, to push a malicious Android app.
Other observed phantom domains impersonated a major UAE bank, a European bank, and sports-betting sites targeting users in Bangladesh.
### A New Twist on an Old Threat
Phantom squatting is analogous to **slopsquatting**, where attackers register fake software package names invented by AI coding tools. This is not theoretical; a significant **USENIX** study found that code-generating models frequently suggest non-existent package names. The **PhantomRaven** campaign leveraged this behavior, embedding malware in 126 **npm** packages, leading to over 86,000 installs.
This trend underscores a broader shift: AI model output is increasingly becoming unverified input for developers, agents, and security teams. This accelerates the timeline for defenders to react, especially in an environment where brand-impersonation phishing is a sophisticated, paid service, with kits like **Lucid** and **Lighthouse** creating thousands of fake domains globally.
### Defensive Strategies
Given the consistent nature of LLM hallucinations, security teams can proactively map potential fake domains generated by models and monitor their registration, often gaining weeks of advance warning. For all users, the following practical steps are crucial:
* **Verify Links:** Do not implicitly trust links provided by AI. Always confirm the domain is the legitimate, official one before entering credentials or integrating it into code.
* **Control AI Agents:** Prevent AI agents from automatically opening or downloading content from model-generated links without explicit human verification. Unlike humans, agents lack the instinct to hesitate.
* **Treat AI Output as Drafts:** Consider any information from an AI model as an unverified draft, not an authoritative source.
The race is on between defenders and attackers to secure or exploit these AI-hallucinated domains. Vigilance and proactive measures are paramount.