“The models produced 2.1 million links.” That single tally—drawn from a systematic exercise by Palo Alto Networks' Unit 42—frames a new, fast-moving risk: attackers are registering web addresses that large language models freely invent, then using those freshly minted domains to host phishing sites and malware before defenders have time to react.
How phantom squatting works
Phantom squatting exploits a simple gap in the internet’s trust plumbing. When a language model invents a domain that does not exist, developers and AI assistants increasingly treat the link as if it were real. A freshly registered domain has no reputation history—no blocklist entries, no threat-feed tags, no low reputation scores—so it can inherit whatever misplaced trust the model hands it. By the time automated defenses flag the site, the attacker may already have harvested credentials or distributed malware.
Unit 42 calls the attack “phantom squatting.” The researchers emphasize two aggravating facts: the domains were not copied from existing sites or training data—the models generated them from their internal language patterns—and different models often invent the same fake domain for the same prompt. Unit 42 notes the vector “exploits a structural property of LLM architectures that remains inherently unpatchable.”
Unit 42’s measurement and what it found
To quantify the exposure, Unit 42 asked two AI models 685,339 questions about 913 well-known brands spanning technology, finance, healthcare, government, gambling and other sectors. The models produced 2.1 million links. Threat intelligence already flagged 13,229 of those links as outright malicious—meaning the AI was outputting known-bad addresses—and roughly 250,000 of the invented domains had no owner yet, making them available to any attacker who moved quickly.
Unit 42 also reported that increasing a model’s “creativity” setting produced more invented domains rather than fewer. That outcome is dangerous on two counts: it raises the number of targets, and it makes attacker prediction simpler, because consistent model outputs mean the attacker’s target list is easy to generate.
Two documented attacks: March 2026 cases
Unit 42 traced two clear sequences where hallucinated domains became active malicious infrastructure. On March 8, 2026, researchers observed models generating a domain resembling a national postal service’s online marketplace at every temperature setting tested. Twenty-three days later, on March 31, an attacker had registered that precise domain and deployed a phishing kit called Montana Empire. The kit mirrored the real storefront in real time and collected payment card numbers, bank-transfer information, and national ID data. A Telegram bot allowed the operator to approve one-time passcodes manually; leftover project files and session logs showed the kit had been built with an AI coding assistant.
In another case Unit 42 flagged a hallucinated postal-service domain 51 days before an attacker registered it. The attacker created a pixel-perfect brand clone, added a fake 4.8-star rating and a claim of over two million users, and used the site to push a malicious Android application.
Unit 42 also detected other phantom domains impersonating a major UAE bank that had already been abused for nearly a year, a European bank, and sports-betting sites targeting users in Bangladesh.
Phantom squatting in the context of slopsquatting and PhantomRaven
Phantom squatting is the domain analogue of “slopsquatting,” where attackers register invented package names suggested by code-generating models. Slopsquatting is already a demonstrated attack surface: a USENIX study found models routinely suggest non-existent package names, and the PhantomRaven campaign abused that behavior by hiding malware in 126 npm packages with more than 86,000 installs.
The economics of brand abuse also matter. Commercial phishing kits such as Lucid and Lighthouse have been used to stand up large numbers of fake domains—Unit 42 cites figures of 17,500 fake domains impersonating 316 brands in 74 countries—showing that an ecosystem exists to convert an available domain into operational fraud at scale.
What this means for developers, defenders, and end users
- Developers and security teams: Because models hallucinate consistently, teams can proactively map the fake domains a model is likely to produce and monitor registrations; Unit 42 showed that such monitoring can provide weeks of warning. They should also prevent AI agents from autonomously opening or downloading from model-generated links without human review.
- Enterprises and procurement leaders: Vendor and brand impersonation can be automated at scale. Procurement and brand-protection programs should treat model-generated links as unverified drafts and build processes to confirm official domains before embedding them in scripts, documentation, or automation.
- End users: The simplest practical rule stands: do not trust a link just because an AI gave it. Confirm that a domain is the official address before entering credentials or pasting secrets into code.
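The first recommendation above can be sketched in code. This is an added example, not code from Unit 42 or the original article: it ranks unverified hostnames by how often they recur across model responses, marks whether each is registered yet, and gates which links an agent may follow. The brand domains, the responses and the `REGISTERED` set (a stand-in for a real registration lookup) are constructed, and all function names are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>)\]]+", re.I)

def host_of(url):
    """Hostname of a URL (userinfo, port and path dropped); None if unparseable."""
    try:
        host = urlsplit(url.strip()).hostname
    except ValueError:
        return None
    return host.rstrip(".").lower() if host else None

def is_official(host, official):
    """Exact match, or a subdomain on a dot boundary, of a verified domain."""
    return any(host == d or host.endswith("." + d) for d in official)

def build_watchlist(responses, official, registered, min_hits=2):
    """Unverified hosts repeated across responses, most frequent first."""
    hits = Counter()
    for text in responses:
        urls = (u.rstrip(".,;:!?") for u in URL_RE.findall(text))
        hits.update({h for h in map(host_of, urls) if h})  # count once per response
    rows = [(h, n, "registered" if h in registered else "unregistered")
            for h, n in hits.items()
            if n >= min_hits and not is_official(h, official)]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

def agent_may_follow(url, official):
    """Gate for an agent: only verified domains pass; the rest go to human review."""
    host = host_of(url)
    return host is not None and is_official(host, official)

# Constructed sample data using reserved .example names (not from the report).
OFFICIAL = {"post.example"}
REGISTERED = {"post.example", "post-marketplace.example"}  # assumed lookup result
RESPONSES = [
    "Track parcels at https://shop.post.example/track or buy at https://post-market.example/stamps.",
    "The official marketplace is https://post-market.example.",
    "Visit https://post-market.example/ (or https://www.post.example).",
    "Log in at https://post-marketplace.example/login",
    "Try http://post-marketplace.example today",
    "See https://mypost-deals.example",
]

if __name__ == "__main__":
    for row in build_watchlist(RESPONSES, OFFICIAL, REGISTERED):
        print(row)
```

An unverified host that already shows as registered is the entry to investigate first; one that is still unregistered is the entry to keep watching.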
The technical and operational contours are plain in Unit 42’s report: model output is becoming input, and whoever reaches a freshly registered domain first—defender or attacker—wins the short race. The only clear leverage defenders have, according to Unit 42’s findings, is speed and process: map predictable hallucinations, watch registrations, and force human verification before an agent follows a model-crafted link. The unanswered practical question is whether those safeguards will consistently beat a criminal market already prepared to convert invented domains into phishing storefronts and malware conduits.
https://thehackernews.com/2026/07/phantom-squatting-uses-ai-hallucinated.html




