The Attack Mechanism
Large language models sometimes generate fake website addresses that do not exist. Researchers at Palo Alto Networks Unit 42 have identified a new threat called phantom squatting, where attackers register these AI hallucinated domains before anyone else can. The domains then host phishing pages that catch traffic directed by AI tools, exploiting the misplaced trust users place in model generated links.
The technique works because freshly registered domains have no reputation history. Blocklists and threat feeds require time to flag malicious behavior, so these new domains bypass security filters. The fake addresses originate entirely from the model’s own language patterns, as they were not present in training data, making the issue a structural property of current AI architectures.
Observed Impact in the Wild
Unit 42 tested two AI models with over 685,000 questions about 913 well known brands across technology, finance, healthcare, and other sectors. The models generated 2.1 million links, with roughly 250,000 invented domains remaining unregistered and waiting to be claimed. Threat intelligence flagged 13,229 of the generated addresses as outright malicious.
Two real world cases demonstrate the threat. On March 8, 2026, AI models consistently hallucinated a domain resembling a national postal service online marketplace. An attacker registered that exact domain on March 31 and deployed a phishing kit named Montana Empire, which stole card numbers, bank transfer details, and national ID data. In a second case, Unit 42 flagged a hallucinated postal service domain 51 days before an attacker registered it and used it to push a malicious Android app.
Defensive Measures
Phantom squatting represents an evolution of the slopsquatting technique, where attackers register fake software package names that AI coding tools invent. A USENIX study found code generating models routinely suggest nonexistent package names, with the PhantomRaven campaign exploiting this through 126 malicious npm packages with over 86,000 installs.
Because models hallucinate consistently, security teams can predict which fake domains a model is likely to produce and monitor for registration attempts. For individual users, the practical steps include verifying that domains are official before entering credentials, preventing AI agents from automatically opening model generated links, and treating all model output as unverified drafts rather than authoritative sources.
Source: The Hacker News
