Hoplon InfoSec Logo

Phantom Squatting: AI Domains Fueling New Phishing

Phantom Squatting: AI Domains Fueling New Phishing

Hoplon InfoSec

01 Jul, 2026

Phantom Squatting: How AI Hallucinated Domains Are Fueling a New Wave of Phishing

A user asks an AI assistant for a company's login page. The assistant answers with total confidence and hands over a link. The link looks right. It is not right. It was never real to begin with, the AI simply made it up, and somewhere out there, someone already bought that exact address and built a fake storefront waiting for the click.

That is phantom squatting, and it is not a theory anymore.

Content Summary

What you need to knowDetails
What it isAttackers register AI hallucinated domains before real owners can, then use them for phishing
Who discovered itPalo Alto Networks' Unit 42 threat research team
Scale of the research685,339 queries across 913 global brands, 2 LLM models, 2.1 million URLs generated
Confirmed damage13,229 URLs already flagged as malicious, roughly 250,000 hallucinated domains still unclaimed
Core riskZero reputation history means blocklists and filters cannot catch these domains in time
Who is affectedEveryday users, developers, and autonomous AI agents that trust AI generated links

This article walks through exactly how phantom squatting works, the real cases Unit 42 uncovered, how it compares to slopsquatting, and what organizations can actually do about it.

What is Phantom Squatting

Phantom squatting is a phishing technique where attackers register domain names that AI models hallucinate, meaning web addresses that sound completely real but were never assigned to anyone. Once a real user or an AI agent gets pointed toward that made up address, whoever bought it first inherits all the trust the AI just handed out.

It is different from a traditional phishing attack in one important way. There is no phishing email to spot, no suspicious ad, no obvious red flag. The AI itself becomes the delivery mechanism. People and increasingly AI agents treat the links a model produces as fact, and that is exactly the gap phantom squatting exploits.

How Phantom Squatting Actually Works

The Zero Reputation Bypass Explained

Every domain reputation system, whether it is a blocklist, a threat intelligence feed, or a browser's own safety score, needs time and observed bad behavior before it flags a site as dangerous. A brand new domain simply has not misbehaved yet, so it has nothing on record.

A phantom domain exploits this gap perfectly. The moment an attacker registers a hallucinated address and stands up a clone site, that domain is born clean. It has no history, no flags, and no reason for a filter to block it. By the time threat intelligence systems catch up, victims have already been sent there by a tool they trusted completely.

Why the Fake Domains Are Generated, Not Memorized

One detail from Unit 42's research stands out. Both AI models tested were released before the real malicious phantom sites even existed. That rules out the possibility that the models somehow learned these fake addresses from their training data. The domains are being generated fresh, out of the model's own language patterns, every single time someone asks the right question.

Why the Hallucinations Are Predictable

If phantom squatting only produced random noise, it would be far less dangerous. It does not. Different AI models frequently invent the exact same fake domain when asked the same question about the same brand. That consistency is what makes an attacker's next target easy to guess.

Turning up a model's creativity or temperature setting does not fix the problem either. It actually produces more hallucinated domains, not fewer. Unit 42's own researchers described this as a structural property of how large language models are built, one that current architecture cannot simply patch away.

How phantom squatting works step by ste



The Phantom Squatting Attack Lifecycle

Unit 42 mapped this attack as a four phase cycle, and understanding each phase is the key to defending against it.

  1. Adversarial hallucination probing: the attacker systematically queries AI models with realistic, everyday prompts about a target brand, watching closely for which fake domains keep coming up.
  2. Hallucination surface mapping: the attacker compiles the domains that repeat across many prompt variations and models, building a shortlist of the most likely candidates.
  3. Preemptive registration and weaponization: the attacker buys the domain before the real brand or anyone else can, then builds a convincing clone of the legitimate site.
  4. Exploitation: real users following an AI recommendation, or autonomous AI agents fetching a link without a human in the loop, land on the fake page and hand over credentials, payment details, or get pushed toward malware.

Inside the Research: How Unit 42 Measured the Problem

MetricFigure
Brands analyzed913, across technology, finance, healthcare, government, gambling, and other sectors
Total queries run685,339
AI models tested2 distinct models, across multiple configurations and temperature settings
URLs generated2.1 million
Confirmed malicious URLs13,229
Unregistered hallucinated domains foundapproximately 250,000

That last number deserves attention. A quarter of a million domains that AI models are actively suggesting to real users sit completely unclaimed right now. Each one is a ready made target sitting in plain sight, waiting for whichever attacker decides to register it first.

Real World Case Studies

Case One: The Montana Empire Kit

On March 8, 2026, Unit 42's monitoring system predicted that AI models would consistently hallucinate a domain resembling a national postal service's online marketplace. Both tested models produced the exact same domain at every single temperature setting, a strong signal that the models genuinely treated the fake address as fact.

Twenty three days later, on March 31, an attacker registered that exact domain. Within days, a full phishing kit went live, built and branded under the name Montana Empire. It cloned the real postal marketplace in real time and harvested card numbers, bank transfer details, and national ID information from victims.

The operation even included a Telegram bot that let the attacker manually approve stolen one time passcodes as victims entered them, turning theft into a live, interactive process. Leftover project files and session logs later revealed that the attacker had built the entire phishing kit using an AI coding assistant, closing a strange loop where AI both created the opportunity and helped build the weapon that exploited it.

Case Two: The Postal Service Android App Clone

In a second case, Unit 42 flagged a hallucinated postal service domain a full 51 days before an attacker registered it, the longest lead time recorded in the research. The attacker wrapped the domain in a pixel perfect clone of the real brand, added a fabricated 4.8 star rating, and claimed over two million users to make it look established. The fake site was then used to push a malicious Android application to unsuspecting users.

Other Detected Targets

Unit 42's monitoring also caught phantom domains built around a major UAE bank the attacker had already been abusing for close to a year, a European bank, and sports betting platforms specifically aimed at users in Bangladesh, showing this is not a threat limited to one region or one industry.

Phantom Squatting vs Slopsquatting vs Typosquatting

Attackers now have three related ways to exploit trust in digital naming, and understanding the differences matters for defense.

Attack typeHow it worksReal world scale
TyposquattingRegisters slightly misspelled versions of a real domain, relying on human typing mistakesDecades old, still active
SlopsquattingAI coding tools hallucinate fake software package names that attackers pre register on public code repositoriesRoughly 19.7 percent of AI recommended packages in tested samples were entirely fabricated, around 205,000 unique hallucinated package names found across 16 models studied
Phantom squattingExtends the same hallucination logic from code packages to live web domains, aimed at brand impersonation and phishing rather than dependencies250,000 unregistered hallucinated domains found across 913 brands in Unit 42's research

The slopsquatting numbers help explain why phantom squatting is not a one off fluke. When researchers ran the same prompt ten times against coding models, 43 percent of hallucinated package names showed up every single time, and 58 percent reappeared more than once. That is not random error, it is a repeatable pattern that attackers can plan around. The PhantomRaven campaign turned exactly this weakness into a working attack, hiding malware inside 126 npm packages that together pulled in more than 86,000 installs before detection.

Why This Matters Now: Model Output is Becoming Input

Developers, security teams, and increasingly autonomous AI agents are acting on AI generated links and package names before anyone manually verifies them. An AI agent built to fetch URLs and gather context on its own has no built in instinct to hesitate the way a person naturally would when a link looks slightly off.

This risk is also landing in an already industrialized phishing economy. Criminal kits like Lucid and Lighthouse are sold as a service and have already stood up roughly 17,500 fake domains targeting 316 brands across 74 countries. Phantom squatting gives that existing criminal infrastructure a brand new, largely unguarded entry point.

How Organizations Can Defend Against Phantom Squatting

  • Map your own brand's hallucination surface by systematically querying major AI models the same way an attacker would, so you know which fake domains are already circulating.
  • Monitor domain registration activity against that mapped list. Unit 42's research showed lead times of 18 to 51 days are realistic, which is enough time to act if you are watching.
  • Deploy attack surface management and online threat exposure monitoring rather than relying only on historical domain reputation data.
  • Restrict AI agents from automatically opening, downloading from, or executing model generated links without a verification step, an approach best supported through strong endpoint security and extended detection and response controls.
  • Strengthen email security and anti phishing defenses so that even if a phantom domain slips through, the delivery path gets caught.
  • Add dark web monitoring and brand intelligence to your program so newly registered lookalike domains and leaked brand assets get flagged early.
  • Train employees and everyday users to confirm official domains independently, never trusting a link purely because an AI produced it.
  • Treat every AI generated link, package name, or citation as an unverified draft, never as an authoritative source.
  • Run a formal AI security assessment to evaluate exposure across both coding assistants and conversational AI tools used inside your organization, paired with cyber threat intelligence to track how attackers are targeting your sector specifically.
  • If a fake domain impersonating your brand is already live, move fast into takedown and disruption rather than waiting for it to be reported by a victim.

Related reading from Hoplon InfoSec: this fits into a broader pattern of AI systems reshaping the threat landscape, similar to what was seen with Apple's AI discovered WebKit vulnerabilities, OpenAI's GPT-5.5-Cyber vulnerability discovery model, and the Gaslight macOS malware built specifically to trick AI systems.

How Organizations Can Defend Against Phantom Squatting



Frequently Asked Questions

What is phantom squatting? Phantom squatting is a phishing technique where attackers register domain names that AI models hallucinate for real brands, then build phishing pages on them to catch traffic sent their way by AI tools.

Who discovered phantom squatting? Palo Alto Networks' Unit 42 threat research team identified and named the technique after analyzing 913 global brands and 2.1 million AI generated URLs.

How is phantom squatting different from slopsquatting? Slopsquatting targets hallucinated software package names used by AI coding tools. Phantom squatting applies the same idea to live web domains, aimed at phishing and brand impersonation rather than code dependencies.

Can popular AI assistants really generate malicious or fake links? Yes. Unit 42's research found that both models tested consistently generated fake domains, and thousands of the resulting links already pointed to confirmed malicious sites.

How long do defenders typically have before an attacker registers a hallucinated domain? Unit 42 recorded lead times between 18 and 51 days from the moment a domain was flagged as a hallucination risk to the moment it was actually registered by an attacker.

What is the single most effective defense against phantom squatting? Proactively mapping your brand's own hallucination surface and monitoring for registration of those specific domains, combined with restricting AI agents from acting on unverified links.

Official References

Unit 42, Palo Alto Networks, Phantom Squatting: AI Hallucinated Domains as a Software Supply Chain Vector,


Was this article helpful?

React to this post and see the live totals.

Share this :

Latest News