
Hoplon InfoSec
01 Jul, 2026
A user asks an AI assistant for a company's login page. The assistant answers with total confidence and hands over a link. The link looks right. It is not right. It was never real to begin with, the AI simply made it up, and somewhere out there, someone already bought that exact address and built a fake storefront waiting for the click.
That is phantom squatting, and it is not a theory anymore.
| What you need to know | Details |
|---|---|
| What it is | Attackers register AI hallucinated domains before real owners can, then use them for phishing |
| Who discovered it | Palo Alto Networks' Unit 42 threat research team |
| Scale of the research | 685,339 queries across 913 global brands, 2 LLM models, 2.1 million URLs generated |
| Confirmed damage | 13,229 URLs already flagged as malicious, roughly 250,000 hallucinated domains still unclaimed |
| Core risk | Zero reputation history means blocklists and filters cannot catch these domains in time |
| Who is affected | Everyday users, developers, and autonomous AI agents that trust AI generated links |
This article walks through exactly how phantom squatting works, the real cases Unit 42 uncovered, how it compares to slopsquatting, and what organizations can actually do about it.
Phantom squatting is a phishing technique where attackers register domain names that AI models hallucinate, meaning web addresses that sound completely real but were never assigned to anyone. Once a real user or an AI agent gets pointed toward that made up address, whoever bought it first inherits all the trust the AI just handed out.
It is different from a traditional phishing attack in one important way. There is no phishing email to spot, no suspicious ad, no obvious red flag. The AI itself becomes the delivery mechanism. People and increasingly AI agents treat the links a model produces as fact, and that is exactly the gap phantom squatting exploits.
Every domain reputation system, whether it is a blocklist, a threat intelligence feed, or a browser's own safety score, needs time and observed bad behavior before it flags a site as dangerous. A brand new domain simply has not misbehaved yet, so it has nothing on record.
A phantom domain exploits this gap perfectly. The moment an attacker registers a hallucinated address and stands up a clone site, that domain is born clean. It has no history, no flags, and no reason for a filter to block it. By the time threat intelligence systems catch up, victims have already been sent there by a tool they trusted completely.
One detail from Unit 42's research stands out. Both AI models tested were released before the real malicious phantom sites even existed. That rules out the possibility that the models somehow learned these fake addresses from their training data. The domains are being generated fresh, out of the model's own language patterns, every single time someone asks the right question.
If phantom squatting only produced random noise, it would be far less dangerous. It does not. Different AI models frequently invent the exact same fake domain when asked the same question about the same brand. That consistency is what makes an attacker's next target easy to guess.
Turning up a model's creativity or temperature setting does not fix the problem either. It actually produces more hallucinated domains, not fewer. Unit 42's own researchers described this as a structural property of how large language models are built, one that current architecture cannot simply patch away.
Unit 42 mapped this attack as a four phase cycle, and understanding each phase is the key to defending against it.
| Metric | Figure |
|---|---|
| Brands analyzed | 913, across technology, finance, healthcare, government, gambling, and other sectors |
| Total queries run | 685,339 |
| AI models tested | 2 distinct models, across multiple configurations and temperature settings |
| URLs generated | 2.1 million |
| Confirmed malicious URLs | 13,229 |
| Unregistered hallucinated domains found | approximately 250,000 |
That last number deserves attention. A quarter of a million domains that AI models are actively suggesting to real users sit completely unclaimed right now. Each one is a ready made target sitting in plain sight, waiting for whichever attacker decides to register it first.
On March 8, 2026, Unit 42's monitoring system predicted that AI models would consistently hallucinate a domain resembling a national postal service's online marketplace. Both tested models produced the exact same domain at every single temperature setting, a strong signal that the models genuinely treated the fake address as fact.
Twenty three days later, on March 31, an attacker registered that exact domain. Within days, a full phishing kit went live, built and branded under the name Montana Empire. It cloned the real postal marketplace in real time and harvested card numbers, bank transfer details, and national ID information from victims.
The operation even included a Telegram bot that let the attacker manually approve stolen one time passcodes as victims entered them, turning theft into a live, interactive process. Leftover project files and session logs later revealed that the attacker had built the entire phishing kit using an AI coding assistant, closing a strange loop where AI both created the opportunity and helped build the weapon that exploited it.
In a second case, Unit 42 flagged a hallucinated postal service domain a full 51 days before an attacker registered it, the longest lead time recorded in the research. The attacker wrapped the domain in a pixel perfect clone of the real brand, added a fabricated 4.8 star rating, and claimed over two million users to make it look established. The fake site was then used to push a malicious Android application to unsuspecting users.
Unit 42's monitoring also caught phantom domains built around a major UAE bank the attacker had already been abusing for close to a year, a European bank, and sports betting platforms specifically aimed at users in Bangladesh, showing this is not a threat limited to one region or one industry.
Attackers now have three related ways to exploit trust in digital naming, and understanding the differences matters for defense.
| Attack type | How it works | Real world scale |
|---|---|---|
| Typosquatting | Registers slightly misspelled versions of a real domain, relying on human typing mistakes | Decades old, still active |
| Slopsquatting | AI coding tools hallucinate fake software package names that attackers pre register on public code repositories | Roughly 19.7 percent of AI recommended packages in tested samples were entirely fabricated, around 205,000 unique hallucinated package names found across 16 models studied |
| Phantom squatting | Extends the same hallucination logic from code packages to live web domains, aimed at brand impersonation and phishing rather than dependencies | 250,000 unregistered hallucinated domains found across 913 brands in Unit 42's research |
The slopsquatting numbers help explain why phantom squatting is not a one off fluke. When researchers ran the same prompt ten times against coding models, 43 percent of hallucinated package names showed up every single time, and 58 percent reappeared more than once. That is not random error, it is a repeatable pattern that attackers can plan around. The PhantomRaven campaign turned exactly this weakness into a working attack, hiding malware inside 126 npm packages that together pulled in more than 86,000 installs before detection.
Developers, security teams, and increasingly autonomous AI agents are acting on AI generated links and package names before anyone manually verifies them. An AI agent built to fetch URLs and gather context on its own has no built in instinct to hesitate the way a person naturally would when a link looks slightly off.
This risk is also landing in an already industrialized phishing economy. Criminal kits like Lucid and Lighthouse are sold as a service and have already stood up roughly 17,500 fake domains targeting 316 brands across 74 countries. Phantom squatting gives that existing criminal infrastructure a brand new, largely unguarded entry point.
Related reading from Hoplon InfoSec: this fits into a broader pattern of AI systems reshaping the threat landscape, similar to what was seen with Apple's AI discovered WebKit vulnerabilities, OpenAI's GPT-5.5-Cyber vulnerability discovery model, and the Gaslight macOS malware built specifically to trick AI systems.
What is phantom squatting? Phantom squatting is a phishing technique where attackers register domain names that AI models hallucinate for real brands, then build phishing pages on them to catch traffic sent their way by AI tools.
Who discovered phantom squatting? Palo Alto Networks' Unit 42 threat research team identified and named the technique after analyzing 913 global brands and 2.1 million AI generated URLs.
How is phantom squatting different from slopsquatting? Slopsquatting targets hallucinated software package names used by AI coding tools. Phantom squatting applies the same idea to live web domains, aimed at phishing and brand impersonation rather than code dependencies.
Can popular AI assistants really generate malicious or fake links? Yes. Unit 42's research found that both models tested consistently generated fake domains, and thousands of the resulting links already pointed to confirmed malicious sites.
How long do defenders typically have before an attacker registers a hallucinated domain? Unit 42 recorded lead times between 18 and 51 days from the moment a domain was flagged as a hallucination risk to the moment it was actually registered by an attacker.
What is the single most effective defense against phantom squatting? Proactively mapping your brand's own hallucination surface and monitoring for registration of those specific domains, combined with restricting AI agents from acting on unverified links.
Unit 42, Palo Alto Networks, Phantom Squatting: AI Hallucinated Domains as a Software Supply Chain Vector,
Was this article helpful?
React to this post and see the live totals.
Share this :