What Is Phantom Squatting? The New Attack Vector AI Built for Attackers
Large language models have a well-known flaw: they make things up. Sometimes it’s a fake citation. Sometimes an invented fact. But sometimes — and this is where it gets dangerous — they invent a website domain that doesn’t exist yet, and an attacker beats you to registering it.

Palo Alto Networks’ Unit 42 research team calls this phantom squatting, and their findings should make anyone who uses AI tools stop and think. They asked two AI models 685,339 questions about 913 well-known brands across tech, finance, healthcare, government, and gambling. The models spat back 2.1 million links. Of those, roughly 250,000 pointed to domains that didn’t exist — ready for anyone to grab.
And attackers are already doing exactly that.
Why Phantom Squatting Works (And Why It’s So Hard to Fix)
The scary part isn’t just that AI models hallucinate fake domains. It’s that different models hallucinate the same fake domains for the same prompts. That consistency turns a random glitch into a predictable shopping list for attackers.
Here’s what makes this attack so effective:
Zero reputation. A freshly registered domain has no history. Blocklists and threat intelligence feeds are blind to it until it starts serving malware. By the time anyone flags it, victims have already been sent there by a tool they trust.
Built-in trust. No phishing email, no sketchy ad, no social engineering required. The AI hands the user the link itself. People click because they trust the assistant, not because they were tricked by a convincing email.
Structurally unpatchable. This is the big one. Unit 42 explicitly states that phantom squatting “exploits a structural property of LLM architectures that remains inherently unpatchable.” Turning down the model’s creativity reduces the volume of hallucinated domains but doesn’t eliminate them. The same output patterns exist across every temperature setting.
As one researcher put it: “Attacker and defender reached the same fake domain the same way, by asking an AI.”
Real Attacks Already in the Wild
This isn’t just a research paper. Unit 42 documented active campaigns.
Case 1: Postal Service Marketplace (23-Day Window)
On March 8, 2026, researchers predicted exactly which fake domain an AI model would hallucinate for a national postal service’s online marketplace. Twenty-three days later, on March 31, an attacker registered that exact domain and deployed the “Montana Empire” phishing kit — a real-time storefront clone that stole credit card numbers, bank transfer details, and national ID numbers.
Here’s the detail that sticks with me: forensic evidence showed the attacker built the entire phishing kit using an AI coding assistant. Same hallucination. Same domain. Same tool that generated the link was used to build the trap.
Case 2: Postal Service Android Malware (51-Day Lead)
Unit 42 flagged a hallucinated postal service domain and had 51 days of lead time before an attacker registered it. The attacker built a pixel-perfect brand clone with a fake 4.8-star rating and a claim of “over 2 million users,” then used it to distribute a malicious Android APK.
Other Confirmed Targets
- A major UAE bank — already being actively abused for nearly a year
- A European bank
- Multiple sports-betting sites targeting users in Bangladesh
The Bigger Picture: AI Output Is Becoming Input
Phantom squatting isn’t happening in isolation. It’s part of a broader trend where whatever a model generates is increasingly treated as ground truth — by developers, by automated agents, by security tools — and attackers are exploiting the gap.
Slopsquatting is the software package version of the same problem. Researchers have shown that AI coding tools routinely suggest package names that don’t exist. Attackers register those names on npm, PyPI, and other registries, then wait for developers to blindly install them. The PhantomRaven campaign used exactly this technique to hide malware in 126 npm packages with over 86,000 installs. If you’re managing dependencies, I wrote about how to audit npm dependencies for malware — and the advice applies double here because AI-generated package names are even harder to catch manually.
Brand impersonation phishing has become a paid service. Kits like Lucid and Lighthouse have helped spin up 17,500 fake domains targeting 316 brands across 74 countries. Phantom squatting gives these operations a new, more reliable supply of domain names that victims are predisposed to trust.
We’ve also seen directly how dangerous AI coding agent vulnerabilities can be. The DuneSlide vulnerabilities in Cursor showed that prompt injection could escape sandboxes and run arbitrary commands. Phantom squatting is the same story from a different angle: the infrastructure AI recommends is just as exploitable as the code it writes.
How to Protect Yourself
Unit 42 frames the challenge simply: “The real question is whether defenders or attackers reach these domains sooner.” The good news is that defenders have a window — often weeks — between the first hallucination and an attacker registering the domain.
Here are three rules I’m adopting, and I think you should too:
1. Verify every domain before trusting it. If an AI gives you a link, manually confirm it’s the real official domain before typing a password, entering payment details, or pasting it into a terminal. This takes two seconds and saves you from the one click that matters.
2. Restrict what your AI agents can do with generated links. If you’re building automated workflows — and I know many of you are — don’t let agents automatically open, download, or execute anything from a model-generated URL without a verification step. The article on reviewing AI-generated code like a senior engineer makes the same point about code, and it applies just as much to links.
3. Treat everything a model writes as an unverified draft. I know this sounds obvious, but the cognitive ease of using AI assistants makes us drop our guard. Every link, every package name, every API endpoint a model suggests needs to be verified by a human before it enters production.
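One way to enforce rule 2 in an agent pipeline, as an added example that is not from Unit 42 or any tool named here: every URL in model output is checked against an allowlist of domains you verified out of band, and anything else is held for human review. The names `OFFICIAL`, `gate` and the `.test` domains are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: domains confirmed as official out of band (constructed values).
OFFICIAL = {"example-post.test", "example-bank.test"}

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)

def host_of(url):
    """Return the lowercased host a client would actually contact."""
    try:
        host = urlsplit(url).hostname or ""   # drops userinfo and port
    except ValueError:                        # malformed netloc: treat as unknown
        return ""
    return host.rstrip(".")

def is_official(host, official=OFFICIAL):
    """True only for an allowlisted domain or a subdomain on a label boundary."""
    return any(host == d or host.endswith("." + d) for d in official)

def gate(model_output, official=OFFICIAL):
    """Sort every URL in the model output into 'allowed' or 'held' for review."""
    result = {"allowed": [], "held": []}
    for url in URL_RE.findall(model_output):
        url = url.rstrip(".,;:!?")            # sentence punctuation, not URL
        key = "allowed" if is_official(host_of(url), official) else "held"
        result[key].append(url)
    return result

# Constructed sample of assistant output, including two lookalike forms.
SAMPLE = (
    "Track parcels at https://shop.example-post.test/track or the new "
    "marketplace https://example-post-market.test/login. Some users go via "
    "https://example-post.test@pay-example.test/ or "
    "http://example-post.test.secure-login.test/."
)

if __name__ == "__main__":
    for verdict, urls in gate(SAMPLE).items():
        for u in urls:
            print(verdict, u)
```

The agent only fetches what lands in `allowed`; a hallucinated domain fails closed because it was never on the list, regardless of whether anyone has registered it yet.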
For security teams, the defensive playbook is straightforward: map the fake domains your specific AI tools hallucinate for your own brands, monitor for registration, and block them preemptively. You have a warning window. Use it.
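A minimal version of the monitoring step in that playbook, as an added example that is not Unit 42's tooling: it takes the hallucinated domains you have already collected for your own brand, blocks all of them preemptively, and alerts the first time one starts resolving. The function names, the `.test` domains and the hosts-file output format are assumptions; DNS resolution is only a rough registration signal, so pair it with RDAP or a newly-registered-domain feed.

```python
import socket

def resolves(domain):
    """True if the name has an address record (a registered domain may still
    have none, so this is a lower bound on 'someone owns it')."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False

def sweep(watchlist, seen_live, resolver=resolves):
    """Return (newly_live, still_dark) for the watched domains.
    seen_live is the set of domains already alerted on; it is updated in place
    so each domain raises one alert, on the sweep where it first resolves."""
    names = {x.strip().lower().rstrip(".") for x in watchlist}
    newly_live, still_dark = [], []
    for d in sorted(n for n in names if n):
        if d in seen_live:
            continue
        if resolver(d):
            newly_live.append(d)
            seen_live.add(d)
        else:
            still_dark.append(d)
    return newly_live, still_dark

def blocklist_lines(domains):
    """Hosts-file style sinkhole entries for preemptive blocking."""
    return [f"0.0.0.0 {d}" for d in domains]

if __name__ == "__main__":
    # Constructed watchlist and a stub resolver so the demo runs offline.
    watch = ["example-post-market.test", "example-post-pay.test"]
    live_now = {"example-post-market.test"}
    alerts, dark = sweep(watch, set(), resolver=lambda d: d in live_now)
    print("ALERT, now resolving:", alerts)
    print("\n".join(blocklist_lines(alerts + dark)))
```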
The Bottom Line
Phantom squatting isn’t a vulnerability you can patch. It’s a structural property of how language models work — they will always invent things that don’t exist, and attackers will always try to get there first.
The supply chain implications run deep too. The Klue supply chain disaster showed us what happens when we trust security tools without verifying them. Phantom squatting extends that same lesson to AI tools.
What changes isn’t the technology. It’s our relationship with it. We need to stop treating AI output as authoritative and start treating it as what it actually is: a fast, confident first draft that still needs a human to check the details. The attackers already figured this out. Time for the rest of us to catch up.