
Your AI assistant just invented a website that doesn’t exist. Twenty-three days later, an attacker registered it and used it to steal credit card numbers. Welcome to phantom squatting — the newest and most unsettling attack vector in the AI security landscape.

Published this week by Palo Alto Networks’ Unit 42, research into phantom squatting reveals a structural flaw in how large language models interact with the web — and it should concern every development team shipping AI-powered features in 2026.

TL;DR

  • Phantom squatting exploits AI-hallucinated domains — URLs that LLMs invent but don’t exist — by registering them and weaponising them for phishing and malware delivery.
  • Unit 42 tested 913 global brands with 685,339 adversarial prompts and found ~250,000 unique phantom domains, with 13,229 confirmed malicious URLs already in the wild.
  • Unlike traditional typosquatting, phantom domains are linguistically plausible and harder for users to spot — 67.2% deliver malware, 16.2% serve phishing kits.
  • The same flaw powers “slopsquatting” in package managers, where hallucinated npm/PyPI package names get registered with malicious code.
  • Development teams must treat AI-generated URLs as untrusted input and implement verification before any user-facing output.

What Is Phantom Squatting?

Traditional typosquatting relies on users mistyping a URL — gooogle.com instead of google.com. Phantom squatting is fundamentally different. It exploits the fact that LLMs routinely hallucinate plausible-sounding domains for real brands. These aren’t random strings — they’re linguistically coherent URLs that look exactly like something a legitimate brand would own.

The attack chain is straightforward:

  1. Harvest — Attackers prompt LLMs to generate URLs for well-known brands and collect the hallucinated domains.
  2. Register — They register the available phantom domains, often for pennies.
  3. Weaponise — They deploy phishing kits, malware downloads, or credential-stealing pages on those domains.
  4. Wait — When an AI assistant later hallucinates the same domain and serves it to a user, the trap is set.

The crucial insight is that LLMs hallucinate consistently. The same prompts tend to produce the same phantom domains across sessions and users, making the attack surface predictable for adversaries.

The Numbers Are Staggering

Unit 42’s research wasn’t theoretical. They executed 685,339 adversarial prompts against 913 global brands and analysed 2.1 million generated URLs. Of those:

  • 809,455 URLs pointed to non-existent domains, collapsing to roughly 250,000 unique phantom domains
  • 13,229 URLs were confirmed malicious via threat intelligence and active crawling
  • 67.2% of confirmed threats delivered malware
  • 16.2% were phishing operations

That’s a quarter of a million phantom domains sitting there, waiting for an attacker to register them and a language model to recommend them.

The Montana Empire Case: A Real-World Attack

Unit 42 documented a particularly revealing case. An LLM hallucinated a domain for a legitimate marketplace on 8 March 2026. Twenty-three days later, on 31 March, an attacker registered that exact domain and deployed the Montana Empire phishing kit.

The kit scraped the real storefront in real time, creating a pixel-perfect clone. It stole card numbers, bank transfer details, and national ID data. The attacker even built a Telegram-based command-and-control interface for real-time credential exfiltration.

Here’s the kicker: analysis of the phishing kit’s project directory revealed the attacker used an AI coding assistant to build it. AI hallucinated the opportunity, and AI helped build the weapon. The ouroboros of AI-powered cybercrime.

Slopsquatting: The Package Manager Parallel

Phantom squatting is the domain-layer cousin of slopsquatting — the same attack applied to software package managers. A USENIX study confirmed that code-generating models routinely suggest package names that don’t exist. Attackers register those hallucinated names on npm, PyPI, and crates.io, then wait for AI assistants to recommend them to developers.

The PhantomRaven campaign turned this into industrial-scale malware distribution: 126 npm packages with over 86,000 installs, all using names that AI coding tools had hallucinated. For development teams, this means every npm install command suggested by an AI agent is a potential supply chain compromise if the package name was hallucinated.

Why This Matters for Development Teams

If your product surfaces AI-generated content to users — search results, recommendations, chatbot responses, documentation — you are potentially serving hallucinated URLs that lead to malicious infrastructure. This isn’t a hypothetical risk; it’s happening at scale right now.

The implications cut across several layers:

1. AI Output Validation

Every URL generated by an LLM must be treated as untrusted input. Before displaying any AI-generated link to a user, verify that the domain exists, resolves correctly, and isn’t flagged by threat intelligence feeds. This is table stakes for any production AI integration.

2. Supply Chain Hygiene

If your developers use AI coding assistants (and in 2026, they almost certainly do), audit every package suggestion before installation. Use lockfiles, pin versions, verify package provenance through Trusted Publishing, and consider running npm audit or equivalent before integrating any AI-suggested dependency.
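
One way to gate AI-suggested installs on the lockfile, as an added example that is not from Unit 42 or the original post. It assumes a package-lock.json in the v2/v3 layout; the function names and the package name example-hallucinated-pkg are constructed for illustration.

```python
import json
import shlex


def suggested_packages(command):
    """Extract package arguments from an `npm install` / `npm i` / `npm add` command."""
    args = shlex.split(command)
    if len(args) < 3 or args[0] != "npm" or args[1] not in ("install", "i", "add"):
        return []
    names = []
    for arg in args[2:]:
        if arg.startswith("-"):
            continue                      # option such as --save-dev
        at = arg.rfind("@")               # version spec: name@1.2.3, @scope/name@^1
        names.append(arg[:at] if at > 0 else arg)
    # Anything that is not a plain registry name (git URL, tarball, path, option
    # value) is kept as-is: it will not match the lockfile and so gets reviewed.
    return names


def locked_packages(lock_json):
    """Names already pinned in package-lock.json (keys look like node_modules/<name>)."""
    lock = json.loads(lock_json)
    return {key.rsplit("node_modules/", 1)[-1]
            for key in lock.get("packages", {}) if key}


def needs_review(command, lock_json):
    """Packages in an AI-suggested command that the project has never vetted."""
    known = locked_packages(lock_json)
    return [name for name in suggested_packages(command) if name not in known]


if __name__ == "__main__":
    # Constructed lockfile and command, for illustration only.
    lock = json.dumps({"packages": {
        "": {"name": "demo-app"},
        "node_modules/express": {"version": "4.19.2"},
        "node_modules/@types/node": {"version": "20.11.0"},
    }})
    cmd = "npm install --save express@4 @types/node example-hallucinated-pkg@latest"
    print(needs_review(cmd, lock))
```

A name returned by needs_review is not necessarily malicious; it is one the project has not yet pinned, so it goes through provenance checks before anyone runs the install.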

3. Brand Protection

If you operate a recognisable brand, proactively prompt LLMs with your brand name and catalogue the phantom domains they generate. Register the most plausible ones defensively, or at minimum monitor them for malicious registration. Unit 42’s research showed that security teams can often identify phantom domains weeks before attackers register them.

4. Content Security Policy

Implement strict Content Security Policy headers that limit which domains your application can load resources from. If your chatbot or AI feature is rendering links, ensure you have URL allowlisting in place rather than blindly passing through whatever the model generates.
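
The checks from sections 1 and 4 combined into one output filter, as an added example that is not code from the original post. The domains, the flagged set standing in for a threat intelligence lookup, and all function names are assumptions made for illustration.

```python
import re
import socket
from urllib.parse import urlsplit

# Constructed policy data for this example (assumptions, not from the article).
ALLOWED_DOMAINS = ("example-shop.com",)              # domains the product may link to
THREAT_INTEL_FLAGGED = {"example-shop-support.net"}  # stand-in for a feed lookup
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)

def dns_resolves(host):
    """Default existence check: does the name resolve at all?"""
    try:
        socket.getaddrinfo(host, 443)
        return True
    except (OSError, UnicodeError):
        return False

def classify_url(url, resolves=dns_resolves):
    """Return (verdict, reason) for one model-generated URL."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return "block", "unparseable"
    if parts.scheme.lower() != "https" or not host or parts.username is not None:
        return "block", "bad-scheme-or-userinfo"
    if host in THREAT_INTEL_FLAGGED:
        return "block", "flagged-by-threat-intel"
    # Match on a label boundary so notexample-shop.com does not pass.
    if not any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS):
        return "block", "not-allowlisted"
    if not resolves(host):
        return "block", "does-not-resolve"   # hallucinated subdomain of a real brand
    return "allow", "ok"

def sanitize_output(text, resolves=dns_resolves):
    """Replace every URL that fails the checks; return (text, decisions)."""
    decisions = []

    def _check(match):
        url = match.group(0).rstrip(".,;:!?")
        tail = match.group(0)[len(url):]      # keep sentence punctuation
        verdict, reason = classify_url(url, resolves)
        decisions.append((url, verdict, reason))
        return (url if verdict == "allow" else "[link removed]") + tail

    return URL_RE.sub(_check, text), decisions
```

The decisions list is worth logging: blocked hosts that recur across sessions are candidates for the phantom-domain catalogue.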

The Defence Advantage: Predictable Hallucinations

There’s a silver lining in the consistency of LLM hallucinations. Because models tend to hallucinate the same domains repeatedly, defenders can map the phantom domain landscape for their brand before attackers act. Unit 42 flagged one hallucinated postal-service domain a full 51 days before an attacker registered it.

This creates a genuine window for proactive defence — something rarely available in cybersecurity. Teams can:

  • Catalogue phantom domains by systematically prompting major LLMs with brand-related queries
  • Set up domain monitoring alerts for new registrations matching hallucinated patterns
  • Defensively register the highest-risk phantom domains
  • Feed phantom domain lists into threat intelligence platforms and web filters
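
A sketch of the catalogue-and-monitor loop from the list above, as an added example that is not Unit 42's tooling. It assumes you have already collected URLs from repeated LLM prompts and have a feed of newly registered domains; the is_registered callback, the function names and every domain shown are constructed for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit


def catalogue_phantoms(generated_urls, owned_domains, is_registered, min_hits=2):
    """Rank hosts the model keeps inventing that nobody has registered yet."""
    hits = Counter()
    for url in generated_urls:
        host = (urlsplit(url).hostname or "").lower()
        if host.startswith("www."):
            host = host[4:]
        # Skip the brand's own domains and their subdomains.
        if host and not any(host == d or host.endswith("." + d) for d in owned_domains):
            hits[host] += 1
    # Recurrence is the signal: a host hallucinated repeatedly is one an
    # assistant is likely to serve to users again.
    ranked = sorted(hits.items(), key=lambda item: (-item[1], item[0]))
    return [(h, n) for h, n in ranked if n >= min_hits and not is_registered(h)]


def match_new_registrations(watchlist, newly_registered):
    """Return registrations that cover a watchlisted host, in feed order."""
    hosts = [h for h, _ in watchlist]
    alerts = []
    for reg in (r.lower().rstrip(".") for r in newly_registered):
        if any(h == reg or h.endswith("." + reg) for h in hosts):
            alerts.append(reg)
    return alerts


if __name__ == "__main__":
    # Constructed sample of model output gathered over several prompt runs.
    urls = [
        "https://www.examplepost-tracking.com/t/1",
        "https://examplepost-tracking.com/track",
        "https://track.examplepost.com/",
        "https://examplepost-redelivery.com/pay",
        "https://examplepost-redelivery.com/fee",
        "https://examplepost-redelivery.com/",
        "https://examplepost-help.org/",
    ]
    watch = catalogue_phantoms(urls, {"examplepost.com"}, lambda h: False)
    print(watch)
    print(match_new_registrations(watch, ["unrelated.net", "examplepost-redelivery.com"]))
```

In production is_registered would be an RDAP, WHOIS or DNS lookup, and the watchlist is what gets fed to web filters and threat intelligence platforms.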

What This Means for Your AI Strategy

Phantom squatting isn’t a niche attack — it’s a natural consequence of deploying LLMs at scale without output verification. As AI becomes embedded in everything from customer support to developer tooling, the attack surface grows with every hallucinated URL that goes unchecked.

For businesses building AI-powered products, this is a design-time concern, not an afterthought. Your architecture needs to account for the fact that your AI will confidently recommend things that don’t exist — and that adversaries are watching for exactly that behaviour.

At REPTILEHAUS, we build AI integrations with security baked in from the architecture phase — output validation, supply chain controls, and threat-aware design patterns. If your team is shipping AI features and hasn’t considered how hallucinated outputs could be weaponised against your users, get in touch. This is a problem that gets harder to fix retroactively.
