Phantom squatting: registering the web domains that LLMs hallucinate
Palo Alto's Unit 42 named 'phantom squatting' in late June 2026: attackers register the non-existent domains that models reliably invent, inheriting the trust users place in AI-suggested links.
What is this?
Phantom squatting is a supply-chain attack vector that Palo Alto Networks’ Unit 42 named in research published at the end of June 2026 (June 30, reported widely on July 1). The idea is short: large language models routinely invent web addresses that do not exist — plausible-looking portals, API endpoints, or corporate service URLs for a real brand — and an attacker who registers one of those invented domains inherits all the trust a user or an agent places in an AI-suggested link. No phishing email and no malicious ad are required; the recommendation arrives through a system the victim already trusts.
To measure the scale, Unit 42 asked two different LLMs 685,339 questions about 913 global brands across technology, finance, healthcare, government, and other sectors. The models produced roughly 2.1 million links. About 250,000 of those pointed to unregistered domains that anyone could claim, and more than 13,200 pointed to addresses that threat-intelligence feeds had already flagged as malicious.
How it works
The mechanism is a property of how the models generate text, not a bug in any one product. The invented domains were not memorized from training data — both models shipped before the real malicious sites existed — so the addresses come from the models’ own language patterns. Those patterns are consistent: different models frequently hallucinate the same fake domain for the same question, and turning up a model’s temperature produced more invented domains rather than fewer. Unit 42 describes the vector as exploiting “a structural property of LLM architectures that remains inherently unpatchable.”
What makes a claimed phantom domain hard to catch is its lack of history. Blocklists, reputation scores, and threat feeds generally need a site to misbehave for a while before they flag it. A freshly registered domain has no such record, so reputation-based filters have nothing to act on at the moment the trusted assistant is handing the link to the user or agent. It is the domain equivalent of slopsquatting — registering the fake package names AI coding tools invent — a pattern already turned into real malware, as in the PhantomRaven npm campaign.
Why it matters
Unit 42’s proactive monitoring caught attackers registering high-priority hallucinated domains 18 to 51 days after the researchers first identified them — a real window, but one that favors whoever moves first. In one documented case, a postal-service e-commerce domain was flagged as high-risk 23 days before an attacker registered it and stood up a phishing kit dubbed “Montana Empire” that cloned the real storefront and stole card numbers, bank-transfer details, and national ID data through a Telegram-based back end. Tellingly, leftover project files showed the operator had built the kit with an AI coding assistant — attacker and defender reached the same fake domain by asking an AI the same way. A second case gave defenders 51 days of lead time before the domain was wrapped in a pixel-perfect brand clone and used to push a malicious Android app.
The deeper concern is the shift from a person following bad advice to a system acting on it. As agents increasingly open links and fetch resources on their own, the point of failure moves from a human click to an autonomous action, and an agent has no instinct to hesitate the way a person might.
Defenses
- Never treat an AI-suggested URL as authoritative. Verify a domain against official documentation or an approved allowlist before you type a password into it or paste it into code. Treat model output as an unverified draft.
- Constrain agents from reaching arbitrary new domains. Prevent AI agents from automatically opening, downloading from, or connecting to model-generated links without an independent check, and limit the credentials and data those agents can touch.
- Monitor the domains your models predict. Because hallucinations are consistent, defenders can map which fake domains a model reliably produces for their brand and watch for registrations — often with weeks of warning — then pre-register or block the highest-risk names.
- Fold AI-generated identifiers into supply-chain review. Apply the same scrutiny to model-suggested endpoints and package names that you already apply to third-party dependencies.
Status
| Item | Value (Unit 42, June 30, 2026) |
|---|---|
| Brands analyzed | 913 |
| Prompts issued | 685,339 |
| Links generated | ~2.1 million |
| Unregistered hallucinated domains | ~250,000 |
| Already flagged malicious | >13,200 |
| Observed registration lead time | 18–51 days |
| Documented cases | ”Montana Empire” phishing kit; malicious Android app |
| Root cause | Structural LLM hallucination — no product patch |
Key dates: June 30, 2026 — Unit 42 publishes the phantom-squatting research. March 8, 2026 — a high-risk postal domain is predicted; March 31, 2026 — an attacker registers it for the “Montana Empire” kit.