Cybersecurity researchers at Palo Alto Networks' Unit 42 have identified a novel threat called "phantom squatting," where attackers register non-existent web domains that large language models (LLMs) mistakenly generate. These malicious domains are then used to host phishing pages, exploiting the inherent trust users place in links provided by AI tools and bypassing traditional security measures designed to detect known threats. The research, published on July 1, 2026, reveals that hundreds of thousands of such domains are currently available for exploitation, posing a significant risk to the software supply chain.
AI-Generated Domains Fuel Next-Gen Phishing Attacks
A new cybersecurity threat, dubbed "phantom squatting," is leveraging the inherent tendency of artificial intelligence models to invent plausible-sounding but non-existent web addresses. Attackers are actively registering these AI-hallucinated domains, transforming them into sophisticated phishing platforms that exploit user trust in generative AI tools. This emerging vector presents a significant challenge to existing threat detection mechanisms, as these newly created domains often lack any prior malicious reputation.
Unit 42 Uncovers Widespread Vulnerability
The term "phantom squatting" was coined by Palo Alto Networks' Unit 42, whose recent research highlights the scale of this problem. Their investigation involved querying two distinct large language models (LLMs) with 685,339 questions related to 913 prominent brands across various sectors, including technology, finance, and healthcare. This extensive analysis generated 2.1 million unique links. Alarmingly, Unit 42 found that 13,229 of these links were already associated with known malicious activity. More critically, approximately 250,000 of the invented domains were unregistered, creating a vast pool of potential targets for malicious actors to claim.
The Mechanics of Misplaced Trust
The effectiveness of phantom squatting stems from a critical vulnerability: the trust placed in AI-generated information. Developers and users increasingly rely on AI assistants for information, including web links. When an LLM fabricates a domain that does not yet exist, the first party to register that domain inherits all of that misplaced trust. This allows attackers to establish credible-looking phishing sites without needing to send deceptive emails or run malicious advertisements.
"Unit 42 researchers found that large language models (LLMs) consistently hallucinate web domains for legitimate brands. Adversaries are actively weaponizing this vector by registering these nonexistent domains to intercept traffic generated by AI systems." — Palo Alto Networks Unit 42 Report, July 1, 2026
Several factors exacerbate the threat posed by phantom squatting:
- Evasion of Reputation Systems: Newly registered domains typically have no established reputation. Traditional security tools like blocklists and threat intelligence feeds require time for a site to exhibit malicious behavior before flagging it. Phantom domains bypass these initial checks, appearing legitimate to security filters.
- Inherent LLM Behavior: The hallucinated domains are not derived from malicious entries in the LLMs' training data. Instead, they originate from the models' own linguistic patterns, making this a fundamental characteristic of how LLMs operate.
- Predictable Hallucinations: The patterns of domain hallucination are often consistent. Different LLMs can frequently invent the same fake domain for a given query, providing attackers with predictable targets to register. Unit 42 uses the terms "thermal hallucination persistence" and "cross-model hallucination consensus" for this consistency.
What This Means
The rise of phantom squatting signifies an evolution in cyberattack methodologies, shifting from traditional social engineering to exploiting the architectural nuances of generative AI. This development means that organizations must rethink their domain monitoring and threat intelligence strategies. Relying solely on reactive blocklists or reputation scores is no longer sufficient, as attackers can pre-emptively register domains that appear trustworthy due to AI endorsement. The proactive monitoring efforts by Unit 42, which predicted adversary domain registrations up to 51 days in advance, underscore the need for advanced predictive analytics in cybersecurity. This threat also highlights the broader implications of cybersquatting, where malicious actors register domains similar to legitimate brands for illicit gain.
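Because a freshly registered phantom domain has no reputation to check, one control that does not depend on blocklists is to vet every hostname in an LLM answer against domains the organization has already verified, before any link is rendered. The following is an added example, not code from Unit 42's report; the allowlist, sample text, function names and verdict labels are assumptions.

```python
import re
import socket
from urllib.parse import urlsplit

# Assumption: domains the organization has verified out of band (constructed values).
VERIFIED_DOMAINS = {"example.com", "example.org"}
# Constructed LLM answer mixing real-looking and invented links.
SAMPLE = ("Reset your password at https://login.example.org/reset. "
          "The developer portal is https://examplebank-dev.test/docs, "
          "or try https://example.com.portal-help.test/ and HTTPS://Example.COM/sso.")
URL_RE = re.compile(r"https?://[^\s<>\"'()\[\]]+", re.IGNORECASE)

def extract_hosts(text):
    """Hostnames of every http(s) URL in the text, lower-cased, in first-seen order."""
    hosts = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:!?")  # drop trailing sentence punctuation
        host = (urlsplit(url).hostname or "").rstrip(".")
        if host and host not in hosts:
            hosts.append(host)
    return hosts

def is_verified(host, verified=VERIFIED_DOMAINS):
    """Match whole DNS labels so 'example.com.evil.test' and 'notexample.com' fail."""
    return any(host == d or host.endswith("." + d) for d in verified)

def dns_resolves(host):
    """Live lookup; a failure is only a hint that the name is unregistered."""
    try:
        socket.getaddrinfo(host, 443)
        return True
    except (socket.gaierror, UnicodeError):
        return False

def vet_llm_links(text, resolves=dns_resolves):
    """Map each linked host to 'verified', 'unverified-live' or 'unverified-dead'."""
    verdicts = {}
    for host in extract_hosts(text):
        if is_verified(host):
            verdicts[host] = "verified"         # safe to render as a link
        elif resolves(host):
            verdicts[host] = "unverified-live"  # registered but unknown: hold for review
        else:
            verdicts[host] = "unverified-dead"  # likely hallucinated: strip and log
    return verdicts
```

Hosts that come back "unverified-dead" are worth logging for brand monitoring, but a failed lookup does not prove a name is unregistered; confirm with a registry (RDAP/WHOIS) query.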
Key Points
- Palo Alto Networks' Unit 42 identified "phantom squatting" on July 1, 2026, where attackers register AI-hallucinated domains for phishing.
- Their research found that two AI models generated 2.1 million links, with 13,229 already malicious and approximately 250,000 unregistered domains available for exploitation.
- Attackers exploit user trust in AI-generated links, bypassing traditional security measures that rely on established domain reputations.
- The hallucinated domains stem from LLMs' inherent language patterns, and these patterns are often consistent across different models.
- Unit 42 proactively detected adversary registrations of these domains with lead times of up to 51 days.
The Bottom Line
Phantom squatting represents a sophisticated new frontier in cybercrime, leveraging the very technology designed to assist users. Professionals and developers must exercise increased vigilance when interacting with AI-generated links, understanding that even a seemingly legitimate domain could be a trap. Organizations should implement advanced threat intelligence solutions capable of predicting and blocking these emergent phantom domains, moving beyond reactive defenses to safeguard their digital supply chains and user trust. This threat underscores the critical need for continuous adaptation in cybersecurity strategies.
