"Phantom squatting" uses AI-hallucinated domains for cyberattacks

If you still feel like there aren't enough AI-enabled attack vectors online, here's another: phantom squatting. It takes typosquatting to another level, giving cybercriminals yet another way to trick people into visiting malicious websites.

- Palo Alto Networks Unit 42 warns "phantom squatting" uses AI-hallucinated domains for cyberattacks and phishing.
- Researchers found 13,000 malicious URLs and about 250,000 unregistered AI-generated domains that attackers could exploit.
- Attackers can prompt AI models for fake official websites, then register those domains to trick users and steal data.
- Experts say AI hallucinations create a growing, hard-to-fix attack surface, raising supply chain and cybersecurity risks.

Cybersecurity firm Palo Alto Networks' Unit 42 researchers said they identified more than 13,000 confirmed malicious URLs, while roughly 250,000 hallucinated domains remain unregistered. According to the researchers, this presents "a significant opportunity for adversaries to exploit the software supply chain through preemptive registration."
This new attack vector works as follows: criminals probe AI models by asking questions such as "What's the official website for company X?" or where a particular file, application, or package can be downloaded. Sometimes, AI systems hallucinate even when responding to these seemingly simple questions.
What's more, Unit 42 found that models can repeatedly generate the same non-existent domains. Attackers can therefore collect these hallucinated domains, register the available ones, and proceed with a familiar cybercrime playbook: lure victims to fake websites and serve malware, distribute malicious packages, or steal credentials through phishing attacks.
Unit 42 coined the term "phantom squatting" alongside the already known concept of "slopsquatting," a software supply chain threat in which AI-assisted coding tools recommend hallucinated package names that criminals later weaponize.
The technique is also similar to the more familiar practice of typosquatting, where attackers register domains containing likely misspellings of legitimate websites.
As the researchers noted, phantom squatting exploits a structural property of large language models that is inherently difficult to eliminate.
"Models trained on human-authored corpora will naturally hallucinate plausible-sounding domains for brands, products, and services based on internal linguistic patterns," the researchers said.
They added that the phantom-squatting attack surface expands with every new LLM deployment, the growth of agentic AI capabilities, and the targeting of global brands through adversarial hallucination probing.
As a defensive measure, Unit 42 suggests that organizations proactively identify and register likely hallucinated domains before attackers do.
"By mapping what LLMs will hallucinate and monitoring registration event streams, organizations can respond before weaponization occurs," the researchers concluded.
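The defensive workflow described above, as an added example (not code from the article or from Unit 42): build a watchlist of domains that repeatedly appear in model answers about your own brand, then match it against a registration feed. The brand `examplecorp`, the sample answers and the registration events are constructed; hosts are compared as written, without reducing them to the registrable domain.

```python
import re
from collections import Counter

# Constructed sample: answers a defender collected by repeatedly asking models
# for the official site of their own (hypothetical) brand "examplecorp".
LLM_ANSWERS = [
    "The official site is https://www.examplecorp.com/downloads",
    "You can download it from examplecorp-downloads.com.",
    "Visit https://ExampleCorp-Downloads.com/setup for the installer.",
    "See get-examplecorp.io or examplecorp.com",
]
OWNED = {"examplecorp.com"}  # domains the organisation really controls

# Constructed registration events, shaped like a newly-registered-domain feed.
REGISTRATION_EVENTS = [
    {"domain": "unrelated-shop.net", "registered": "2025-01-02"},
    {"domain": "EXAMPLECORP-DOWNLOADS.COM.", "registered": "2025-01-03"},
]

HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def normalize(host):
    """Lowercase, drop the trailing root dot and a leading 'www.'."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

def is_owned(host, owned):
    return any(host == o or host.endswith("." + o) for o in owned)

def build_watchlist(answers, owned, min_hits=2):
    """Count in how many answers each non-owned host appears; keep repeats."""
    counts = Counter()
    for answer in answers:
        hosts = {normalize(h) for h in HOST_RE.findall(answer)}  # once per answer
        counts.update(h for h in hosts if not is_owned(h, owned))
    return {h: n for h, n in counts.items() if n >= min_hits}

def match_registrations(events, watchlist):
    """Return an alert for every registration event that hits the watchlist."""
    alerts = []
    for event in events:
        domain = normalize(event["domain"])
        if domain in watchlist:
            alerts.append({"domain": domain, "registered": event["registered"],
                           "hits": watchlist[domain]})
    return alerts

if __name__ == "__main__":
    for alert in match_registrations(REGISTRATION_EVENTS,
                                     build_watchlist(LLM_ANSWERS, OWNED)):
        print("ALERT watched domain registered:", alert)
```

Lowering `min_hits` to 1 widens the watchlist to every non-owned host seen, at the cost of more noise from one-off answers.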