What Is Phantom Squatting?

When a large language model answers a question about a brand, a service, or a tool, it sometimes invents a domain that doesn’t exist. Not because it’s lying, exactly. Because its language patterns produce plausible-sounding URLs the same way they produce plausible-sounding sentences.
Phantom squatting is what happens next. An attacker identifies one of those invented domains, registers it first, and waits. When an AI tool points a user toward that address — developer, customer, agent, doesn’t matter — the attacker is already there.
No phishing email required. No malicious ad. Just a domain that an AI decided sounded right.
The Numbers Behind the Problem
Unit 42 ran a structured experiment: 685,339 questions, 913 well-known brands, two AI models. The models produced 2.1 million links.
Threat intelligence had already flagged 13,229 of those links as outright malicious. The models were handing out known-bad addresses without hesitation.
More alarming: roughly 250,000 of the invented domains had no owner yet. Each one is a ready-made target. Whoever registers it first inherits all the trust the AI has already assigned to it.
Why It Works So Well

A brand-new domain has no reputation. Blocklists need a site to misbehave before they flag it. Reputation scores need history. A freshly registered phantom domain has neither, so every filter that would normally catch a phishing site simply has nothing to act on.
By the time the threat feeds catch up, the victim has already clicked through — sent there by a tool they trusted.
Two details sharpen the problem considerably.
The hallucinations aren’t random. Both models in Unit 42’s study invented the same fake domains for the same questions, consistently, across different temperature settings. Turning up the “creativity” dial just produced more invented domains. The behavior is structural, not accidental. As Unit 42 put it, the vector “exploits a structural property of LLM architectures that remains inherently unpatchable.”
The fake domains predate the malicious sites. Both models shipped before the real phishing pages existed. The addresses aren’t surfacing from contaminated training data — they’re being generated fresh, from language patterns alone. Attacker and defender are reaching the same invented domain the same way: by asking an AI.
The Postal Service Phishing Kit
On March 8, 2026, Unit 42’s system predicted that AI models would consistently generate a domain resembling a national postal service’s online marketplace. Both models produced it at every temperature setting — a strong signal the models treated the fake site as fact.
Twenty-three days later, an attacker registered that exact domain and deployed a phishing kit called Montana Empire. It mirrored the real storefront in real time, harvesting card numbers, bank-transfer details, and national ID data. A Telegram bot let the operator manually approve victims’ one-time passcodes. Leftover project files revealed the kit had been built with an AI coding assistant.
Attacker and defender reached the same fake domain the same way.
The 51-Day Warning
In the second case, Unit 42 flagged a hallucinated postal-service domain a full 51 days before an attacker registered it. When the attacker arrived, they built a pixel-perfect brand clone — fake 4.8-star rating, a claim of over two million users — and used it to push a malicious Android app.
Other detected domains impersonated a major UAE bank already being abused for nearly a year, a European bank, and sports-betting platforms targeting users in Bangladesh.
This Has a Cousin: Slopsquatting
Phantom squatting isn’t operating in isolation. It’s the domain version of slopsquatting — where attackers register the fake software package names that AI coding tools invent.
That one is already a documented campaign. A large USENIX study found code-generating models routinely suggest package names that don’t exist. The PhantomRaven campaign turned exactly that behavior into malware hidden across 126 npm packages with more than 86,000 installs.
The pattern is the same in both cases: model output becomes input, and nobody checks it first.
The Bigger Shift Worth Naming
This lands in a world where brand-impersonation phishing is now a paid service. Kits like Lucid and Lighthouse have already stood up 17,500 fake domains targeting 316 brands across 74 countries.
AI doesn’t create that threat. It just makes the targeting easier, faster, and more scalable — because the models do the domain-guessing work for free, at volume, on demand.
Developers, agents, and security teams are all acting on AI-generated links and names before anyone verifies them. That’s the actual vulnerability. Not the hallucination itself — the trust placed in it.
What You Can Actually Do
Don’t trust a link because an AI gave it. Confirm the domain is the real, official one before you type a password or paste it into code. This sounds obvious. It isn’t practiced nearly enough.
Keep AI agents from auto-opening model-generated links. An agent has no instinct to hesitate. A human might pause at something that looks slightly off. An agent will not.
Treat model output as an unverified draft. Not an authority. Not a source. A starting point that needs a second look.
For security teams, the consistency of hallucinations is actually useful. Because models invent the same fake domains predictably, you can map which addresses a model is likely to produce for your brand and monitor for registration activity — often with weeks of warning before an attacker shows up.
The Real Race
Unit 42 frames the core question cleanly: do defenders or attackers reach these domains first?
Right now, attackers have the edge — because they’re paying attention to a threat vector that most organizations haven’t fully internalized yet. The hallucinations aren’t going away. The structural property that produces them isn’t patchable.
What is changeable is the assumption that AI-generated output is verified output. It isn’t. It never was. Phantom squatting is just the clearest proof yet that the gap between those two things has a price.
Comments (0) No comments yet
Want to join this discussion? Login or Register.
No comments yet. Be the first to share your thoughts!