Threat Intelligence • Malware

Phantom Squatting: How Hackers Are Turning AI's Biggest Flaw into a Cyberattack

Something odd happened during a security research exercise earlier this year.

By CyberCube Team 5 min read Threat Intelligence & Malware
Phantom Squatting AI Cyberattack

Something odd happened during a security research exercise earlier this year.

A team at cybersecurity company was testing how often AI tools make up website addresses. Standard stuff — ask the model for a link, see if it invents something that doesn't exist. What they found wasn't just interesting. It was a working attack vector that criminals had already figured out.

They called it phantom squatting. And once you understand how it works, you'll never look at an AI-generated link the same way again.

The Problem Started with Something We All Brushed Off

Every AI user has run into this. You ask your chatbot for a link, maybe the documentation page for a software tool, maybe a company's customer portal, maybe a government service website and it gives you one with complete confidence. You click it. It doesn't exist. You sigh, Google it yourself and move on.

For most people that's a minor annoyance. A quirk. The AI was "hallucinating" again.

Here's what most people didn't think about: if an AI makes up the same fake domain every time someone asks a similar question, that fake domain becomes predictable. And predictable means exploitable.

Attackers figured this out. They started querying AI tools the same way regular users do, but instead of ignoring the fake URLs — they wrote them down. Then they registered them.

That's phantom squatting. The domain doesn't exist, the AI invents it, the criminal buys it, and then waits for someone to click.

What the Research Actually Found

Unit 42 didn't just spot this happening in the wild. They ran a proper study to understand the scale of it.

They sent close to 685,000 queries across two different AI models, asking about 913 well-known global companies. The models generated over 2.1 million URLs in total.

Of those, around 250,000 were unregistered hallucinated domains — addresses the AI made up that nobody had claimed yet. A quarter million potential traps just sitting there, unclaimed.

And 13,229 of the URLs generated had already been confirmed as malicious. Meaning criminals had already found them, registered them, and weaponized them before the researchers even ran the study.

The breakdown of what those malicious domains were used for: 67% delivered malware. 16% were credential-harvesting phishing pages.

The thing that makes this particularly uncomfortable is that AI models hallucinate the same domains consistently. They're not generating random garbage — they're generating plausible-sounding addresses based on how company names and domain patterns work. Ask the same model the same question ten times, you often get the same fake URL ten times. That consistency is exactly what makes this scalable as an attack.

Why Your Security Tools Probably Won't Catch This

Traditional phishing attacks leave a paper trail. Threat intelligence services track suspicious registrations. Reputation filters flag domains with known bad history.

Phantom squatting walks straight past all of that.

A freshly registered hallucinated domain has no history. It's never been used in a campaign before. No one has reported it. No blacklist has flagged it. It's a clean slate and that cleanliness is its disguise.

Most security systems operate on the assumption that bad domains have been bad before. That assumption breaks completely when the attack uses a brand new domain every time.

The deeper problem is that AI hallucination isn't a bug that's going to get patched. It's a structural property of how language models work — they generate plausible text, and sometimes plausible text includes made-up website addresses. That's not going to change. Which means phantom squatting as a technique isn't going away either.

Phantom squatting — how the attack unfolds

Phantom Squatting

Who's Getting Targeted

Any organization that users regularly ask AI tools about is a potential target. But some sectors attract more of this than others.

Banks and financial platforms are obvious targets. People ask AI assistants to help them find net banking portals, locate customer support pages, or understand fee structures all the time. A convincing fake login page for a major bank is immediately monetizable.

E-commerce and logistics is another high-risk area — the postal service case above isn't a coincidence. Tracking packages, finding marketplace links, checking shipping rates — these are exactly the kinds of queries that produce hallucinated domains.

Healthcare platforms are at risk for the same reason. Patients and staff asking AI tools for hospital portal links or telehealth login pages create opportunities for stolen credentials on services that hold genuinely sensitive data.

And developers are particularly exposed. AI coding assistants are constantly generating URLs for documentation, dependencies, and API references. When those references point to hallucinated domains, you're looking at a supply chain problem, not just a phishing problem — malicious packages, fake documentation sites, poisoned install commands.

What You Can Do Right Now

There's no single fix. But there are things that actually move the needle.

If you're running an organization, start by figuring out what AI models are hallucinating about your brand. Run your company name, product names, and common search patterns through a few AI tools and collect the fake URLs they generate. Set up domain monitoring to watch for anyone registering those strings. If you find specific phantom domains being generated consistently, consider registering them yourselves, or at minimum blocking them at your DNS resolver level.

Close your domain gaps. Many companies have product variants, old campaign domains, or regional variations they never bothered to register. Those are easy targets. Register them before someone else does.

For individuals, the advice is simple: don't trust a link because an AI gave it to you. If an AI assistant hands you a URL for something sensitive — a bank login, a government portal, a payment page — don't click it directly. Search for the company independently, find their real homepage, and navigate from there. One extra step that can save a lot of damage.

Quick Reference: What You Need to Know

The attack Criminals register domains that AI tools hallucinate — before you click them
Why AI generates fake URLs Models predict plausible text, not verified facts
Why the same fake domain keeps appearing LLMs hallucinate consistently — same question, same fake URL
Scale found in research 250,000+ unregistered hallucinated domains; 13,229 already confirmed malicious
Real example Montana Empire phishing kit — deployed 23 days after researchers flagged the domain
Why security tools miss it New domains have zero threat history — they're invisible to reputation filters
For organizations Monitor AI outputs for your brand; watch domain registrations; close domain gaps
For individuals Verify AI-generated links independently before entering any credentials

The thing about phantom squatting is that it doesn't require any technical sophistication on the attacker's side. No malware development, no zero-day exploits, no complex infrastructure. You ask an AI a question, you register whatever domain it makes up, you wait. The AI does the research for you.

And on the other side, the people being targeted have no reason to suspect anything. The AI gave them the link. It looked right. They clicked.

That combination, trivially easy to execute, genuinely hard to spot — is what makes this worth taking seriously right now, before it becomes the background noise of every security operations team in the country.

Where We Come In

At CyberCube, we work with businesses across India to identify exactly this kind of emerging threat — before it reaches their users or their systems. Whether that's monitoring what AI tools are hallucinating about your brand, running VAPT assessments to close the gaps attackers look for, or building the kind of security posture that doesn't wait for something to go wrong before taking action.

Protect Your Brand from Phantom Squatting

We help businesses monitor AI-generated brand risks, identify suspicious domain activity, and close security gaps before attackers exploit them.

Talk to CyberCube