
AI keeps inventing web addresses that do not exist. Attackers now buy them first.

Unit 42 found attackers registering the fake web domains AI models hallucinate, turning a chatbot's answer into a phishing and supply chain threat.


When an AI assistant hands you a link, you tend to trust it. Attackers have found a way to abuse that trust before the link even exists. New research from Palo Alto Networks Unit 42 documents a technique it calls phantom squatting: adversaries register the fake web addresses that AI models invent, then wait for the model to send real people, and automated systems, straight to their infrastructure. The address never existed until an attacker bought it, which is exactly why your defenses do not see it arrive.

The mechanism is the same one behind a problem the software world already knows. When you ask a model for a package, a portal, or an API endpoint, it does not look anything up. It predicts a plausible-looking string from patterns in its training. Sometimes that string points at a real site. Often it points at a domain that has simply never been registered. Researchers have measured this for package names for over a year, coining slopsquatting for the case where attackers publish malware under the fake package names an AI keeps suggesting. Academic work found roughly one in five packages recommended by AI coding tools were entirely fabricated. Unit 42's contribution is to move that logic from package registries to the open web.

Phantom squatting by the numbers (Unit 42)

  • ~250,000 phantom domains: unregistered addresses two AI models invented, free for attackers to buy

  • 913 brands probed: 685,339 prompts produced 2.1 million unique URLs

  • 18 to 51 days of attacker lead time: from a hallucinated domain appearing to a live phishing site
Source: Palo Alto Networks Unit 42, phantom-domain study, June 2026.

What the researchers measured

Unit 42 probed two production AI models with 685,339 prompts spanning 913 global brands, and collected 2.1 million unique URLs the models produced. A large share pointed nowhere real: one model generated non-existent domains 44.6 percent of the time, the other 27.5 percent. After filtering, the team counted roughly 250,000 unique unregistered domains, real addresses that an attacker could buy for a few dollars each and stand up as malicious infrastructure. Of the URLs that were already live, 13,229 (0.61 percent) were confirmed malicious and another 41,313 (1.90 percent) were high-risk. Among the confirmed-malicious set, Unit 42 attributes 67.2 percent to malware distribution and 16.2 percent to phishing.

Every figure above is Unit 42's, drawn from two specific models over one measurement window. The point is not the exact percentages. It is the order of magnitude: a quarter of a million fake but plausible addresses, tied to real brands, sitting unclaimed and waiting.

Why a domain nobody has registered beats your blocklist

Reputation is the quiet assumption under most web filtering. A URL filter, a secure web gateway, and a threat-intelligence feed all decide whether to block a site largely on its history: how old it is, who else flagged it, what it has hosted before. A phantom domain has no history. The moment an attacker registers it, it is a clean address with zero prior signals, and it stays clean until someone gets hurt and reports it. Unit 42 calls this the zero-reputation bypass, and it is the whole game. Your protective layer is structurally blind during the exact window that matters.

That reframes phantom squatting as a detection problem wearing a domain costume. You cannot block your way out of it after the fact, because "after the fact" is too late by definition. The defensible move is to watch for the registration of addresses that resemble your brand, and to treat any URL a model emits as untrusted input rather than a fact.

Predictable is the weapon, not random

Classic typosquatting bets on human error: an attacker registers gooogle.com and hopes a fraction of people fat-finger the third "o". Phantom squatting removes the guessing. The model reliably, repeatably tells the attacker which fake domains it will recommend, and it says the same thing to everyone who asks. A hallucination that reproduces across sessions and users is not noise; it is a targeting list. The attacker does not have to predict what a person mistypes. The AI publishes the answer for them, at scale, one brand at a time.

This is why the same trust shift we have flagged in other AI-agent stories keeps producing new attack surface. We wrote about prompt injection turning an AI assistant into a delivery path, and about AI coding agents running commands a human would have caught. Phantom squatting is the same failure from a different angle: the model is confidently authoritative about something it never verified, and a human or a pipeline acts on it.

Agentic AI is the accelerant

A person who lands on a suspicious site has a chance to notice the address looks off. An autonomous agent does not. Give an AI agent a task that involves fetching a documentation page, calling an API, or resolving a vendor portal, and it will follow the URL the model produced without a second thought. There is no human in the loop to see that the domain is one character of plausible fiction. As agents move into build pipelines and production workflows, phantom squatting scales from a phishing nuisance into a supply chain compromise, the same way a poisoned dependency does. This is the connective thread with package-level supply chain attacks: in both cases something trusted quietly points at attacker-controlled code.

The window is real, and it has already been used

Unit 42 did not stop at theory. It documents live cases where attackers weaponized hallucinated domains against real brands, and measures the lag from a phantom domain first appearing in model output to a working malicious site going live. That lag ran 18 to 51 days across the cases it tracked, a metric the team calls the adversarial exploitation window (AEW). In one, a postal-service e-commerce brand's hallucinated domain was registered weeks later and dressed up as a phishing kit, complete with a live scraper of the real storefront and a Telegram-based command-and-control (C2) channel for stolen credentials. In another, a fake address tied to a national postal service turned into a pixel-accurate clone that pushed a malicious Android app. Banking and retail brands appear in the same set.

The AEW cuts both ways. It is how long an attacker waits, but it is also your budget. If you can learn which phantom domains a model emits for your brand, you have weeks, not minutes, to get ahead of registration.
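One way to put that budget to work, as an added example (not code from Unit 42 or this article): build a watchlist from the hosts a model emitted for a brand, then triage a newly-registered-domain feed against it. The brand token, domains, dates and digit-folding table are constructed assumptions, and every non-owned host in the answers is treated as a watchlist candidate.

```python
import re
from datetime import date

# Constructed sample data; all domains use reserved TLDs (.example, .test).
BRAND = "acmepost"                  # hypothetical brand token
OWNED = {"acmepost.example"}        # domains the brand really controls
ANSWERS = [  # (date probed, model answer text)
    (date(2026, 5, 1), "Track parcels at https://track-acmepost.test/status."),
    (date(2026, 5, 3), "Log in via https://acmepost.example/login or "
                       "https://acmepost-shop.test."),
    (date(2026, 5, 9), "Use https://track-acmepost.test/status for tracking."),
]
FEED = [  # (registration date, newly registered domain)
    (date(2026, 5, 24), "track-acmepost.test"),
    (date(2026, 5, 25), "acmep0st-help.test"),
    (date(2026, 5, 25), "unrelated.test"),
]
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
DIGIT_FOLD = str.maketrans("013457", "oleast")  # common digit-for-letter swaps

def build_watchlist(answers, owned):
    """Map each non-owned host the model emitted to the date it was first seen."""
    first_seen = {}
    for seen, text in answers:
        for host in URL_RE.findall(text):
            host = host.lower().rstrip(".")  # drop sentence-ending dot
            if host in owned:
                continue
            if host not in first_seen or seen < first_seen[host]:
                first_seen[host] = seen
    return first_seen

def skeleton(label):
    """Fold look-alike digits and hyphens so 'acmep0st-help' compares as text."""
    return label.translate(DIGIT_FOLD).replace("-", "")

def triage(feed, watchlist, brand):
    """Return (domain, reason, days from first hallucination to registration)."""
    alerts = []
    for registered, domain in feed:
        d = domain.lower().rstrip(".")
        if d in watchlist:
            alerts.append((d, "phantom-registered", (registered - watchlist[d]).days))
        elif brand in skeleton(d.split(".")[0]):
            alerts.append((d, "brand-adjacent", None))
    return alerts

if __name__ == "__main__":
    for alert in triage(FEED, build_watchlist(ANSWERS, OWNED), BRAND):
        print(alert)
```

The day count on a "phantom-registered" alert is the time already spent between the first hallucination and registration, which is the interval this section describes as the defender's budget.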

Close the window before the domain goes live

Phantom squatting does not have a patch, because there is no single vulnerable product. It is a property of how models generate text. Defense is about narrowing the window and refusing to trust unverified output.

  • Treat model-generated URLs as untrusted. In any agentic workflow, do not let an agent auto-follow a link the model produced. Resolve it against an allowlist of known-good domains, or require the address to have real registration history before a pipeline touches it.

  • Map your own phantom surface. Probe the AI assistants your customers actually use with prompts about your brand, products, and support portals, and record the non-existent domains they suggest. Those are your watchlist candidates, and you can build them before an attacker does.

  • Monitor registration streams for brand-adjacent domains. Newly registered domains that echo your brand deserve a look the day they appear, not the day a customer reports a scam. The zero-reputation window is precisely when reputation tools cannot help you.

  • Hunt for the tells of a live clone. A phishing kit that scrapes your storefront in real time, or a fake app signed by an unknown developer, leaves indicators. Watch for outbound traffic to freshly registered look-alikes and for brand assets loading from domains you do not own.
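A sketch of the first control in the list above, as an added example that is not code from Unit 42 or this article: a gate an agent calls before fetching any URL the model produced. The allowlist entries, the 90-day minimum age and the registration dates are constructed assumptions; in practice `registered_on` would be filled from your own RDAP or WHOIS lookups.

```python
from datetime import date
from urllib.parse import urlsplit

# Assumed policy values, not from the article.
ALLOWLIST = {"example.com", "docs.example.com"}
MIN_AGE_DAYS = 90

def normalize_host(url):
    """Return the lowercase ASCII host, or None if the URL is not plain http(s)."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname
    except ValueError:                      # e.g. malformed IPv6 literal
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    if parts.username or parts.password:    # https://example.com@other.test/
        return None
    try:
        return host.rstrip(".").encode("idna").decode("ascii").lower()
    except UnicodeError:
        return None

def on_allowlist(host):
    """Exact match or subdomain, compared on a label boundary."""
    return any(host == d or host.endswith("." + d) for d in ALLOWLIST)

def gate(url, registered_on, today):
    """Decide allow / review / block for one model-emitted URL."""
    host = normalize_host(url)
    if host is None:
        return ("block", "unparseable or non-http URL")
    if on_allowlist(host):
        return ("allow", "allowlisted")
    created = registered_on.get(host)       # None: no registration history
    if created is None:
        return ("block", "no registration record")
    age = (today - created).days
    if age < MIN_AGE_DAYS:
        return ("block", f"registered {age} days ago")
    return ("review", "not allowlisted, has history")

if __name__ == "__main__":
    # Constructed registration data for the demo run.
    reg = {"acme-portal.test": date(2026, 6, 10)}
    for u in ("https://docs.example.com/setup",
              "https://example.com.evil.test/login",
              "https://acme-portal.test/login"):
        print(u, gate(u, reg, date(2026, 6, 30)))
```

Matching on a label boundary is what keeps `example.com.evil.test` from passing as `example.com`, and a host with no registration record is blocked rather than waved through.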

The uncomfortable part of this research is that it does not describe a bug that gets fixed and forgotten. As long as models answer confidently without checking, they will keep manufacturing plausible addresses out of thin air, and someone will keep buying them. The defenders who come out ahead are the ones who stop treating an AI's output as a source of truth and start treating it as one more untrusted input.

Frequently asked questions

What is phantom squatting?

Phantom squatting is registering the fake web domains that AI models hallucinate. Because models predict plausible URLs without checking they exist, attackers buy the non-existent addresses the AI keeps suggesting, then wait for the model to send real users and automated agents to their malicious site.

How is phantom squatting different from typosquatting?

Typosquatting relies on human error, registering a misspelling and hoping people fat-finger it. Phantom squatting relies on AI behavior: the model reliably and repeatably suggests the same fake domain to everyone, giving attackers a predictable targeting list rather than a gamble on mistyping.

Why do standard URL filters miss phantom domains?

Most web filtering leans on reputation: a domain's age, history, and prior flags. A freshly registered phantom domain has none of that. Unit 42 calls this the zero-reputation bypass: the address stays clean in threat feeds until someone is harmed and reports it, which is too late.

How does phantom squatting threaten AI agents specifically?

Autonomous agents follow the URLs a model produces without a human to notice the address looks wrong. An agent fetching docs, calling an API, or resolving a portal can be steered to attacker infrastructure, turning a phishing trick into a software supply chain compromise inside pipelines and production workflows.

What can defenders do about phantom squatting?

There is no patch, since it stems from how models generate text. Treat model-generated URLs as untrusted, resolve them against allowlists, probe AI assistants to learn which fake domains they suggest for your brand, and monitor domain registration streams for brand-adjacent names before attackers register them.
