
A large language model keeps inventing web addresses that don’t exist. The attackers began buying these fictitious domains before others and hosting phishing pages there to catch the traffic directed by their AI tools.
Palo Alto Networks’ Unit 42 calls the trick phantom squatand that new study shows it’s already happening in the wild.
The reason it’s important is trust. Developers and AI assistants increasingly treat links returned by models as real. If your model invents a domain that doesn’t exist yet, the first person to register it will inherit all that false trust, and you don’t need phishing emails or malicious advertising.
To measure the problem, Unit 42 asked two AI models 685,339 questions about 913 well-known brands across technology, finance, healthcare, government, gambling, and other sectors.
The model generated 2.1 million links. Threat Intelligence has already flagged 13,229 of these as fully malicious, meaning the AI was distributing known bad addresses. Approximately 250,000 invented domains do not yet have an owner, and the first person to register can quickly become a target.
How the phantom squat works
The attack works because the new domain has no reputation. Blocklists, threat feeds, and reputation scores all require a site to be misbehaving for a while before being flagged.
Newly registered phantom domains have no such record, so these filters have nothing to flag. By the time they caught up, the victim had already been sent to the site by a tool they trusted.
Two details make matters worse. The fake domain was not present in the training data. Both models were shipped before real malicious sites existed, so the addresses come from the models’ own language patterns rather than from memory. And those patterns are consistent.
Different models often create the same fake domain for the same question, making it easier to guess the attacker’s next target. Increasing the model’s “creativity” setting only produced more inventive areas. As the Unit 42 researchers put it, this vector “takes advantage of the structural properties of the LLM architecture that remain inherently unpatchable.”
Two cases observed
Complete loops are visible in two cases. On March 8, 2026, Unit 42’s system predicted that an AI model would invent a domain similar to the National Postal Service’s online marketplace. Both models produced it at every temperature setting. This is a strong indicator that you are treating a fake site as fact.
Twenty-three days later, on March 31, the attackers registered that exact domain and launched a phishing kit named Montana Empire. The kit was copied in real time from the actual storefront. Card numbers, bank transfer details and national ID data were stolen.

Telegram bots allow operators to manually approve victims’ one-time passcodes. As a result, the project files and session logs left behind showed that the perpetrator used an AI coding assistant to build the kit. Attackers and defenders used the same method to reach the same fake domain by relying on AI.
In the second case, Unit 42 flagged a hallucinated Postal Service domain a full 51 days before the attacker registered it. The attackers then wrapped it in a pixel-perfect brand clone, added a fake 4.8-star rating and over 2 million users, and used it to push a malicious Android app.
Other domains detected impersonated a major UAE bank, a European bank, and a sports betting site targeting users in Bangladesh, which the attackers had been exploiting for nearly a year.
Old tricks and new targets
Phantom Squat is the domain version of. squatthe attacker registers a fake software package name created by an AI coding tool. That’s not a hypothesis.
USENIX’s extensive research found that code generation models routinely suggested non-existent package names, and the PhantomRaven campaign turned that very behavior into malware hidden in 126 npm packages that were installed over 86,000 times.
This represents a larger change, where the output of the model becomes the input. Developers, agents, and security teams can act on AI-generated links and names before anyone examines them, and AI continues to reduce the time defenders have to respond.
It also hits a world where brand impersonation phishing is a paid service, using kits like Lucid and Lighthouse to counter 17,500 fake domains against 316 brands in 74 countries.
what to do
Because the models consistently exhibit hallucinations, security teams can map the fake domains they may generate, monitor who registers them, and often issue weeks of warnings. For others, the actual steps are simple.
- Don’t trust a link just because the AI gives it to you. Before entering your password or pasting your code, make sure the domain is genuine and official.
- Prevents the AI agent from automatically opening or downloading model generation links without checking. Agents don’t have the instinct to hesitate like humans do.
- Treat anything written by a model as an unverified draft, not as an authority.
That window is open and whoever moves first will be rewarded. As Unit 42 frames it, the real question is simply who gets to these domains faster: the defender or the attacker.
