Phantom Squatting Turns AI Hallucinations Into a New Phishing and Malware Surface

A new attack pattern called phantom squatting shows how quickly an AI quality problem can become an enterprise security problem. Large language models sometimes invent domains that do not exist. Attackers are now registering those invented domains first and using them for phishing pages, malware delivery and brand impersonation before defenders have any reputation data to work with.
The operational significance is simple: if a model recommends a link, many users, agents and developers treat it as implicitly trustworthy. That means a hallucinated URL can become a real attack surface with no phishing email, no typo from the user and no malicious ad in between. The model itself becomes the first referral source.
Why this is different from ordinary malicious domains
Unit 42 found that models can hallucinate the same domain patterns consistently, which gives attackers a predictable target list. In the reported research, more than two million links were generated across hundreds of thousands of prompts, over thirteen thousand were already known malicious, and roughly a quarter million invented domains were unregistered and available for abuse. That combination makes phantom squatting less like random model noise and more like a pre-positioning opportunity for adversaries.
- A freshly registered hallucinated domain starts with no negative reputation, so common filters have little context at first sight.
- Different models may invent the same fake destination for the same brand or use case, which makes attacker targeting easier.
- Developers and AI agents increasingly open, crawl or reuse model-supplied links automatically.
- The same trust problem can support phishing kits, malware delivery and cloned brand storefronts.
What security and AI platform teams should change first
1) Treat model-generated links as untrusted input
AI links should be handled the same way teams already handle user-submitted URLs or third-party content. Do not allow assistants, internal bots or coding agents to open or download from model-generated domains without a verification step. Canonical-domain checks, allowlists and browser isolation are worth far more here than the convenience of following links blindly.
2) Monitor likely phantom domains before they are weaponized
Because hallucinations can be consistent, defenders can test the same brands and workflows against the models their organization uses, map the fake domains that recur, and watch for registrations. That turns a frustrating LLM behavior into an early-warning feed for brand abuse, phishing and malware hosting.
3) Reduce autonomous trust in agent workflows
Agentic systems that browse, enrich tickets, collect research or follow external references need tighter guardrails. Link validation, reputation checks, domain age checks and execution gates should sit between a model recommendation and any privileged action. Otherwise a hallucinated domain can become an automation-assisted compromise path.
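One way to place the link validation, domain-age check and execution gate described in steps 1 and 3 between a model's output and an agent's action. This is an added example, not code from the reported research. The allowlist, the 90-day threshold, the registration dates and every domain name below are constructed assumptions. A real deployment would load its own verified domains and query RDAP or WHOIS for registration data.

```python
from datetime import date
from urllib.parse import urlsplit

# Constructed sample data (assumptions): the organisation's verified domains,
# and registration dates that would normally come from an RDAP/WHOIS lookup.
ALLOWLIST = {"example.com"}
REGISTERED_ON = {"account-verify.test": date(2025, 5, 28), "vendor.test": date(2015, 3, 1)}

def safe_host(url):
    """Return the lowercase hostname, or None if the URL must not be followed."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if "@" in parts.netloc:  # userinfo trick: https://example.com@other.test/
        return None
    return parts.hostname.rstrip(".")

def on_allowlist(host, allowlist):
    # Exact match or a true subdomain; "example.com.other.test" does not match.
    return any(host == d or host.endswith("." + d) for d in allowlist)

def registration_date(host, registry):
    # Try progressively shorter label suffixes until a registered domain is found.
    labels = host.split(".")
    for i in range(len(labels) - 1):
        found = registry.get(".".join(labels[i:]))
        if found:
            return found
    return None

def gate(url, today, allowlist=ALLOWLIST, registry=REGISTERED_ON, min_age_days=90):
    """Decide what an agent may do with a model-supplied URL: allow, review or block."""
    host = safe_host(url)
    if host is None:
        return ("block", "malformed, non-web or credential-bearing URL")
    if on_allowlist(host, allowlist):
        return ("allow", "canonical domain")
    registered = registration_date(host, registry)
    if registered is None:
        return ("block", "no registration found: phantom candidate, add to watch list")
    if (today - registered).days < min_age_days:
        return ("block", "domain younger than %d days" % min_age_days)
    return ("review", "established but unverified: needs human approval")
```

Domains that come back as phantom candidates are the ones to feed into the registration monitoring described in step 2.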
Priority response checklist
| Area | Why it matters | What to do |
|---|---|---|
| Link validation | Model-generated URLs can be fictional but still persuasive | Require canonical-domain verification or allowlist matching before users or agents follow AI-supplied links |
| Brand monitoring | Repeated hallucinations give attackers predictable targets | Continuously test high-value brands and services against your approved models and watch for domain registrations |
| Agent guardrails | Autonomous browsing can turn hallucinations into actions | Add browser isolation, domain-age checks and approval gates for external navigation or downloads |
| Threat detection | New domains may evade normal reputation-based screening | Correlate newly seen domains with brand impersonation patterns, hosting anomalies and user-reported AI links |
| User guidance | People over-trust links returned by AI assistants | Train teams to verify official domains before login, payment or code reuse |
Bottom line
Phantom squatting is a reminder that AI hallucinations are not only a reliability issue. In the wrong workflow, they become a supply path for fraud, credential theft and malware. Teams that treat AI-generated links as untrusted, monitor predictable phantom domains and limit agent autonomy will be much better prepared than teams that treat model output as a harmless draft.

