By Allan D - Editor, AI Security Wire
Phantom Squatting: When AI Hallucinations Become Attacker Infrastructure
When a user asks an AI assistant for the official website of a brand, they expect a real address. If the model produces a hallucinated domain instead, and an attacker already registered that domain, the user lands on infrastructure that the AI itself built demand for. Unit 42 published research this week documenting exactly this attack class, which they call phantom squatting.
The core insight is not complicated, but the scale is. LLMs consistently produce the same plausible-but-fictitious URLs when asked about specific brands. The URLs sound right: they follow the expected format, they use recognisable brand syllables, they have plausible TLDs. But they do not exist. Or they did not, until someone registered them.
How the Research Was Conducted
Unit 42 ran 685,339 prompts across two LLM families, covering 913 global brands in tech, finance, healthcare, government, and e-commerce. The prompts were designed to elicit brand-related URLs in ways that mirror real user behaviour: asking for official download links, support pages, developer portals, login endpoints. The result was a dataset of 2.1 million AI-generated URLs.
From that dataset, 13,229 URLs were already flagged as malicious in threat intelligence feeds. That finding alone is significant: the models were directing users toward known-bad addresses with some regularity. But the more alarming number is the roughly 250,000 hallucinated domains that were unregistered and available. Those represent a menu of high-credibility attack infrastructure waiting to be claimed.
The Thermal Hallucination Persistence Concept
Not all hallucinated domains carry the same risk. Unit 42 introduced the concept of thermal hallucination persistence to differentiate them. Temperature in LLM generation controls randomness: at low temperature a model is more deterministic, at high temperature it produces more varied output. A domain that appears in model output at every temperature setting, regardless of how much variation is introduced, has high thermal persistence.
High-persistence domains are the priority targets. They indicate the model treats that address with near-factual confidence, which means victims receive it as a strong recommendation rather than one option among several. It also means multiple AI systems are likely hallucinating the same address simultaneously, concentrating user traffic toward it once registered.
The monitoring implication is practical: persistence scoring lets defenders prioritise which hallucinated domains to watch. You cannot register and protect 250,000 domains. You can prioritise the ones with the highest persistence scores for the brands you care about.
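One way a brand team could turn persistence into a ranked watchlist, as an added example that is not Unit 42's code or pipeline. It assumes the score is the fraction of temperature settings at which a non-official host appears; the brand name, domains and sample answers are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample data: answers to one brand prompt at four temperatures.
# "examplepost" and every domain below are placeholders, not research findings.
OFFICIAL = {"examplepost.example"}
SAMPLES = {
    0.0: ["Shop at https://shop-examplepost.example/store."],
    0.5: ["Use https://shop-examplepost.example or https://examplepost.example/shop"],
    1.0: ["Try https://shop-examplepost.example/track and https://examplepost-parcel.example"],
    1.5: ["See https://SHOP-examplepost.example, https://my-examplepost.example/login"],
}
HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)

def hosts(text):
    """Lower-cased hostnames of every URL in a model answer."""
    return {h.lower().rstrip(".") for h in HOST_RE.findall(text)}

def is_official(host, official):
    """True for an official domain or a subdomain of one (dot-boundary match)."""
    return any(host == d or host.endswith("." + d) for d in official)

def persistence_scores(samples, official):
    """Score = fraction of temperature settings at which a non-official host appears."""
    seen = defaultdict(set)
    for temperature, answers in samples.items():
        for answer in answers:
            for host in hosts(answer):
                if not is_official(host, official):
                    seen[host].add(temperature)
    return {host: len(temps) / len(samples) for host, temps in seen.items()}

def watchlist(samples, official, threshold=1.0):
    """Hosts at or above the threshold, highest persistence first."""
    scores = persistence_scores(samples, official)
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(host, score) for host, score in ranked if score >= threshold]

if __name__ == "__main__":
    for host, score in watchlist(SAMPLES, OFFICIAL, threshold=0.25):
        print(f"{score:.2f}  {host}")
```

The dot-boundary check matters here: `shop-examplepost.example` ends with the official string but is a different registrable domain, so it is scored rather than skipped.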
Montana Empire: A Confirmed Case
Unit 42 documented a confirmed in-the-wild exploitation that illustrates the full kill chain. On March 8, 2026, their pipeline flagged a hallucinated domain closely matching the official website of a national postal service e-commerce operation. The model consistently produced this domain when users asked about the postal service’s online shopping and delivery tracking.
Twenty-three days later, on March 31, attackers registered the domain. They deployed the Montana Empire phishing kit, which scraped the legitimate postal service storefront in real time to produce a pixel-accurate replica. Visitors who followed AI-generated links were presented with a convincing clone that collected card numbers, bank-transfer credentials, and national IDs.
The 23-day gap between Unit 42’s detection and attacker registration is notable. Their monitoring pipeline identified the domain as a high-risk target three weeks before anyone acted on it. Across the full dataset, proactive monitoring yielded detections 18 to 51 days ahead of adversary registration. That window is actionable if the brand protection team is watching.
Why This Is Not a Conventional Phishing Problem
Conventional phishing uses look-alike domains: small typos, homoglyphs, added hyphens, swapped TLDs. Security teams have tooling for this. Domain monitoring services flag new registrations that resemble protected brands. Blocklists accumulate history on known-bad domains.
Phantom squatting breaks both defences. The hallucinated domains are newly registered with no prior history. They pass reputation checks because they have never been used for anything. Blocklist-based detection cannot catch them at registration time, because there is nothing on the blocklist yet. By the time victims reach the phishing kit and telemetry accumulates, the campaign may already be weeks old.
The traffic driver is also different. Conventional phishing requires the attacker to reach victims through email, SMS, or ads. Phantom squatting outsources that step to AI systems that users already trust. The AI sends the traffic voluntarily as part of answering a legitimate question.
Unit 42 notes that this attack vector “exploits a structural property of LLM architectures that remains inherently unpatchable.” The hallucination behaviour cannot be eliminated without destroying the fluency that makes these models useful.
What Defenders Can Do
The actionable mitigations are outside the model rather than in it.
Proactive hallucination monitoring. Brands can run structured prompts against major LLMs to build inventories of domains their models associate with them, including hallucinated ones. The addresses with high thermal persistence are the priority registration or monitoring targets.
Brand protection tuned to AI output. Existing brand protection vendors are adding AI hallucination scanning to their services. The methodology is the same as what Unit 42 demonstrated: systematic probing, persistence scoring, and automated alerts when flagged domains appear in new registrations or certificate transparency logs.
AI product-level URL verification. AI assistants that generate URLs could in principle validate those URLs against known-good registries before presenting them to users. This is technically feasible for the major AI platforms and reduces the demand that reaches hallucinated domains. Adoption is so far limited.
User awareness. For end users and enterprise AI policies: AI-generated URLs should be treated as suggestions, not verified links. Typing a brand name into a search engine or navigating directly from a bookmark remains safer than following AI-produced web addresses for anything involving authentication or financial data.
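The product-level URL verification described above, sketched as an output filter (an added example, not code from Unit 42 or any AI vendor). The registry, brand name, notice text and sample answer are hypothetical and constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Hypothetical known-good registry (constructed): brand -> official domains.
KNOWN_GOOD = {"examplepost": {"examplepost.example"}}
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)
NOTICE = "[link withheld: not in known-good registry]"

# Constructed assistant answer; every domain is a placeholder.
ANSWER = (
    "Track your parcel at https://shop-examplepost.example/track, sign in via "
    "https://examplepost.example@login-examplepost.example/ and the official "
    "store is https://www.examplepost.example/shop."
)

def is_known_good(url, brand, registry=KNOWN_GOOD):
    """True only if the URL's real host is an official domain or its subdomain."""
    try:
        # .hostname drops userinfo, so "official@other-host" resolves to other-host
        host = (urlsplit(url).hostname or "").rstrip(".").lower()
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return False
    return any(host == d or host.endswith("." + d) for d in registry.get(brand, ()))

def verify_answer(text, brand, registry=KNOWN_GOOD):
    """Return (text with unverified URLs replaced by NOTICE, list of those URLs)."""
    withheld = []

    def check(match):
        raw = match.group(0)
        url = raw.rstrip(".,;:!?")  # sentence punctuation is not part of the URL
        if is_known_good(url, brand, registry):
            return raw
        withheld.append(url)
        return NOTICE + raw[len(url):]

    return URL_RE.sub(check, text), withheld

if __name__ == "__main__":
    safe_text, withheld = verify_answer(ANSWER, "examplepost")
    print(safe_text)
    print(withheld)
```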
The phantom squatting research from Unit 42 is a clear demonstration that LLM hallucination has moved from a reliability problem to an infrastructure threat. The model’s confident fiction becomes the attacker’s working address book.
Frequently Asked Questions
- How is phantom squatting different from slopsquatting?
  Slopsquatting targets hallucinated package names in AI-generated code. Phantom squatting targets hallucinated web domains in AI responses about real brands. Both exploit LLM hallucination, but the attack surface and victim profile are different: slopsquatting hits developers installing packages, phantom squatting hits end users visiting brand websites on AI recommendations.
- What is thermal hallucination persistence and why does it matter?
  A domain with thermal hallucination persistence is one that an LLM generates consistently regardless of the model's temperature setting. High-consistency hallucinations indicate the model treats that address as near-factual, making it a high-value target: victims are more likely to receive the fake URL as a confident recommendation, and the domain has predictable demand from multiple AI systems simultaneously.
- Can this be patched at the model level?
  Unit 42's assessment is that it cannot. The attack exploits a structural property of how LLMs generate plausible-sounding text, not a configuration error or safety gap. Mitigations sit outside the model: proactive monitoring of high-persistence hallucinated domains, brand protection services tuned to AI output patterns, and user-facing warnings in AI products when generated URLs cannot be verified against known-good registries.