Cybercriminals are exploiting a new technique known as ‘phantom squatting,’ where they register and weaponize web domains fabricated by large language models (LLMs). This method leverages the tendency of AI models to generate plausible yet nonexistent web addresses, which attackers then use to host phishing sites and distribute malware.
LLMs, such as those used in AI assistants and development tools, often produce web links that appear legitimate but do not correspond to actual domains. When these AI-generated links are presented to users or integrated into automated systems, they can be mistakenly trusted. Cybercriminals capitalize on this by registering these fabricated domains before others do, thereby inheriting the misplaced trust associated with them.
Research conducted by cybersecurity firm Unit 42 involved querying two AI models with over 685,000 questions related to 913 well-known brands across various sectors, including technology, finance, healthcare, and government. The models generated approximately 2.1 million links, among which 13,229 were identified as malicious. Additionally, around 250,000 of these AI-invented domains were unregistered at the time, presenting opportunities for attackers to claim and exploit them.
Mechanics of Phantom Squatting
The effectiveness of phantom squatting lies in the inherent trust users place in AI-generated content. Newly registered domains lack historical data, making it challenging for security systems to flag them as malicious. This gap allows attackers to deploy phishing sites that can evade detection until significant harm has occurred.
Notably, the fabricated domains are not derived from the AI models’ training data but are products of the models’ language generation capabilities. This consistency means that different AI models may produce the same fictitious domain for similar queries, enabling attackers to predict and preemptively register these domains.
Real-World Incidents
Unit 42’s research highlighted specific instances of phantom squatting. In one case, on March 8, 2026, their system predicted that AI models would generate a domain mimicking a national postal service’s online marketplace. Both models consistently produced this fictitious domain. By March 31, an attacker had registered the domain and launched a phishing campaign using a kit named Montana Empire, which replicated the legitimate site in real-time to steal sensitive information, including credit card details and national identification data.
Another incident involved a hallucinated postal-service domain flagged by Unit 42 51 days before an attacker registered it. The attacker created a convincing brand clone, complete with a fake 4.8-star rating and claims of over two million users, to distribute a malicious Android application.
Additional cases included domains impersonating a major UAE bank and sports-betting sites targeting users in Bangladesh, demonstrating the widespread applicability of this attack vector.
Comparisons to Previous Techniques
Phantom squatting is analogous to ‘slopsquatting,’ where attackers register non-existent software package names suggested by AI coding tools. This method has been exploited in campaigns like PhantomRaven, which embedded malware in numerous npm packages, leading to tens of thousands of installations.
The broader implication is that AI-generated outputs are increasingly being used as inputs in various systems. This trend underscores the need for vigilance, as unverified AI-generated content can introduce significant security vulnerabilities.
Mitigation Strategies
To counteract phantom squatting, security teams can proactively identify and monitor potential AI-generated domains, often gaining weeks of advance notice before they are exploited. General users and organizations should adopt the following practices:
- Verify the authenticity of links provided by AI tools before interacting with them or entering sensitive information.
- Implement safeguards to prevent AI agents from automatically accessing or downloading content from AI-generated links without human oversight.
- Treat AI-generated content as preliminary drafts requiring verification, rather than authoritative sources.
As AI continues to integrate into various facets of technology and daily life, the emergence of threats like phantom squatting highlights the importance of maintaining a critical approach to AI-generated information. Ensuring robust verification processes and fostering a culture of skepticism towards unverified AI outputs are essential steps in mitigating these evolving cyber threats.