Cybersecurity researchers have uncovered a new attack technique called Phantom Squatting, where cybercriminals take advantage of web addresses that artificial intelligence (AI) models mistakenly generate. Instead of relying on fake domains that closely resemble real ones, attackers register domains that never actually existed but are repeatedly suggested by AI systems. Researchers say this creates a new security risk because users and automated AI tools may trust these AI-generated links without realizing they are fake.

The research, published by Palo Alto Networks’ Unit 42, examined how often large language models generate incorrect website addresses for well-known organizations. During the study, researchers analyzed 913 global brands by running 685,339 AI queries, which produced nearly 2.1 million URLs. Among these, they identified more than 13,229 malicious URLs and discovered around 250,000 AI-generated domains that remain unregistered and could still be claimed by attackers in the future.

Researchers explained that attackers can monitor AI-generated responses and register these nonexistent domains before anyone else does. Once the domains are under their control, they can host phishing pages, malware downloads, or fake login portals. Since these websites are recommended by AI rather than appearing through traditional phishing emails or advertisements, victims are more likely to trust them and visit without questioning their legitimacy.

One of the biggest concerns is that newly registered phantom domains start with a clean reputation. Security products such as reputation services, blocklists, and threat intelligence feeds usually require time to identify malicious websites. Until suspicious activity is detected, these domains can bypass many existing security checks. This gives attackers an opportunity to launch phishing campaigns or distribute malware before security systems recognize the threat.

The threat becomes even more serious as organizations increasingly use AI agents to automate tasks. Many AI-powered systems now retrieve documentation, access APIs, download files, or interact with online services without human involvement. If an AI agent generates and follows a hallucinated domain controlled by an attacker, it could unknowingly download malicious content, expose sensitive information, or introduce compromised resources into software development and business workflows.

Researchers also highlighted the growing risk for software developers who rely on AI coding assistants. These tools often generate website links for API documentation, package repositories, webhook endpoints, and other development resources. If the AI recommends a hallucinated domain that has already been registered by a cybercriminal, developers could unknowingly access malicious infrastructure. The study notes that this expands earlier “slopsquatting” attacks from fake software packages to entire web domains.

According to the researchers, the problem is difficult to eliminate because it stems from how large language models naturally generate text. AI systems can confidently produce believable but incorrect web addresses based on language patterns learned during training. As AI becomes more deeply integrated into everyday work and autonomous systems continue to grow, the number of potential hallucinated domains is also expected to increase, giving attackers more opportunities to exploit this behavior.

To reduce the risk, Unit 42 recommends that organizations proactively identify AI-hallucinated domains before attackers register them. Monitoring these domains, verifying AI-generated links, and strengthening AI security practices can help stop attacks before they begin. The researchers believe that early detection is currently the strongest defense against Phantom Squatting, as this emerging threat targets the growing trust people and automated systems place in AI-generated information.
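
One way to apply the "verify AI-generated links" advice in an agent pipeline is shown below as an added example, not code from Unit 42 or the original article. Because a freshly registered phantom domain has no bad reputation yet, the check is a default-deny allowlist rather than a reputation lookup; `VERIFIED_DOMAINS`, the function names and the sample text are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: domains the organization verified out of band (constructed values).
VERIFIED_DOMAINS = {"example.com", "docs.example.org"}

URL_RE = re.compile(r"https?://[^\s<>()\[\]]+", re.IGNORECASE)

# Constructed model output: one verified link, one lookalike, one userinfo trick.
SAMPLE = (
    "See https://docs.example.org/api/v2 for the reference, "
    "log in at https://login.example-support.test/sso, "
    "or use https://example.com@portal.test/reset."
)

def normalize_host(url):
    """Return the lowercase ASCII hostname of url, or None if unparseable."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    if not host:
        return None
    try:
        return host.rstrip(".").lower().encode("idna").decode("ascii")
    except UnicodeError:
        return None

def is_verified(host, verified=VERIFIED_DOMAINS):
    """True only for a verified domain itself or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in verified)

def triage_links(llm_text, verified=VERIFIED_DOMAINS):
    """Split URLs in model output into (allowed, held_for_review)."""
    allowed, held = [], []
    for url in URL_RE.findall(llm_text):
        url = url.rstrip(".,;:!?\"'")  # drop sentence punctuation after the URL
        host = normalize_host(url)
        (allowed if host and is_verified(host, verified) else held).append(url)
    return allowed, held

if __name__ == "__main__":
    ok, review = triage_links(SAMPLE)
    print("fetch:", ok)
    print("hold for review:", review)
```

Hosts that land in the held list are also the candidates worth feeding into the proactive domain monitoring the researchers recommend.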