Unit 42 Uncovers New Supply Chain Threat as Attackers Register AI-Invented Domains

Phantom Squatting: How Attackers Are Weaponising AI’s Own Hallucinations to Hijack Trust

The420 Web Correspondent
6 Min Read

Phantom squatting is a deceptive cyberattack technique that targets organisations, software developers, and internet users by exploiting overlooked or unregistered digital domains. Though less well known than phishing or ransomware, it has emerged as a significant cybersecurity concern due to its potential to facilitate data theft, malware distribution, and supply chain attacks.

The mechanism is unusual in that the vulnerability does not originate from a coding flaw or a leaked credential, but from a structural quirk of large language models themselves. According to Unit 42 researchers, LLMs consistently hallucinate web domains for legitimate brands, generating plausible but entirely fictitious URLs when asked about a company’s services. Adversaries have begun actively weaponising this tendency by registering these nonexistent domains before anyone else does, positioning themselves to intercept traffic that AI systems unknowingly send their way.

The logic extends a pattern security researchers had already identified in software development, known as slopsquatting, where AI coding assistants frequently invent software package names that do not exist in any legitimate registry, and attackers register those fictitious package names to distribute malicious code. Phantom squatting simply extends that same adversarial logic from software packages to entire web domains, whether for a banking portal, a benefits website, or a corporate service page.

The Scale of the Problem, By the Numbers

Unit 42’s research quantified the threat with considerable precision. Researchers systematically probed two distinct AI model families across 685,339 adversarial prompts covering 913 well-known global brands spanning technology, finance, healthcare, government, and gambling sectors. The exercise produced a corpus of 2.1 million URLs.

Of those, 13,229 were confirmed malicious through threat intelligence and active crawling, meaning AI systems were, in effect, handing users addresses already known to be dangerous. A further 41,313 were flagged as high risk. Roughly 809,455 of the generated URLs resolved to non-existent domains, which collapsed into approximately 250,000 unique phantom domains still available for registration, representing a substantial pool of exploitable digital real estate that attackers could claim at any time. Malware delivery accounted for 67.2 per cent of confirmed threats, with phishing making up 16.2 per cent.

Perhaps most striking is the predictive dimension of the research. Unit 42’s monitoring system was able to forecast which hallucinated domains attackers would register between 18 and 51 days before the registration actually occurred, evidence that models reliably generate the same fictitious domains repeatedly, giving attackers a remarkably stable and predictable target list to work from.

The Cases That Prove the Threat Is Already Live

This is not a theoretical risk. In one documented case researchers dubbed Montana Empire, Unit 42’s system flagged a hallucinated postal-service e-commerce domain as high-risk 23 days before an attacker registered it and deployed a complete phishing kit. Forensic analysis of that kit revealed the attacker had used an AI coding assistant themselves, along with tooling built to scrape legitimate storefronts, implement a PHP backend, and exfiltrate stolen credentials through a Telegram-based command interface.

In a second case, Unit 42 flagged a hallucinated domain resembling a national postal service’s online marketplace a full 51 days before it was registered. The attacker built a pixel-perfect clone of the brand, complete with a fabricated 4.8-star rating and a false claim of over two million users, and used the site to distribute a malicious Android application. Other detected phantom domains impersonated a major UAE bank that had already been under sustained abuse for nearly a year, a European bank, and sports-betting platforms specifically targeting users in Bangladesh, a detail that underscores how squarely South Asian users sit within the blast radius of this technique.

Why This Threat Is Structurally Difficult to Eliminate

What distinguishes phantom squatting from conventional typosquatting, where attackers register domains containing likely misspellings of real websites, is that it exploits a structural property of how large language models generate text rather than any specific coding error, making it inherently difficult to patch away entirely. As AI coding assistants, research agents, and chatbots become more deeply embedded in how developers and ordinary users navigate the internet, the trust placed in a model’s confidently stated output creates exactly the kind of exploitable gap phantom squatting depends on.

The mitigation strategy Unit 42 and other researchers recommend mirrors, in many respects, the discipline organisations already apply to conventional domain squatting: maintaining a comprehensive inventory of digital assets, proactively registering probable domain variations and software package names before they can be claimed by adversaries, and continuously monitoring for new registrations that resemble a brand’s identity. Software developers are advised to source dependencies only from trusted repositories and verify package authenticity rather than trusting whatever a coding assistant suggests.

For organisations, particularly those in finance, government, and healthcare sectors that Unit 42’s research shows are already being targeted, the emergence of phantom squatting adds a genuinely new category of risk to an already crowded threat landscape, one where the vulnerability lies not in a system’s defences but in the confident fluency of the AI tools users have increasingly come to trust by default.

Stay Connected