
Attackers Register AI-Hallucinated Domains to Launch Phishing

Criminals are buying fake web addresses that language models invent, then using them to catch traffic that AI tools redirect their way.

Omega Editorial · July 1, 2026 · 3 min read

Attackers have found a new way to exploit artificial intelligence: they register the fake web addresses that large language models hallucinate, then host phishing pages on those domains to intercept traffic that AI tools send their way.

Researchers at Palo Alto Networks' Unit 42 call this technique phantom squatting, and their latest research confirms it is already being used in active attacks.

How the attack works

The vulnerability stems from a fundamental behavior of language models. When asked questions about brands or services, AI systems sometimes generate plausible-sounding URLs that do not actually exist. Because these invented domains have no owner, whoever registers them first inherits all the trust that users and AI assistants place in model-generated output.

To measure the scope of the problem, Unit 42 posed 685,339 questions about 913 well-known brands to two AI models. The systems produced 2.1 million links in response. Of those, threat intelligence had already flagged 13,229 as known malicious sites. More significantly, roughly 250,000 of the hallucinated domains had no registered owner, making each one a ready target for attackers.

The invented addresses do not come from training data. Both models in the study shipped before the real malicious sites existed, meaning the fake domains emerge from the models' own language patterns. Those patterns are consistent across different systems: multiple models often hallucinate the same fake domain for identical queries, making an attacker's next target predictable.

Real-world cases

Unit 42 documented two complete attack cycles. On March 8, 2026, their system predicted that AI models would invent a domain resembling a national postal service's online marketplace. Twenty-three days later, an attacker registered that exact domain and deployed a phishing kit called Montana Empire. The kit cloned the real storefront in real time and harvested payment card numbers, bank-transfer details, and national identification data.

In a second case, researchers flagged a hallucinated postal-service domain 51 days before an attacker registered it. The criminal then built a pixel-perfect brand clone and used it to distribute a malicious Android application.

Other detected domains impersonated a major UAE bank, a European financial institution, and sports-betting sites targeting users in Bangladesh.

Why it matters

Phantom squatting exploits a structural weakness in how AI systems generate text. Developers and automated agents increasingly treat model output as verified information, acting on AI-generated links before anyone confirms they are legitimate. Freshly registered domains have no reputation history, so security filters have nothing to flag until the site has already been used in attacks. Unit 42 describes the vulnerability as "inherently unpatchable" because it stems from core properties of language model architectures.

Defense strategies

Because models hallucinate consistently, security teams can predict which fake domains are likely to appear and monitor domain registrations for those patterns, often with weeks of advance warning. For individual users and organizations, the guidance is straightforward: never trust a link simply because an AI provided it. Verify that domains match official addresses before entering credentials or incorporating URLs into code. Configure AI agents to require human approval before opening or downloading from model-generated links.
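One way to apply the "verify before acting" and "require human approval" guidance in an agent pipeline, shown as an added example that is not from Unit 42 or the original article: every URL in model output is checked against a hand-maintained list of official domains, and anything else is held for review. The domain names, the `OFFICIAL_DOMAINS` list, the function names and the choice to accept subdomains of listed domains are all assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: official domains are maintained by hand from verified sources.
OFFICIAL_DOMAINS = {"example-post.example"}

# Matches http(s) URLs up to whitespace or a closing quote/bracket.
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)

def normalize_host(url):
    """Return the lowercase ASCII (punycode) hostname, or None if unusable."""
    try:
        host = urlsplit(url).hostname  # ignores userinfo ("user@") and port
    except ValueError:
        return None
    if not host:
        return None
    try:
        return host.rstrip(".").lower().encode("idna").decode("ascii")
    except UnicodeError:
        return None

def is_official(host, allowed=OFFICIAL_DOMAINS):
    """True only for a listed domain or a subdomain of one (label-aligned)."""
    return any(host == d or host.endswith("." + d) for d in allowed)

def triage_links(model_output, allowed=OFFICIAL_DOMAINS):
    """Split URLs in model output into (allowed, held_for_human_review)."""
    ok, held = [], []
    for url in URL_RE.findall(model_output):
        url = url.rstrip(".,;:!?")  # drop sentence punctuation
        host = normalize_host(url)
        (ok if host and is_official(host, allowed) else held).append(url)
    return ok, held

# Constructed sample of model output; none of these domains are real.
SAMPLE = (
    "Track parcels at https://shop.example-post.example/track. "
    "The marketplace is https://example-post-market.example/ and you can "
    "sign in at https://example-post.example@login.invalid/signin or "
    "https://example-post.example.evil.invalid/"
)

if __name__ == "__main__":
    ok, held = triage_links(SAMPLE)
    print("allowed:", ok)
    print("needs human approval:", held)
```

The three held URLs cover a plausible invented name, an official name placed in the userinfo part of the URL, and an official name used as a prefix of an unrelated domain.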

The window for defensive action is open, but it rewards whoever moves first. These findings were first reported by Palo Alto Networks' Unit 42.

This is an original analysis by the Omega editorial team. Source reporting: AI Watch.
