Palo Alto Networks Unit 42 published research documenting phantom squatting, a new attack technique where threat actors identify domains that large language models frequently hallucinate when generating URLs for legitimate services, then register those fabricated addresses to host phishing kits and malware delivery infrastructure. Unit 42 confirmed 13,229 hallucinated domains are currently hosting malicious content, and identified approximately 250,000 more hallucinated domains that remain unregistered and available for attacker preemption.
How Phantom Squatting Exploits AI Model Hallucinations to Create Attack Infrastructure
Phantom squatting exploits a well-documented property of large language models: when asked to provide a URL for a company, service, or tool, AI assistants sometimes generate plausible-sounding but entirely fabricated addresses. These hallucinated URLs share the structural characteristics of real URLs — they follow naming conventions for the industry, use common domain extensions, and combine words in ways consistent with the brand — but they point to addresses that were never registered or operated by the legitimate organization.
Attackers practicing phantom squatting approach this systematically. They probe popular AI models with questions likely to produce URL responses, catalog the hallucinated domains the models output, and register those domains before victims have a chance to follow AI-generated links. Once registered, the domains host phishing infrastructure, malware downloaders, or credential harvesting pages designed to trap users who followed an AI assistant’s fabricated recommendation.
The Montana Empire Phishing Kit: First Confirmed AI-Hallucination-Assisted Attack on Victims
Unit 42 documented a specific confirmed case that illustrates the full phantom squatting attack chain. An attacker registered a hallucinated postal service domain — an address that AI models generated when asked about postal service tracking or shipping resources — and deployed a phishing kit called “Montana Empire” on the registered domain. Montana Empire cloned the legitimate postal service’s storefront in real time, presenting victims with a functional-looking interface that stole credit card numbers, bank transfer details, and national ID data.
The attacker was found to have constructed the Montana Empire phishing kit using an AI coding assistant, making this the first confirmed case where AI hallucination generated the victim delivery URL and AI assistance generated the phishing infrastructure that received victims at that URL. Both the lure and the trap were built using AI tools, from end to end.
13,229 Active Malicious Phantom Squatting Domains and 250,000 Still Unregistered
Unit 42’s research confirmed that 13,229 hallucinated domains currently host malicious content. Of those active malicious domains, 67.2% are delivering malware, 16.2% are conducting phishing, and the remainder are engaged in other forms of abuse. The distribution toward malware delivery over phishing suggests that phantom squatting is not limited to credential theft — it is also being used to deliver software payloads to users who trust AI-generated download links.
The more consequential figure for defenders is the 250,000 additional hallucinated domains that remain unregistered. Unit 42 characterizes this pool as representing a significant opportunity for adversaries, as each of those 250,000 addresses could be registered by an attacker at low cost and quickly weaponized as a delivery endpoint for users who ask an AI assistant for the relevant URL. The unregistered pool dwarfs the already-active malicious pool by a factor of roughly 19, representing the attack technique’s potential scale rather than its current footprint.
Why AI-Recommended Links Bypass Traditional Phishing Skepticism
Standard phishing awareness training instructs users to be suspicious of unexpected links, to check URLs before clicking, and to be wary of communications that create urgency or pressure. Phantom squatting bypasses all of these learned behaviors because the link originates from the user’s own AI assistant in response to a question the user initiated.
A user who asks an AI tool for the URL of a vendor portal, software download, or government service, and receives a specific URL in response, is unlikely to apply the same skepticism they would to an unsolicited link in an email. The AI tool they trust provided the address; from the user’s perspective, the recommendation is the result of information retrieval, not a potential attack vector. Unit 42 identifies this trust differential as the core of why phantom squatting scales effectively: the AI-assisted workflow becomes the delivery mechanism, and the user’s confidence in AI recommendations is the vulnerability being exploited.
What Organizations and Developers Should Watch for in AI-Assisted Workflows
Unit 42 emphasizes that phantom squatting poses a particular risk in enterprise contexts where AI assistants are integrated into developer, IT, and business workflows. Developers using AI coding assistants to look up package names, API endpoints, or documentation URLs are exposed to the same hallucination-to-registration chain as consumers asking AI chatbots for website addresses. Each context in which an AI model generates a domain name or URL that the user then acts on is a potential phantom squatting delivery point.
Organizations deploying AI tools in workflows where employees follow AI-generated URLs should consider URL validation steps before acting on AI-generated addresses — specifically, verifying that the domain is actually registered to and operated by the expected organization before clicking or downloading. The 250,000 unregistered hallucinated domain pool means the attack surface for phantom squatting will expand as more attackers adopt the technique.
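One way to implement the validation step described above is a gate that accepts an AI-suggested URL only when its registrable domain is on a list of domains the organization has already verified as registered to and operated by the expected vendor, and that separately flags domains built from a verified brand's name (the naming pattern hallucinated URLs follow). This is an added example, not tooling from Unit 42 or Palo Alto Networks; the allowlist, the tiny suffix list and the sample URLs are constructed, and the allowlist stands in for the organization's own vendor verification.

```python
"""Gate AI-suggested URLs against verified vendor domains.

Added example, not tooling from Unit 42 or Palo Alto Networks. The
allowlist, suffix list and sample URLs are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Constructed: domains verified to be registered to and operated by the
# vendors staff actually use (sourced from vendor records in practice).
VERIFIED_DOMAINS = {"example-post.com", "example-bank.com"}

# Constructed and deliberately tiny; a real check would use the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its registrable domain (eTLD+1)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_token(domain: str) -> str:
    """Letters-only second-level label: 'example-post.com' -> 'examplepost'."""
    return re.sub(r"[^a-z]", "", domain.split(".")[0])


def classify_url(url: str) -> str:
    """Return 'verified', 'lookalike' or 'unknown' for an AI-generated URL.

    Only 'verified' should be followed. 'lookalike' marks an unverified
    domain that embeds a verified brand's name, which is how hallucinated
    domains tend to be built; 'unknown' is everything else.
    """
    if "://" not in url:
        url = "//" + url                 # let urlsplit see a bare host as netloc
    host = urlsplit(url).hostname or ""  # .hostname drops any user@ prefix
    if not re.fullmatch(r"[a-z0-9.-]+", host):
        return "unknown"
    domain = registrable_domain(host)
    if domain in VERIFIED_DOMAINS:
        return "verified"
    candidate = brand_token(domain)
    for verified in VERIFIED_DOMAINS:
        token = brand_token(verified)
        if token and token in candidate:
            return "lookalike"
    return "unknown"
```

A deployment would also confirm that a 'verified' entry still resolves and is still owned by the vendor, which this offline example does not do.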
