PROBABLYPWNED
Threat Intelligence | July 2, 2026 | 4 min read

Phantom Squatting: Attackers Weaponize AI-Invented URLs

Unit 42 finds attackers registering domains that LLMs hallucinate, then hosting phishing kits to intercept AI-directed traffic. Montana Empire kit caught 23 days after prediction.

Alex Kowalski

Large language models have a hallucination problem that extends beyond wrong answers. They consistently invent URLs that don't exist—and attackers are now racing to register those fabricated domains before anyone notices, turning AI mistakes into phishing infrastructure.

Palo Alto Networks' Unit 42 published research this week documenting what they call "phantom squatting," a supply chain attack where adversaries weaponize the gap between AI-generated recommendations and reality. When a model suggests a plausible-sounding but nonexistent website, whoever registers it first inherits all the misplaced trust users have in AI-generated advice.

How the Attack Works

The premise is deceptively simple. AI assistants regularly generate URLs that look legitimate—they follow naming conventions, reference real brands, and appear authoritative. But many don't exist. Users clicking those links find nothing. Attackers registering those domains find victims.

Unit 42 tested this systematically, querying two different LLMs with 685,339 questions about 913 well-known brands. The models produced 2.1 million links. Of those, 13,229 were already flagged as malicious. But roughly 250,000 invented domains remained unregistered—prime targets for attackers with $12 and a domain registrar account.

The attack bypasses traditional defenses. Newly registered domains lack reputation history. Blocklists and threat feeds only flag sites after they demonstrate malicious behavior, giving attackers a clean window before detection catches up. This mirrors the lookalike domain tactics used in traditional phishing campaigns, but with AI doing the initial targeting work for free.

Montana Empire: From Prediction to Phishing Kit in 23 Days

Unit 42's monitoring caught the theory becoming reality. On March 8, their systems predicted that AI models would likely hallucinate a specific domain mimicking a national postal service marketplace. They flagged it as high-risk and watched.

On March 31, an attacker registered that exact domain and deployed a phishing kit called Montana Empire. The kit replicated the legitimate storefront pixel-for-pixel, stealing payment card numbers, bank details, and national ID data from victims who trusted AI-generated recommendations.

The forensics revealed something notable: leftover project files and session logs showed the criminal had built the phishing kit using an AI coding assistant. AI on both ends—generating the fake URL, then building the trap waiting there.

In another case, Unit 42 flagged a hallucinated postal-service domain 51 days before registration. The attacker created a clone complete with fake 4.8-star ratings and claims of "2+ million users" to distribute malicious Android applications.

Why Models Hallucinate Consistently

The research found that models don't hallucinate randomly. Given the same prompt, they tend to invent the same plausible-looking domains repeatedly. This consistency is what makes phantom squatting viable—attackers can predict which fake URLs an AI will suggest and pre-register them.

This predictability also creates defensive opportunity. Organizations can map which domains models are likely to hallucinate for their brand and preemptively register or monitor them. Unit 42's system detected the Montana Empire domain as high-risk 23 days before the attacker moved, demonstrating that defenders can get ahead of this threat.

The broader implications extend beyond phishing. AI-assisted coding tools suggesting nonexistent packages (a related supply chain risk we've covered in npm and PyPI contexts) follow similar patterns. The common thread: AI confidently pointing users toward resources that attackers can create and control.

Detection and Defense

Organizations facing this risk should consider several approaches:

  1. Proactive registration - Identify and register domains that models commonly hallucinate for your brand before attackers do
  2. DNS monitoring - Watch for registrations of domains similar to what LLMs might invent
  3. User education - Train employees to verify AI-suggested URLs independently before clicking
  4. AI guardrails - Implement validation layers that check whether AI-recommended URLs actually exist and have legitimate history
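
One way to build the validation layer from item 4, written for this article as an added example (not Unit 42's tooling). The `registration_date` lookup, the 90-day threshold, the verdict names and the `.test` / `example.com` hosts are assumptions made up for the sketch; hosts that come back `unregistered` are also the candidates for items 1 and 2.

```python
import re
from datetime import date
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"')\[\]]+", re.IGNORECASE)
MIN_AGE_DAYS = 90  # assumed policy threshold, not a figure from the research

def host_of(url):
    """Lower-cased hostname without port, credentials or trailing dot."""
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:
        return ""
    return host.rstrip(".").lower()

def is_verified(host, verified_domains):
    # Exact match or true subdomain; "example.com.other.test" does not qualify.
    return any(host == d or host.endswith("." + d) for d in verified_domains)

def vet_llm_urls(text, verified_domains, registration_date, today):
    """Classify each URL in model output. registration_date(host) is a
    caller-supplied lookup (RDAP, WHOIS or passive DNS in practice) that
    returns a datetime.date, or None when the domain is not registered."""
    results = {}
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:!?")  # sentence punctuation is not part of the URL
        host = host_of(url)
        if not host:
            verdict = "malformed"
        elif is_verified(host, verified_domains):
            verdict = "verified"
        else:
            created = registration_date(host)
            if created is None:
                verdict = "unregistered"      # hallucinated: strip link, queue for monitoring
            elif (today - created).days < MIN_AGE_DAYS:
                verdict = "newly_registered"  # no reputation history yet: hold for review
            else:
                verdict = "unverified_established"
        results[url] = verdict
    return results

# Constructed sample data (reserved example/test names, invented dates).
VERIFIED = {"example.com"}
REGISTRY = {"parcel-example.test": date(2026, 3, 31)}
SAMPLE = ("Track parcels at https://shop.example.com/track or "
          "https://example-post-market.test/login. "
          "Android app: http://parcel-example.test/app")

if __name__ == "__main__":
    for url, verdict in vet_llm_urls(SAMPLE, VERIFIED, REGISTRY.get, date(2026, 4, 10)).items():
        print(f"{verdict:24} {url}")
```

Only `verified` links should pass through unchanged; the other verdicts are where the link is removed or routed to review instead of being rendered as clickable.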

During Unit 42's research, the window between AI hallucination and attacker registration was measured in weeks. That's enough time for defenders who are watching, but it requires treating AI output as untrusted input rather than as an authoritative recommendation.

Why This Matters

Phantom squatting represents a new category of AI-enabled attack that exploits the growing trust users place in LLM recommendations. Unlike traditional typosquatting—which depends on users making typing errors—this technique weaponizes the AI itself.

As organizations deploy AI assistants for customer service, internal research, and coding assistance, the attack surface grows. Each AI-generated URL that doesn't get verified is a potential entry point. The fix isn't to stop using AI; it's to treat its outputs with appropriate skepticism and build verification into workflows.

Unit 42's research suggests the attacks are still emerging. The Montana Empire case shows criminals are learning the technique. The 51-day warning window shows defenders can stay ahead—if they're looking.
