Phantom Squatting: Hackers Turn AI Hallucinations Into a Free Phishing Buffet

Large language models love to hallucinate. We’ve all seen it — ChatGPT or Claude confidently spitting out a perfectly formatted but completely fake URL for some corporate portal, API endpoint, or support page.

Enter the attackers.
Cybercriminals figured out they could treat LLMs as an oracle for free domain ideas.
They flood models with thousands of prompts about popular brands (“payment gateway for [brand]”, “admin dashboard for [brand] support”, “sandbox API for [brand] integration”, etc.), collect the hallucinated URLs, and register the most commonly invented domains before anyone else does.
Once registered, these “phantom” domains become perfect landing spots for phishing pages, malware droppers, credential harvesters, or command-and-control infrastructure.
Because the domains have zero history, they often fly under traditional threat-intelligence radars — at least until malicious activity starts generating signals.

The Research That Exposed the Scheme

The result? 2.1 million unique URLs generated.
Of those:
- 13,229 (about 0.61%) were already known malicious links.
- Roughly 809,455 were “non-existent domains” (NXDs) — completely made up by the models.
- Normalized down to parent domains, this yielded approximately 250,000 unique hallucinated phantom domains that were still unregistered at the time of the study.
That’s a quarter of a million ready-made, high-quality targets for future attacks — essentially a free all-you-can-eat buffet for anyone willing to register them.

Not Random — Predictably Hallucinated

- Path-level (most common, ~50%): Something like `https://sandbox.[brand].com/payment/api/v1/pay`
- Subdomain-level (~40%): `https://admin.[brand].com` or `https://portal.[brand].com`
- Pure domain-level (~11%): Entirely invented domains like `[brand]post-app.com` or `[brand]benefitsportal.com`
Higher “creativity” settings (higher temperature) produced more hallucinations. Different models had slightly different biases — one leaned toward path hallucinations, the other toward subdomains — but the overlap was significant enough for attackers to exploit.
Researchers even observed a real-world “Adversarial Exploitation Window”: some phantom domains were registered by malicious actors 18 to 51 days after the LLMs started hallucinating them in the wild.

How the Attack Actually Works
- Discovery — Attackers (or even AI-assisted tools) probe LLMs with brand-specific prompts.
- Registration — They grab the most frequently hallucinated domains cheaply and quickly.
- Weaponization — They set up phishing kits, fake login pages, malware delivery sites, or redirect chains.
- Delivery — When an LLM (or a user trusting an LLM-generated link) recommends or uses one of these URLs, traffic flows straight to the attacker-controlled site.
This bypasses many traditional defenses because the domains have no prior reputation. Attackers have already been caught using AI-generated phishing kits on these kinds of domains.

Why This Matters Now

The good news? Because the hallucinations are predictable, defenders can get ahead of them. Unit 42’s work shows it’s possible to build proactive watchlists of likely phantom domains and monitor registration events in near real-time.
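One way to build the kind of watchlist described above, as an added example (not code from Unit 42 or from the original article): it classifies URLs seen in LLM answers against a brand's own inventory, ranks the unowned parent domains, and matches them against a newly-registered-domain feed. The `brand.example` names, the inventory sets and the sample feed are constructed placeholders, and the last-two-labels parent-domain rule is a simplification of Public Suffix List handling.

```python
from collections import Counter
from urllib.parse import urlsplit

# Assumption: constructed inventory for a placeholder brand (.example is reserved).
OWNED_DOMAINS = {"brand.example"}
LIVE_HOSTS = {"brand.example", "www.brand.example", "api.brand.example"}

def parent_domain(host):
    """Naive registrable domain (last two labels); use the Public Suffix List in production."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify(url):
    """Map a URL to (level, parent): 'domain', 'subdomain' or 'path'."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower()
    parent = parent_domain(host)
    if parent not in OWNED_DOMAINS:
        return "domain", parent      # unowned parent: anyone could register it
    if host not in LIVE_HOSTS:
        return "subdomain", parent   # unknown host under a domain the brand owns
    return "path", parent            # real host; only the path may be invented

def build_watchlist(urls):
    """Rank unowned parent domains by how often LLM output mentioned them."""
    counts = Counter()
    for url in urls:
        level, parent = classify(url)
        if level == "domain" and parent:
            counts[parent] += 1
    return counts.most_common()

def match_registrations(watchlist, newly_registered):
    """Return watchlist domains that show up in a newly-registered-domain feed."""
    feed = {d.lower().rstrip(".") for d in newly_registered}
    return [domain for domain, _ in watchlist if domain in feed]

# Constructed sample: URLs taken from LLM answers, e.g. your own gateway logs.
SAMPLE_URLS = [
    "https://api.brand.example/payment/api/v1/pay",
    "https://admin.brand.example",
    "https://brandbenefitsportal.example/login",
    "www.brandbenefitsportal.example/sso",
    "https://brandpost-app.example",
]
# Constructed sample of a registration feed (e.g. zone-file diffs or CT logs).
SAMPLE_FEED = ["BrandPost-App.example.", "unrelated.example"]

if __name__ == "__main__":
    watchlist = build_watchlist(SAMPLE_URLS)
    print(watchlist, match_registrations(watchlist, SAMPLE_FEED))
```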
Bottom Line
Phantom squatting is elegant in its simplicity: let the AI do the creative work of inventing plausible-sounding domains, then squat on them before the brands or defenders notice. It turns one of AI’s most famous weaknesses into a scalable, low-cost attack vector.
With ~250,000 high-quality hallucinated domains already identified in this single study, and many more being generated daily across public and enterprise models, the race is on between attackers trying to register them and security teams trying to predict and block them.
The buffet is open. The question is who gets there first.