Ask an AI assistant for a company's website and it will answer with total confidence — even when the domain it gives you doesn't exist, or worse, has just been registered by someone else. This isn't a rare glitch. Security researchers at Unit 42 (Palo Alto Networks) just published research showing it's a systematic, exploitable pattern — and attackers are already running the playbook, as reported by The Hacker News.
The researchers call it phantom squatting: registering the fictitious domains that large language models consistently invent, then weaponizing them before anyone notices. It's the domain-name cousin of "slopsquatting" (Wikipedia) — the already-documented practice of registering fake software package names AI coding tools hallucinate (one campaign, PhantomRaven, hid malware in 126 npm packages with over 86,000 installs (Koi Security)).
Why this works
A language model doesn't look anything up when it answers you — it predicts the most statistically plausible continuation of text. When you ask for a company's domain, or an AI coding agent needs to fetch a resource, the model produces something that sounds right. Most of the time that means a domain nobody registered, because it was never real. The danger is what happens next: increasingly, both people and autonomous AI agents treat the link a model hands back as trustworthy, without an independent check. Unit 42 calls this the zero-reputation bypass — a freshly registered domain has no blocklist history, so traditional threat detection has nothing to flag.
How attackers pick their targets
This isn't random opportunism — Unit 42 documented a repeatable four-phase process:
- Discovery. Attackers systematically prompt LLMs about a target brand to map its full "hallucination surface" — every fake domain the model tends to invent for it.
- Selection. Not every hallucinated domain is worth registering. Attackers rank candidates by two signals: how consistently a model keeps generating the same fake domain across different settings (what the researchers term Thermal Hallucination Persistence), and whether multiple different AI models independently invent the same fake name for the same brand. High scores on both mean a domain is statistically likely to get handed to a real victim.
- Registration. Once a target is picked, they buy it. Unit 42 measured an 18–51 day window between detecting a hallucination and an attacker actually registering the domain — a real, measurable head start for defenders who are watching.
- Weaponization. Once live, the domain gets dressed up as the real brand — sometimes pixel-perfect, with real-time storefront cloning — and used for credential phishing, malware distribution, or as a trap for AI agents that fetch URLs without verifying them first.
Real cases from the research
The clearest example, dubbed "Montana Empire," involved a hallucinated postal-service domain. Attackers registered it 23 days after researchers first detected the hallucination, then deployed a full brand clone — a real-time-scraped storefront, credential and card-number capture, and Telegram-based command infrastructure. Notably, the phishing kit itself was reportedly built with an AI coding assistant. A second, similar postal-service domain was weaponized 51 days after detection, this time to push malicious Android apps through a pixel-accurate clone.
The takeaway for anyone using AI to find a domain
This research is about brand impersonation, but the root cause — AI cannot be trusted to tell you whether a domain is real or available — is exactly what Domain Search King's own Hallucination Index found when we tested it directly: across every major model, up to 94% of domains an AI called "available" were already taken. The inverse problem — AI inventing domains that sound legitimate — is the same failure mode pointed in a different direction.
Either way, the fix is the same: never trust an AI's claim about a domain — verify it live, against the actual registry, before you act on it. That's true whether you're checking a domain to register for your own business, or checking whether a link an AI just handed you actually belongs to who it claims to.
What Domain Search King already does about this: every name our AI generator suggests is checked live via RDAP against the real registry before it's ever shown to you — that's the whole product. We built a free standalone tool so you can run that same live check on any domain an AI gave you, from any source.
Got a domain from an AI? Don't trust it — check it.
Paste any AI-suggested domain and we'll check it live against the registry in seconds — free, no signup.
Verify a domain now → See the Hallucination Index data →Registering something real instead? Here's what to do when your name is taken.
FAQ
What is phantom squatting?
Phantom squatting is when attackers register domain names that large language models consistently hallucinate for a brand, then weaponize those domains for phishing or malware — exploiting the fact that people and AI agents trust links a model hands them without checking the registry.
How do attackers know which hallucinated domains to register?
They prioritize domains an LLM generates repeatedly across different settings, and domains that multiple different AI models independently invent for the same brand — the more consistently a domain gets hallucinated, the more likely it is a real person or AI agent will eventually be handed it.
How can I check if a domain an AI gave me is real?
Don't trust the AI's answer — run a live registry check. Domain Search King's free verifier checks any domain against the authoritative registry in real time and tells you immediately whether it's actually registered or available.
