Attackers exploit a vulnerability in large language model outputs by purchasing domains that AI systems hallucinate and then recommend to users. Palo Alto Networks' Unit 42 identified this tactic, called "phantom squatting," already operating in active campaigns.

LLMs frequently generate plausible-sounding but nonexistent domain names when answering user queries. Users trust these recommendations and attempt to visit the fabricated addresses. Attackers register these domains before legitimate owners can claim them, then host phishing pages and malware on the sites. When users follow AI-generated links, they land on attacker-controlled infrastructure instead of legitimate services.

The attack vector exploits two weaknesses simultaneously. First, LLMs lack real-time internet access and hallucinate URLs to fill knowledge gaps. Second, domain registration systems have no mechanism to prevent registration of AI-generated addresses. Attackers monitor LLM outputs, identify frequently hallucinated domains, and claim them opportunistically.

Unit 42 documented active phantom squatting campaigns hosting credential theft pages and malware droppers. The domains appear legitimate enough to bypass user skepticism, particularly when presented as recommendations from seemingly authoritative AI assistants. Organizations relying on LLM-generated content recommendations face elevated risk of directing employees or customers to attacker infrastructure.

This attack pattern creates a new class of threat that traditional domain reputation systems struggle to detect. The domains initially appear fresh and legitimate, with little historical data available for security analysis. Users who reach these sites through AI recommendations extend them more trust, which makes social engineering more effective.
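Because reputation data is thin for these domains, registration age and an organizational allowlist are the signals a gateway or chat front end can act on. The following is an added example, not code from Unit 42 or the original article: it pulls hostnames out of LLM output and sorts them into allowlisted, unregistered, recently registered, or established. The function names, the 30-day threshold, and the `REGISTERED` table (a stand-in for an RDAP/WHOIS lookup) are assumptions, and all sample data is constructed.

```python
import re
from datetime import date

# Hostname, with or without a scheme; any trailing path is consumed so that
# "login.html" in a URL path is not mistaken for a host.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/?#]\S*)?", re.I)

def extract_hosts(text):
    """Unique lowercased hostnames in the order they appear in LLM output."""
    hosts = []
    for m in HOST_RE.finditer(text):
        host = m.group(1).lower()
        if host not in hosts:
            hosts.append(host)
    return hosts

def parents(host):
    """The host plus each parent domain, excluding the bare TLD."""
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]

def classify(host, registered, allowlist, today, min_age_days=30):
    """Verdict for one host; min_age_days is an assumed policy threshold."""
    names = parents(host)
    if any(n in allowlist for n in names):
        return "allowlisted"
    created = next((registered[n] for n in names if n in registered), None)
    if created is None:
        return "unregistered"  # hallucinated name that is still open to claim
    age = (today - created).days
    return "recent" if age < min_age_days else "established"

def triage(text, registered, allowlist, today):
    """Map every hostname found in the text to its verdict."""
    return {h: classify(h, registered, allowlist, today) for h in extract_hosts(text)}

# Constructed sample data (reserved example names, invented dates).
SAMPLE = ("Reset your password at https://portal.example.com/login.html or use "
          "https://acme-sso-helper.example/login. Docs: docs.acme-cloud.example.")
REGISTERED = {"example.com": date(2000, 1, 1),
              "acme-sso-helper.example": date(2025, 1, 10)}
ALLOWLIST = {"example.com"}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE, REGISTERED, ALLOWLIST, date(2025, 1, 20)).items():
        print(f"{host:28} {verdict}")
```

A verdict of "established" only means the domain is not new; it still needs independent verification before anyone is sent to it.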

Organizations should implement several controls. Verify AI-generated domains through independent sources before visiting them. Educate users about LLM hallucination risks. Deploy email filters and web gateways that flag recently registered domains, particularly those matching common hallucination patterns. Security teams should monitor for domains matching frequently generated LLM