Unit 42 researchers documented a novel attack vector on June 30, 2026: adversaries proactively register web domains hallucinated by AI large language models to intercept traffic generated by AI systems embedded in development workflows. The phenomenon, dubbed phantom squatting, turns the predictability of LLM hallucinations into a structural attack surface that traditional reputation-based defenses do not detect.
- Unit 42 analyzed 913 global brands across 685,339 LLM queries, generating 2.1 million URLs: over 13,229 confirmed malicious URLs, and approximately 250,000 hallucinated domains remain unregistered and available to adversaries.
- The monitoring system predicted adversarial registrations 18–51 days in advance; in the Montana Empire case, the target domain was flagged as high-risk 23 days before the campaign.
- Phantom domains bypass reputation-based defenses because they are born without history: they are generated from the LLM’s internal vocabulary, not from previously compromised infrastructure.
- The LLM serves as the attack delivery mechanism: delivery is the trusted AI assistant already integrated into the user’s workflow, requiring no traditional phishing.
How LLMs Generate Domains No One Has Ever Registered
Large language models, prompted to produce code, documentation, or informational answers, systematically hallucinate web domains for legitimate brands. This is not an occasional flaw: Unit 42 built a dataset of 685,339 queries run on two configurations of two distinct LLMs, yielding 2.1 million URLs. Roughly 30% pointed to non-existent domains—linguistically plausible but never registered.
The mechanism is rooted in the nature of transformers. Models predict sequential tokens based on statistical patterns in their training corpus. When a user asks for the official URL of a service or a software dependency, the LLM reconstructs a plausible form: it swaps suffixes, inverts compound words, invents subdomains that sound institutional. The output is syntactically coherent, ontologically wrong.
Unit 42’s research sampled 913 global brands across diverse sectors. Hallucination patterns are not random: correlations emerge between brand name structure and error type, with a preference for variants that mimic CDNs, documentation portals, and software package repositories. Adversaries monitoring these patterns can predict months in advance which domains an LLM will generate for a given brand.
The Attack Cycle: From Prediction to Weaponization in Hours
Phantom squatting extends the adversarial logic of typosquatting and brandjacking into a domain invisible to defensive infrastructure. The adversary no longer needs to guess human typos; they exploit the mechanical predictability of an AI system to register domains the AI itself will produce in the future.
Unit 42 documented that domains transition from registration to active malicious content in hours. Speed is functional to invisibility: the domain exists for an interval too short to populate threat feeds, too clean to trigger heuristic alerts based on historical reputation. When a user or an autonomous AI agent executes the HTTP request to the phantom domain, they treat it as authoritative because it was generated by the same AI they trust.
The Montana Empire case illustrates the full cycle. A phishing kit was built with the assistance of an AI coding assistant; the target domain had been identified by Unit 42’s system as high-risk 23 days before the actual campaign execution. The source does not specify the exact domain registration date nor the attacker’s identity. No infrastructure overlaps link the operator to known threat actors at this time.
"Phantom squatting extends this adversarial logic from software packages to web infrastructure" — Unit 42 researchers
Why Reputation-Based Defenses Fail
Enterprise security architectures rely heavily on reputation signals: how long a domain has existed, how many users access it, whether it has been flagged before. The phantom domain neutralizes every signal. It is original by definition: born from the LLM’s internal vocabulary, not from previously compromised infrastructure. It has no history because it never existed before the hallucination that created it.
As Unit 42 researchers observe, "the fake domain is born clean because it comes from the LLM's own internal vocabulary." This changes the geometry of risk. The corporate URL filter, DNS filtering, threat intelligence feeds: all look backward, at domains already seen. Phantom squatting looks forward, at domains that will exist only after an LLM invents them.
The result is a structural asymmetry favoring the attacker. Defenses need time to accumulate signals; the adversary, knowing in advance which domains will be hallucinated, compresses that window to zero. The brief does not document false-positive rates in Unit 42’s predictive system nor which specific LLMs were tested beyond the "two distinct LLM models" mentioned.
Why This Matters
The dossier does not specify concrete mitigations organizations can adopt against phantom squatting. The source does not document whether technical controls exist to intercept a domain before an LLM hallucinates it, nor whether security vendors are developing dedicated signatures for this vector.
The brief does not list specific sectors among the "multiple sectors" where adversarial registrations were detected, making it impossible to profile geographic or sectoral risk distribution. No economic or data-loss impact is documented for the Montana Empire case or other identified campaigns.
The dossier also does not specify whether other security vendors have independently detected the phenomenon. This lack of external corroboration is a substantial limitation: phantom squatting, in its current formulation, remains a concept defined and documented by a single primary source.
What the brief documents clearly is the structural risk. Enterprises integrating LLMs into CI/CD, documentation, and development workflows expose the supply chain to a vector that did not exist in previous threat models. Every query to a coding assistant potentially generates an endpoint no traditional defense can evaluate before it exists.
Unit 42’s research establishes this "is no longer a theoretical risk." The 13,229 confirmed malicious URLs and ~250,000 unregistered hallucinated domains quantify a concrete, measurable, expanding attack surface. The predictive system, with its 18–51 day window, offers a lead-time metric no other current supply-chain vector can replicate with comparable precision.
Frequently Asked Questions
What is a "hallucinated" domain in this context?
A hallucinated domain is a website name generated by an LLM that sounds plausible and institutional but corresponds to no actually registered domain. Unlike a typo created by human error, the hallucination follows linguistic patterns internal to the model: it is predictable and systematically replicable.
Why do phantom domains bypass traditional security filters?
Because reputation-based defenses require history and accumulated signals over time. A newly registered domain, generated by an LLM and weaponized in hours, has neither history nor signals. It is semantically coherent with the user’s expected output, so the user perceives it as authoritative.
Does the Montana Empire case prove the attack is already underway?
Unit 42 documents that a phishing kit was built with AI assistance and the target domain was predicted 23 days prior. The source states "this vector is currently active in the real world" but does not quantify damage or the specific campaign’s spread.
Information is based on the cited advisory and current as of publication.
Sources
Information is based on the cited source and current as of publication.