unit42.paloaltonetworks.com 7/1/2026, 1:31:01 AM · external

AI hallucinated domains fuel phantom squatting threats


The article discusses a threat identified by Unit 42 researchers called "phantom squatting," where large language models (LLMs) generate nonexistent web domains that adversaries then register to exploit. Key findings include:

1. **Phantom Squatting**: LLMs frequently hallucinate domains for legitimate companies. Attackers weaponize these by registering such domains to intercept traffic from AI systems.

2. **Real-World Impact**: Proactive monitoring revealed over 250,000 potentially exploitable hallucinated domains, with researchers detecting incidents as much as 51 days before adversary registrations.

3. **Threat Model**: The phantom squatting lifecycle includes stages like discover, act, lure, and bypass, effectively circumventing existing supply chain defenses designed for known malicious domains.

4. **Detection Techniques**: The research utilized a discovery pipeline to simulate adversarial probing and analyze LLM output. It flagged over 13,000 malicious URLs out of 2.1 million generated by the models.

5. **Defensive Measures**: The article highlights several Palo Alto Networks products aimed at countering these threats, including Advanced URL Filtering and the Unit 42 AI Security Assessment.

6. **Conclusion**: Organizations are urged to adapt proactive discovery measures to mitigate the risks posed by phantom squatting before adversarial exploitation occurs.
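As an added illustration (not code from the article or from Unit 42), the sketch below audits the URLs in an LLM response against an organization's verified domains before they reach a user. The domain names, the sample response and the `REGISTERED` set, which stands in for a real registration lookup such as RDAP or DNS, are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)

# Constructed sample data (assumptions, not taken from the article).
VERIFIED = {"acmebank.example"}                        # domains the brand owns
REGISTERED = {"acmebank.example", "acmebank-support.test"}  # stand-in for RDAP/DNS
SAMPLE_OUTPUT = (
    "Log in at https://portal.acmebank.example/login. "
    "API docs: https://developer-acmebank.example/docs, "
    "support: https://acmebank-support.test/help."
)

def hostname(url):
    """Lower-cased host of a URL, without port, userinfo or trailing dot."""
    return (urlsplit(url).hostname or "").rstrip(".")

def is_under(host, domain):
    """True only for the domain itself or a real subdomain (label boundary)."""
    return host == domain or host.endswith("." + domain)

def classify(url, verified=VERIFIED, registered=REGISTERED):
    host = hostname(url)
    if any(is_under(host, d) for d in verified):
        return "verified"
    if any(is_under(host, d) for d in registered):
        # Exists but is not ours: review before users are sent there.
        return "registered-unverified"
    # Hallucinated and still open for registration: block the link and
    # add the domain to registration monitoring.
    return "unregistered"

def audit_llm_output(text):
    """Map every URL found in an LLM response to its classification."""
    return {u.rstrip(".,;:"): classify(u.rstrip(".,;:"))
            for u in URL_RE.findall(text)}

if __name__ == "__main__":
    for url, verdict in audit_llm_output(SAMPLE_OUTPUT).items():
        print(f"{verdict:22} {url}")
```

Matching on a label boundary matters here: `developer-acmebank.example` and `acmebank.example.login.test` both contain the brand string but are not subdomains of the verified domain.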


Article by CyberSIXT