AI Hallucinates a Domain for Your Brand. An Attacker Registers It Before You Do. We Already Measure the First Half — Which Is the Whole Point.
- Patrick Duggan
- 20 minutes ago
- 5 min read
# AI Hallucinates a Domain for Your Brand. An Attacker Registers It Before You Do. We Already Measure the First Half — Which Is the Whole Point.
Here is an attack that could only exist in 2026. A large language model, asked about your company, confidently invents a web address for you that does not exist — a plausible, brand-shaped domain it simply made up. A user, or increasingly an AI agent acting on the user's behalf, trusts the answer and goes there. And waiting at that made-up address is an attacker who registered it first, standing up a phishing page or a malware dropper on infrastructure the AI itself conjured into relevance. Palo Alto's Unit 42 has a name for this — Phantom Squatting — and numbers that should stop you: probing two LLM families, they generated roughly 250,000 unique hallucinated domains across 913 global brands, a registerable attack surface most of those brands have no idea exists. This one lands directly in our lane, because measuring exactly which domains AI hallucinates about a brand is a thing we already do. The defense begins with the enumeration, and the enumeration is the product.
What Phantom Squatting is
The mechanism is almost elegant, in the way the worst attacks are. Language models do not retrieve facts; they predict plausible text. Ask one for the website of a company, a product, a support portal, and it will sometimes produce a URL that looks exactly right — the correct brand, a sensible structure, a believable top-level domain — and is entirely fabricated. The model is not lying so much as pattern-completing. To the human or agent reading the answer, a hallucinated domain is indistinguishable from a real one until they visit it.
An attacker's move is to get there first. If you can predict which domains a model tends to hallucinate for popular brands — and it turns out you very much can, because the hallucinations are not random, they cluster around plausible patterns — you register them, cheaply, in bulk, before anyone notices they are unclaimed. Then you wait for the model to send you traffic. Unit 42 made the scale concrete: they ran 685,339 adversarial prompts against 913 brands and produced around a quarter of a million unique phantom domains, inside a corpus of 2.1 million URLs, finding both a huge field of unclaimed registerable names and domains already turned malicious. On March 31, 2026, one such registered hallucination — a domain for a brand the models had invented an address for — was running a phishing kit that mirrored the real storefront in real time and harvested card numbers, bank-transfer details, and national ID data.
The package version is already a body count
If domains are the consumer-facing half, software packages are the developer-facing half, and that half has already drawn blood. AI coding assistants hallucinate package names the same way chat models hallucinate domains — they suggest an import that sounds real and does not exist. Attackers register the invented name. The developer, or their AI agent, installs it. The industry calls this slopsquatting, and it is not theoretical: a large academic study found code-generating models routinely suggest nonexistent package names, and the PhantomRaven campaign turned exactly that behavior into malware hidden in 126 npm packages that were installed more than 86,000 times. The hallucination is the distribution channel. The model does the attacker's marketing for free.
Why this is our fight specifically
We are going to say the part that is easy to miss, because it is the reason we are writing this and not just relaying it. The attack has two halves — the AI hallucinating a plausible fake, and the attacker registering it — and we operate on both halves already.
The first half is AI Presence Management. AIPM exists to measure how AI models perceive and describe a brand, and hallucination is the failure mode it was built to catch. We have watched models invent things about our own company in the open — a model has confidently associated our name with a teachers' federation, a metal-stamping manufacturer, a physical security-guard firm, none of them us. That is the exact same generative behavior that produces a phantom domain; the only difference is whether the hallucination is a wrong description or a wrong URL. If you can systematically enumerate what AI hallucinates about your brand — the wrong facts and the fabricated addresses alike — you have produced the attacker's target list before the attacker does. That enumeration is not a nice-to-have. It is the first move of the defense.
The second half is threat intelligence. Once a phantom domain is registered and stood up, it is a malicious domain like any other, and catching newly-registered brand-adjacent domains hosting phishing kits is what a threat feed is for. The two capabilities close a loop: AIPM tells you which fabricated domains an attacker is most likely to squat, and the feed tells you the moment one of them goes live and hostile. Most organizations have neither half. Sitting on both is not a coincidence for us; it is the shape of the thing we built.
What to actually do
Enumerate your own phantom surface. Ask the major models, across settings, for your company's URLs, portals, download pages, and support sites, and write down every plausible domain they invent that you do not own. That list is your exposure. The high-value fabrications — the ones that look most like a real login or storefront — are worth registering defensively yourself, the same way careful brands already register the obvious typosquats. You cannot register 250,000 domains, but you can register the dangerous dozen the models keep inventing.
Monitor for registration of the rest. You do not have to own every phantom domain to defend against it; you have to know the instant one gets claimed and pointed at a phishing kit. Newly-registered domains that echo your brand, especially ones the models actively hallucinate, belong on a watch list and, once confirmed malicious, in your block feed and your takedown queue.
And on the developer side, treat AI-suggested dependencies as untrusted until verified. If a coding assistant recommends a package, confirm it actually exists, is the maintainer you expect, and has a history — do not let an agent install a hallucinated import into a build. Pin dependencies, use a private registry mirror where you can, and never let "the AI suggested it" stand in for "we checked it."
Why we are naming this now
Phantom Squatting is early — the Unit 42 work maps a vast attack surface and documents real malicious use, but this is the opening phase of the technique, not its peak. That is exactly when it is worth acting, because the field of unclaimed hallucinated domains is enormous and mostly unregistered right now, which means the defensive registration and monitoring that will be table stakes in a year is cheap and available today. We will cap it at ninety-five percent as always — hallucination patterns shift as models change, and no enumeration is complete. But the structure is clear, and it is a structure we are unusually positioned to defend, because we already measure the hallucination and already catch the domain. The AI made up an address for your brand. Someone is going to own it. It should be you, or at least it should be on your watch list before it is on a victim's browser.
Her name was Renee Nicole Good.
His name was Alex Jeffery Pretti.
