
When AI Invents a Web Address, Attackers Buy It First


By Yonatan Hoorizadeh — CISSP, CISM, CRISC, AAISM

Published By: Purple Shield Security

Published: July 2, 2026

Last updated: July 2, 2026

AI chatbots routinely make up website addresses that don't exist. Attackers now register those invented domains and host phishing pages on them, catching anyone the AI sends there. Palo Alto Networks' Unit 42 found 13,229 confirmed malicious URLs and about 250,000 unclaimed invented domains inside 2.1 million AI-generated links.

Ask a chatbot for a company's login page and it will confidently give you a link. Most of the time the link is real. Sometimes it isn't. New research from Palo Alto Networks' Unit 42 shows that the ones that aren't real have become a business for criminals, who register the made-up addresses before anyone else and wait for the traffic to arrive.


The uncomfortable part for anyone rolling out AI tools at work: the tool doesn't hesitate, and neither does the employee who trusts it.


What is phantom squatting?


Phantom squatting is when attackers register web domains that AI models invent, then host phishing or malware on them to catch users the AI points there. Unit 42 coined the term in research published July 1, 2026. Because a language model can hallucinate a plausible-but-fake address for a real brand, whoever buys that address first inherits the trust the user placed in the AI's answer.


To measure the scale, Unit 42 asked two AI models 685,339 questions about 913 well-known brands across technology, finance, healthcare, government, and other sectors. The models produced 2.1 million links. According to Unit 42, threat intelligence already flagged 13,229 of them as outright malicious, meaning the AI was handing out known-bad addresses. Another 250,000 or so of the invented domains had no owner at all, each one available for whoever registers it first.

One detail makes this hard to dismiss as a glitch. The fake domains weren't sitting in the training data. Unit 42 noted the vector "exploits a structural property of LLM architectures that remains inherently unpatchable." In plain terms: the models guess addresses from language patterns, they guess consistently, and different models often invent the same fake domain for the same question. That predictability is exactly what makes an attacker's next target easy to line up in advance.


Why does this matter to your business?


It matters because model output is quietly becoming input your staff act on without checking. An employee asks an AI assistant for a vendor's portal, a finance clerk asks for a bank's login, a developer pastes an AI-suggested URL into code. If any of those lands on a registered phantom domain, the credentials go straight to an attacker, with no phishing email and no malicious ad in the chain.


The reason the old defenses don't catch it is reputation. Blocklists, threat feeds, and domain-reputation scores all need a site to misbehave for a while before they flag it. A freshly registered phantom domain has no track record, so those filters have nothing to act on. By the time they catch up, the user has already been sent there by a tool they trust. This is the same reason a virtual Chief Information Security Officer (vCISO) treats AI adoption as a governance problem, not a tooling problem: the control that fails here is human trust, not a firewall rule.


There's a real-world cost attached. Unit 42 documented a case it named Montana Empire, where an attacker registered a hallucinated postal marketplace domain 23 days after Unit 42's own system predicted the models would invent it. The phishing kit copied the real storefront in real time and stole card numbers, bank transfer details, and national ID data. Attacker and defender reached the same fake domain the same way: by asking an AI.


How do attackers turn a hallucinated domain into a phishing site?


They watch for which domains a model reliably invents, register one before anyone claims it, and stand up a convincing brand clone on it. Because the models hallucinate the same addresses consistently, attackers can predict targets and buy in early, sometimes weeks ahead of use.


In a second case Unit 42 described, researchers flagged a hallucinated domain a full 51 days before an attacker registered it, wrapped it in a pixel-perfect brand clone, added a fake 4.8-star rating and a claim of over two million users, and used it to push a malicious Android app. Other invented domains impersonated a major UAE bank, a European bank, and sports betting sites. The lead time cuts both ways, which is the one piece of good news here: defenders who map the same likely domains can watch for anyone registering them.


Is this the same as slopsquatting?


Phantom squatting is the domain-name version of slopsquatting. Slopsquatting is when attackers register fake software package names that AI coding tools invent, so a developer who installs an AI-suggested dependency pulls in malware. Phantom squatting applies the same idea to website addresses instead of package names.


Slopsquatting is not hypothetical. A large USENIX study found code-generating models routinely suggest package names that don't exist, and the PhantomRaven campaign turned that behavior into malware hidden in 126 npm packages with more than 86,000 installs. The common thread across both is a shift every leader should sit with: AI output is becoming input, and people are acting on invented names and links before anyone verifies them.


What should your company do about AI-suggested links?


Treat anything a model produces as an unverified draft, not an authority, and put a verification step between AI output and any action that touches credentials, payments, or code. The fix here is mostly governance and habit, not a new product, which is why it tends to fall through the cracks at companies that think of AI risk as somebody else's job.


A few things worth putting in place this quarter. First, tell staff plainly that a link is not trustworthy just because an AI gave it, and that official domains get confirmed before anyone types a password. Second, constrain AI agents so they can't automatically open or download from model-generated links without a human check, since an agent has no instinct to hesitate the way a person might. Third, decide who actually owns AI risk internally before an incident forces the question.

That last point is where most mid-market companies stall. There's rarely a named owner for "what our AI tools are allowed to do," and the gap doesn't show up until something goes wrong. This is the practical case for vCISO services and fractional CISO services: a company that can't justify a full-time security executive still needs someone accountable for AI governance, verification policy, and the boring controls that keep invented links from turning into breaches. Purple Shield Security works with small and mid-market teams to put exactly that ownership in place.
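One way to put the verification step described above in front of an agent or chat front end, as an added example that is not from Unit 42 or Purple Shield Security: a link in model output is released only if it is HTTPS and its host matches a domain confirmed out of band, and everything else is held for a human. The allowlist, function names and sample text are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist: domains your organization has confirmed out of band.
# example.com and example.org are placeholders, not real vendor portals.
CONFIRMED_DOMAINS = {"example.com", "portal.example.org"}
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)

# Constructed model answer containing one good link and three that must be held.
SAMPLE = ("Sign in at https://login.example.com/signin. Other answers gave "
          "https://example.com.account-verify.test/login or "
          "https://example.com@phantom.test/ or http://example.com/.")


def normalized_host(url):
    """Return the lowercase ASCII host of url, or None if it cannot be parsed."""
    try:
        host = urlsplit(url).hostname  # drops userinfo ("brand@") and port
        if not host:
            return None
        # IDNA-encode so Unicode lookalike letters become visible xn-- labels.
        return host.rstrip(".").encode("idna").decode("ascii").lower()
    except ValueError:  # malformed URL or un-encodable label: fail closed
        return None


def is_confirmed(host):
    """Exact match, or a subdomain matched on a label boundary."""
    return any(host == d or host.endswith("." + d) for d in CONFIRMED_DOMAINS)


def gate_model_output(text):
    """Split URLs found in model output into (allowed, held_for_review)."""
    allowed, held = [], []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:!?")  # sentence punctuation is not part of the link
        host = normalized_host(url)
        if url.lower().startswith("https://") and host and is_confirmed(host):
            allowed.append(url)
        else:
            held.append(url)  # unknown, lookalike, or plain-HTTP: human check
    return allowed, held


if __name__ == "__main__":
    ok, review = gate_model_output(SAMPLE)
    print("allowed:", ok)
    print("held for review:", review)
```

The gate fails closed: an invented domain that nobody has registered yet is held for the same reason a registered phishing clone is, so it does not depend on the reputation data that a fresh domain lacks.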


Frequently asked questions


Does this affect us if we don't build software?

Yes. You don't need developers to be exposed. Any employee who asks a chatbot for a vendor portal, a bank login, or a support page can be handed a phantom domain. The credential-theft risk applies to finance, HR, and operations staff using consumer AI assistants, not just engineering teams.


Can we just block AI tools to avoid this?

Blocking rarely works and usually pushes usage into the shadows. Staff will use personal accounts and phones instead, which removes your visibility entirely. A verification policy plus clear ownership of AI risk is more durable than a ban, and it's the approach a fractional CISO would typically recommend for a mid-market team.


How is this different from normal phishing?

Traditional phishing needs a lure: an email, a text, a malicious ad. Phantom squatting removes that step. The user goes looking for the site themselves and the AI sends them to the attacker's domain. There's no suspicious message to spot, which is why user-awareness training built around "don't click strange links" doesn't fully cover it.


Who owns this risk internally?

Ideally one named person or role: a CISO, a vCISO, or a designated owner of AI governance. The failure mode Unit 42's research exposes is a company where AI tools are everywhere and nobody owns the rules for trusting their output. If you can't name that owner today, that gap is the first thing to close.

AI tools are now part of how your staff find information, and attackers are already exploiting the addresses those tools invent. If you're not sure who owns AI governance at your company, or whether your team would pause before trusting an AI-supplied link, that's worth a conversation. Purple Shield Security provides vendor-neutral vCISO services and fractional CISO services to help small and mid-market businesses put that accountability in place before an incident does it for them.

 
 