The phantom squatting attack lifecycle across four phases | Image: Unit 42
| At a glance | Details |
|---|---|
| Activity type | Phantom squatting: registering AI hallucinated domains for phishing and malware |
| Actors | Multiple suspected threat actors, including the “Montana Empire” phishing kit operator |
| Targets | Customers of postal services, banks, and betting platforms across 913 monitored brands |
| Scale | 13,229 confirmed malicious URLs; roughly 250,000 unregistered phantom domains |
| Law-enforcement status | Active in the wild; no arrests or charges announced |
| Source | Palo Alto Networks Unit 42 |
TL;DR
Palo Alto Networks Unit 42 has confirmed that criminals are actively weaponizing phantom squatting. The technique turns AI chatbot mistakes into live attack infrastructure. Attackers register the fake web addresses that large language models invent for real brands. Then they simply wait, because trusted AI assistants keep steering victims toward those AI hallucinated domains.
What Happened
LLMs routinely invent plausible domains for portals, APIs, and login pages that were never registered. According to the team’s newly published phantom squatting research, adversaries now register these domains before defenders can react. As a result, the AI assistant itself becomes the delivery mechanism. No phishing email is needed. The victim simply follows a confident recommendation from a tool their organization already trusts.
Unit 42 stresses that phantom domains defeat reputation-based defenses. A freshly registered domain carries “no threat intelligence history” and looks clean to URL filters. Moreover, blocklists cannot flag infrastructure that nobody has reported yet.
The Montana Empire Case
The standout case involves a phishing kit named Montana Empire. On March 8, 2026, Unit 42’s discovery pipeline flagged a hallucinated domain mimicking a national postal marketplace. Twenty-three days later, an attacker registered that exact domain and deployed the kit. Forensic review of the server also revealed an AI coding assistant project directory. In other words, the attacker used AI to build the kit, while a different AI predicted the domain. The kit’s admin panel even displayed the Turkish motto “Kimseye Güvenme,” meaning trust no one. Operators relayed one-time passcodes and rotated bank account numbers through a Telegram control channel.
Who Is Behind It
Unit 42 has not named a specific group, and authorities have announced no arrests. Instead, the evidence points to several unrelated actors. For example, one suspected operator registered two betting-themed phantom domains within an 18-minute window. Both sites displayed Bengali-language content and processed Bangladeshi Taka, which suggests a regionally focused campaign. Another case involved a suspected credential harvester impersonating a major UAE bank. That domain had allegedly operated for nearly a year before the pipeline independently generated the same address. Attribution rests on infrastructure overlap, so confidence beyond that remains limited.
Impact and Scale
The measured attack surface is enormous. Unit 42 fired 685,339 prompts at two LLMs and collected 2.1 million unique URLs. Roughly 37% pointed to domains that do not exist. After normalization, those errors collapsed into about 250,000 registerable phantom domains. Among live links, malware dominated the malicious set at 67.2%, followed by phishing at 16.2%. Notably, command-and-control infrastructure made up 3%, a direct threat to autonomous AI agents that fetch URLs without human review.
Model choice matters as well. One model hallucinated nonexistent domains at a 44.6% rate, compared with 27.5% for the other. Higher creativity settings pushed hallucination rates up further. However, the share of confirmed malicious links stayed stable near 0.6% across every configuration.
What Comes Next
Phantom squatting cuts both ways, because hallucinations are predictable. Unit 42 anticipated attacker registrations 18 to 51 days in advance by watching its phantom domain watchlist. That lead time gives defenders a rare head start. The report closes with a blunt warning: the question is “whether defenders or adversaries will act first.”
How to Stay Protected
Teams should treat every AI-suggested URL as untrusted input. Verify domains against official documentation before use. Additionally, brands can map their own hallucination surface and defensively register high-risk names. Security teams should also restrict outbound requests from autonomous agents and monitor new registrations that mimic their brand. Finally, developers must never paste AI-generated endpoints into production code without checking ownership first.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.