This is an info Alert.
⌘K
  • Home
  • News
  • Blog
  • Releases
  • LLM history
  • Compare LLMs
  • Library
  • About
Sign in

A blog and notes on development. The easiest way to reach me is via the social links below.

Documents
Terms of UsePrivacy Policy
Contacts
talalaev.misha@gmail.com

© All rights reserved.

Hackers have learned to exploit LLM hallucinations to register “phantom domains”

Mikhail T. (Sh0ny)
Mikhail T. (Sh0ny)
5 июля 2026
  1. Home
  2. Blog
  3. Hackers have learned to exploit LLM hallucinations to register “phantom domains”
2 min read

In short

Researchers from Unit 42 at Palo Alto Networks have described a new class of attacks targeting the software supply chain: attackers register nonexistent but plausible domains in advance, which language models confidently generate in place of real brand addresses.

Unit 42, a division of Palo Alto Networks, has released a report on a new attack vector based on the tendency of large language models to hallucinate. LLMs regularly generate non-existent but plausible URLs for real brands, services, and APIs—and attackers have learned to “squat” on such addresses before they are officially registered.

This approach has been dubbed phantom squatting. The model itself generates a space of potential domain names, and the attacker simply needs to identify the most likely options and register them in advance. As a result, the domain initially appears legitimate to the AI but is already controlled by hackers.

The Scale of the Phenomenon

The researchers tested two LLMs on a dataset of 913 global brands, executing more than 685,000 queries. In response, the models generated approximately 2.1 million URLs, of which more than 809,000 turned out to be nonexistent domains. After normalization, this resulted in approximately 250,000 unique, potentially registrable “phantom” domains.

A key feature is the systematic nature of the errors. LLMs reproduce similar domain patterns for the same brands, forming a predictable “hallucination surface” that can be mapped in advance.

Real-World Incidents

The report describes a case involving the Montana Empire phishing kit: researchers predicted the domain 23 days before it was actually registered by an attacker, who also used AI tools to develop a phishing control panel.

An even longer cycle—51 days—was also recorded: a phantom domain was generated by the model, placed under monitoring, and then registered and used for phishing via a fake mobile app that mimicked a national postal delivery service.

Malicious Activity Statistics

Of the 2.1 million URLs in the sample:

  • approximately 0.61% are already associated with malicious activity—phishing, malicious downloads, and botnet infrastructure;
  • approximately 37% of links led to non-existent domains;
  • about 250,000 unique names are potentially available for pre-registration by attackers.

Why Traditional Protection Doesn’t Work

Traditional systems rely on domain history: registration date, reputation, and associated incidents. Phantom domains are “clean” from the start—they are created not as real infrastructure but as a product of LLM generation, and thus do not appear in traditional databases.

The integration of AI into corporate development poses a particular threat. If an LLM assistant suggests a URL for an API, webhook, or third-party service, the address may turn out to be completely fabricated. In CI/CD pipelines, such links can be triggered automatically—without human intervention.

The authors emphasize that the attack is particularly dangerous in agent-based AI systems, which not only suggest links but also automatically trigger them. Compromise occurs without traditional phishing—it is sufficient for the model to have generated and executed the request.

As a defense, the researchers propose proactive monitoring of the “hallucination surface”: tracking domains that models regularly generate before attackers can register them.

Source: iXBT.com

новостибезопасностьaillm
Liked this write-up? Get one like it in your inbox every week
​

Comments

(0)
​