Unit 42 finds 13,000 live phishing domains LLMs hallucinate into existence
Palo Alto Networks researchers documented attackers registering domains that large language models frequently invent, turning AI hallucinations into phishing infrastructure without needing to lure victims.

Unit 42, the threat intelligence team at Palo Alto Networks, documented a new fraud vector called "phantom squatting" in which attackers register domain names that large language models hallucinate when users ask for URLs. The technique exploits the tendency of LLMs to invent nonexistent addresses — often following predictable patterns like appending _download or _installer to legitimate domains — and turns those fabrications into phishing sites. The researchers identified more than 13,000 malicious domains already registered and live, each one a URL that models have repeatedly hallucinated in response to common queries.
The attack surface is enormous. Unit 42 found roughly 250,000 additional unregistered domains that models invent with regularity, a ready-made shopping list for scammers. Unlike typosquatting, which relies on users mistyping a URL themselves, phantom squatting requires no user error — the LLM delivers the bad link unprompted, and the victim clicks it believing the model retrieved a legitimate resource. The hallucinated domains often mimic software download pages, package repositories, or documentation sites, contexts where users expect to follow links without additional verification.
The findings arrive as enterprises integrate LLM-based search and retrieval into customer-facing workflows, often without guardrails that check whether a generated URL resolves to a known-good domain. Phantom squatting scales with model adoption: the more users rely on LLMs to surface links, the more traffic flows to these phantom sites. Unit 42's dataset shows attackers are already monetizing the pattern, with phishing kits, malware droppers, and credential harvesters hosted on domains that exist solely because a model invented them.
Defenses are still nascent. Real-time URL validation layers could flag domains not present in curated allowlists, though that risks breaking legitimate new sites. Model providers could train on negative examples — penalizing hallucinated URLs during fine-tuning — but the 250,000-domain backlog suggests the problem is already too distributed for any single mitigation to solve cleanly. Browser vendors and enterprise security suites will likely begin shipping phantom-domain blocklists in the coming months, and the first lawsuits naming model providers as liable parties when users land on malware via a hallucinated link may not be far behind.
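The allowlist check described above, as an added example (not Unit 42's or any vendor's code): it extracts URLs from model output, resolves the host a browser would actually contact, and withholds links whose host is not on the list. The allowlist contents, function names and sample text are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: a curated set of trusted registrable domains for this deployment.
ALLOWLIST = frozenset({"python.org", "github.com"})
URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)

def hostname(url):
    """Return the lowercased host a browser would contact, or None if unparsable."""
    try:
        host = urlsplit(url).hostname  # ignores any 'user@' prefix in the authority
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    return host.rstrip(".") if host else None

def is_allowed(host, allowlist=ALLOWLIST):
    """Exact match or true subdomain; 'github.com.cdn.example' does not pass."""
    return host is not None and any(
        host == d or host.endswith("." + d) for d in allowlist
    )

def check_urls(text, allowlist=ALLOWLIST):
    """Return [(url, host, allowed)] for every http(s) URL in model output."""
    results = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:!?")  # drop sentence punctuation
        host = hostname(url)
        results.append((url, host, is_allowed(host, allowlist)))
    return results

def withhold_unverified(text, allowlist=ALLOWLIST):
    """Replace non-allowlisted links with a marker instead of rendering them."""
    def repl(match):
        raw = match.group(0)
        url = raw.rstrip(".,;:!?")
        host = hostname(url)
        if is_allowed(host, allowlist):
            return raw
        return f"[link withheld: unverified domain {host}]" + raw[len(url):]
    return URL_RE.sub(repl, text)

# Constructed model output; the .example hosts are placeholders, not real sites.
SAMPLE = (
    "Download from https://www.python.org/downloads/ or the mirror at "
    "https://python-installer.example/get. Source: "
    "https://github.com@python-download.example/psf and "
    "https://github.com.cdn.example/x"
)
```

Withholding a link with a visible marker, rather than silently dropping it, leaves room for a review path when a legitimate new site is missing from the allowlist.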


