AI Agents Are Hallucinating Fake Websites, and Hackers Are Buying Them First
Palo Alto Networks researchers have uncovered a new attack vector where artificial intelligence language models generate fake web addresses for legitimate companies, and adversaries are actively registering these nonexistent domains to intercept traffic from AI systems. The phenomenon, called "phantom squatting," represents a fundamental shift in how software supply chains can be compromised, moving beyond traditional attacks on code repositories and build tools.
How Are AI Models Creating Fake Websites?
When you ask an AI coding assistant for documentation links or API endpoints, the model often generates plausible-sounding web addresses that don't actually exist. A developer might ask for a benefits portal URL, and the AI confidently provides something like "hxxps://benefits.company-name.io/portal" (shown defanged). The problem: that domain was never registered by the actual company. It is a plausible-looking interpolation of naming patterns in the model's training data, not a real address.
Researchers analyzed 913 global brands and ran 685,339 URL queries across two different large language models (LLMs), AI systems trained on vast amounts of text to generate human-like responses. The queries produced 2.1 million URLs and revealed 13,229 confirmed malicious URLs already being exploited. More concerning, the team found approximately 250,000 hallucinated domains that remain unregistered, leaving them open for attackers to claim before defenders even know they exist.
Why Are Traditional Defenses Failing Against This Threat?
Conventional security tools like URL blocklists and threat intelligence feeds rely on detecting malicious activity after it happens. A domain needs to be observed in an active attack campaign, accumulate a reputation score, or appear in historical reports before it gets flagged as dangerous. Phantom domains bypass all of this because they're brand new when registered, carrying zero reputation history.
The attack works because AI systems are now active participants in software development workflows. Developers trust the URLs their AI assistants provide and integrate them directly into production code. Enterprise continuous integration and continuous delivery (CI/CD) pipelines, which automate software deployment, increasingly use AI assistants to recommend third-party service endpoints. When an AI generates a URL, downstream systems often execute requests against it without independent verification, treating the AI's output as authoritative.
How Does the Phantom Squatting Attack Actually Work?
Researchers identified a four-phase attack lifecycle that threat actors follow:
- Discovery Phase: Attackers systematically query AI models with realistic prompts to map which fake domains the models will generate for a target brand, building an inventory of potential attack targets.
- Registration Phase: Adversaries preemptively register the most valuable hallucinated domains before defenders can react, often completing registration and deploying malicious content within hours.
- Luring Phase: The AI model itself becomes the delivery mechanism, directing developers and autonomous agents to the attacker-controlled domain through its generated URLs.
- Bypass Phase: The fake domain carries no threat intelligence history, lacks blocklist entries, and appears legitimate because it matches the language patterns the AI model naturally produces.
One real-world case demonstrates the full attack cycle: an attacker used an AI coding assistant to build a complete phishing kit called Montana Empire. This kit targeted a domain that Palo Alto Networks' detection pipeline had identified as a high-risk hallucination target 23 days earlier, showing that researchers can sometimes predict which domains will be exploited before attackers even register them.
What Makes This Different From Previous Supply Chain Attacks?
For decades, software supply chain attacks focused on predictable targets: tampered build tools, malicious code dependencies, and compromised update servers. Defenders built protections around these known attack surfaces using package integrity checks, signed binaries, and dependency auditing tools. But this model no longer covers the whole attack surface, because LLMs are no longer peripheral utilities; they're now central to how developers work, and none of those controls inspect the URLs a model emits.
When an LLM produces a URL, that artifact may be ingested directly by autonomous AI agents that retrieve the resource, integrated by developers into production-grade code, suggested as the authoritative endpoint for third-party services, or included in documentation generated through large-scale automation. In each case, the LLM functions as a trusted supply chain dependency, making it susceptible to systematic exploitation.
Steps to Reduce Your Organization's Phantom Squatting Risk
- Verify AI-Generated URLs: Don't trust URLs generated by AI assistants without independent verification. Check that a domain is registered to the company it claims to represent, for example by comparing it against the company's published domains, before integrating it into code or configuration files. Registration alone proves nothing, since an attacker's phantom domain is registered too; the question is who owns it.
- Implement URL Filtering Beyond Reputation: Deploy security tools that can identify suspicious domains even when they carry no threat history, such as by flagging newly registered domains and brand-lookalike names, rather than relying solely on blocklists and reputation scores that require historical malicious activity.
- Add Guardrails to AI-Assisted Workflows: When using AI coding assistants or autonomous agents in CI/CD pipelines, establish approval workflows that require human review before AI-recommended endpoints are used in production systems.
- Monitor Brand Hallucinations: Proactively query your own brand against popular AI models to identify which fake domains the models generate, then monitor domain registration services to detect when adversaries claim these phantom domains.
- Establish Cross-Team Communication: Create processes where security teams share lists of hallucinated domains with development teams so engineers understand which AI-generated URLs represent genuine risks.
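The two checks above that can be automated, vetting URLs in an assistant's output before they reach code (the guardrail the CI/CD paragraph calls for) and watching a hallucinated-domain inventory for registrations, are sketched here as an added example. This is not code from the Palo Alto Networks research or any product; the allowlist, the `company-name` domains, the sample reply and the stand-in registration lookup are all constructed, and the multi-label suffix set is a deliberately tiny assumption where production code would use the real Public Suffix List and an RDAP/WHOIS query.

```python
"""Vet AI-generated URLs and watch a phantom-domain inventory.

Added example; not code from the research described on this page. The
allowlist, domains and sample inputs below are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Matches normal and defanged (hxxp/hxxps) URLs in free text.
URL_RE = re.compile(r"\bh(?:xx|tt)ps?://[^\s'\"<>)\]]+", re.IGNORECASE)

# Constructed allowlist: the domains the brand actually owns and publishes.
KNOWN_DOMAINS = {"company-name.com", "docs.company-name.com"}

# Tiny subset of multi-label public suffixes (assumption; use a real PSL in production).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def refang(url: str) -> str:
    """Turn hxxps:// back into https:// so urlparse sees a real scheme."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Return the apex domain: benefits.company-name.io -> company-name.io."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def extract_urls(text: str) -> list[str]:
    """Pull every URL (defanged or not) out of an AI assistant's reply."""
    return [refang(m.group(0).rstrip(".,;")) for m in URL_RE.finditer(text)]


def classify_url(url: str, known: set[str], is_registered) -> str:
    """Classify a URL's apex domain relative to the brand's known domains.

    is_registered(domain) -> bool is injected so the check runs offline; in
    production back it with RDAP/WHOIS (DNS resolution alone can miss a
    phantom that is registered but not yet pointed at a server).
    """
    host = urlparse(url).hostname or ""
    apex = registrable_domain(host)
    if apex in {registrable_domain(k) for k in known}:
        return "allowlisted"
    if is_registered(apex):
        return "registered-unknown"   # someone owns it, but not the brand: high risk
    return "unregistered"             # phantom: register it defensively or block it


def vet_ai_output(text: str, known: set[str], is_registered) -> dict[str, str]:
    """Map each URL in an AI reply to a verdict; only 'allowlisted' should reach code."""
    return {u: classify_url(u, known, is_registered) for u in extract_urls(text)}


def diff_inventory(previous: dict[str, bool], current: dict[str, bool]) -> list[str]:
    """Phantom domains that flipped from unregistered to registered since the last sweep."""
    return sorted(d for d, reg in current.items() if reg and not previous.get(d, False))


# --- constructed sample data -------------------------------------------------
SAMPLE_REPLY = (
    "Docs: https://docs.company-name.com/api. "
    "Benefits: hxxps://benefits.company-name.io/portal and "
    "status at https://company-name-status.net/."
)
# Stand-in for an RDAP/WHOIS lookup; an assumption for the example.
REGISTERED = {"company-name.com", "company-name-status.net"}


def sample_registered(domain: str) -> bool:
    return domain in REGISTERED


if __name__ == "__main__":
    for url, verdict in vet_ai_output(SAMPLE_REPLY, KNOWN_DOMAINS, sample_registered).items():
        print(f"{verdict:20} {url}")
    last_sweep = {"company-name.io": False, "company-name-status.net": False}
    this_sweep = {"company-name.io": False, "company-name-status.net": True}
    print("newly registered phantoms:", diff_inventory(last_sweep, this_sweep))
```

In a pipeline, `vet_ai_output` runs on the assistant's reply before any endpoint is written to config, and anything other than `allowlisted` is routed to human review; `diff_inventory` runs on a schedule over the list of domains your own brand-hallucination sweeps produced, so a phantom that an adversary claims shows up as an alert on the day it is registered rather than after it carries a reputation.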
The research reveals that this threat is not theoretical. Palo Alto Networks detected real-world exploitation across multiple sectors, with attackers operating at significant speed. In the Montana Empire case, the adversary had even staged the server-side phishing kit before registering the domain, demonstrating a highly optimized attack strategy.
As AI becomes more embedded in software development, the attack surface expands in ways traditional defenses weren't designed to address. The structural advantage of phantom squatting over legacy phishing is that the fake domain is born clean, matching the language patterns that make the AI's output seem legitimate in the first place.