Phantom Squatting Lets Hackers Buy the Fake Websites Your AI Invents

Your AI assistant just sent you to a login page that did not exist a few weeks ago, and the person who registered it is already collecting the passwords people type in.
You trust the link because it came from your AI. That trust is the attack itself, and it works without a single phishing email.
It has a name now: phantom squatting. Security researchers wrote it up this week. The idea is simple once you see it.
When you ask an AI for a support page, a login portal, or a download link, it does not go and check whether that address exists. It guesses what the address probably looks like, the same way it guesses the next word in a sentence, and hands you a clean, professional looking link. Often it is right. Sometimes the address is completely made up, a domain that was never registered.
Attackers worked out that these made-up addresses are predictable. Ask the same kind of question and the model keeps inventing the same fake domain. So the attacker registers it first, for a few dollars, puts a phishing page on it, and waits for the AI to send people over.
And it barely costs anything. Nearly half of the domains attackers register for this kind of abuse go for two dollars or less, some for under a dollar, sometimes paid with a stolen card.
Because the attacker can see in advance which address the AI will recommend, they do not have to register thousands of lookalikes and hope someone slips. They register the few the AI keeps handing out. A phishing page costs next to nothing to host, and whatever it grabs can be sent straight out through free messaging tools. A couple of dollars in, and one working campaign pays for itself many times over in stolen cards and logins.
The numbers from the study:
- 685,339 questions asked to two AI models, across 913 well-known brands
- 2.1 million web addresses generated inside the answers
- 13,229 of those already pointed at known malicious sites, mostly malware and phishing
- around 250,000 of the invented domains had no owner yet, sitting there for whoever registers them first
These models have a setting that controls how predictable or how creative the answers come out. Turn it toward creative and the AI makes up more of these fake addresses. The ones to worry about, though, are the addresses that keep coming back even on the most careful, factual setting. Those are the ones the AI serves a normal user as good as fact, and those are the ones an attacker registers first.
Your security tools should catch a site like this. Most of them cannot, because they go on reputation. A website has to get caught doing something bad before it lands on a blocklist. A phantom domain has no past to catch. It has never done a thing.
The moment the attacker switches it on, there is nothing to flag it on. No blocklist has heard of it yet. Researchers call this the zero-reputation bypass. The site looks clean because the name came out of the AI itself, the same place the rest of the answer came from. By the time the security tools catch up, the AI has already sent people there.
Phantom squatting did not appear out of nowhere. It is the domain version of a trick that already has a track record with software packages, and that older trick is called slopsquatting.
When you write code with an AI assistant and ask it to pull in a library, it sometimes recommends a package that does not exist. Same trick as the fake domains. The model makes up a name that sounds right.
A study presented at USENIX Security 2025 put 16 code-writing models to work and looked at the packages they suggested across 576,000 pieces of code. Of the 2.23 million suggestions that came out, 19.7 percent pointed to a package that did not exist. That is 205,474 different made-up names.
And they were not random. When the researchers asked the same question ten times, 43 percent of the fake names came back in all ten runs. A name the model keeps inventing is a name worth registering.
It goes further than one model repeating itself. Different AI models, from different companies, make up the same name on their own. When several of them agree on an address that was never registered, that address becomes a near-certain target.
The proof that this works came earlier. In 2024, a security researcher named Bar Lanyado noticed AI models kept recommending a Python package called huggingface-cli. The genuine tool installs a different way.
The correct command:
| |
The one the AI kept inventing:
| |
Lanyado uploaded an empty package under that invented name, just to see what would happen. It was downloaded more than 30,000 times in three months. Developers at large companies, including Alibaba, had copied the fake install command straight into their own project instructions. The package was harmless because he made it harmless. A malicious copy would have carried a payload, and it would have landed on tens of thousands of machines.
It gets worse once AI agents are doing the work. In January 2026, researchers found a made-up package name, react-codeshift, spreading on its own through the tools developers use. No hacker put it there. It traced back to a batch of 47 AI-generated files that shipped without review.
A person might notice a strange command and stop. An agent just runs it. And some of these fake addresses do not lead to a login page at all. They lead straight to the servers attackers use to run their malware, so an agent that opens one is talking to the attacker with nothing in between.
Researchers caught one case that shows the full circle. On March 8, 2026, their system predicted a fake domain for a national postal service’s online shop. Twenty-three days later, on March 31, an attacker registered that exact domain and put a phishing kit on it. When the researchers pulled the kit apart, they found the attacker had built it with an AI coding assistant. So the defenders found the address through AI, the attacker built the attack through AI, and both landed on the same made-up domain.
The kit had a name, Montana Empire, and whoever built it knew what they were doing. It copied the live storefront so it stayed identical, grabbed credit card and bank details, passed one-time codes to the attacker through a Telegram bot as they came in, and its control panel even carried a message meaning trust no one.
You might expect the AI companies to just fix this. The models have improved since 2024 and they make up fewer of these fake names than they used to.
But researchers ran the test again in 2026 on five of the newest models, from five different companies. All five made up the same 127 package names. Sharper models, and still the same shared mistake.
The problem has not gone away, and it is not going to, because it is not a bug sitting in the code. It comes from the way a language model works. It predicts what an address should look like, and it does not check whether that address exists. As long as that stays true, it keeps handing out believable addresses that were never registered. And the more AI tools people lean on, the more targets there are to grab.
So what do you do about this?
For everyday AI users:
- Do not trust a link just because the AI gave it to you
- Check the domain is the official one before you type a password or paste it anywhere
- Type important addresses yourself instead of clicking the generated one
- Do not let AI agents open or download from generated links without you looking first
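One way to enforce these checks before an agent opens a link, and to work around the zero-reputation gap described earlier, is to allowlist official domains and treat registration age as a signal. This is an added example, not code from the study or from any tool named here; the allowlist, the 90-day threshold, the `.example` domains and the sample RDAP records are all assumptions, and the RDAP lookup itself is left to the caller.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

OFFICIAL_DOMAINS = {"postshop.example"}  # assumption: hand-verified allowlist
MIN_AGE_DAYS = 90                        # assumption: tune to your own risk
URL_RE = re.compile(r"https?://[^\s<>)\]]+")


def is_official(host):
    """True only for an allowlisted domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def registered_on(rdap):
    """Registration time from an RDAP domain object's 'events' (RFC 9083)."""
    for event in rdap.get("events", []):
        if event.get("eventAction") == "registration":
            return datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
    return None


def gate_link(url, rdap, now):
    """Verdict for one link; rdap is None when the registry has no such domain."""
    if is_official(urlsplit(url).hostname or ""):
        return "allow"
    if rdap is None:
        return "block: domain is not registered"
    created = registered_on(rdap)
    if created is None or (now - created).days < MIN_AGE_DAYS:
        return "hold: registration is recent or undated"
    return "review: not on the official list"


def gate_answer(text, rdap_by_host, now):
    """Gate every link in a model answer; returns {url: verdict}."""
    verdicts = {}
    for url in (u.rstrip(".,;") for u in URL_RE.findall(text)):
        host = (urlsplit(url).hostname or "").lower()
        verdicts[url] = gate_link(url, rdap_by_host.get(host), now)
    return verdicts

# Constructed sample: a model answer and the RDAP data a lookup might return.
ANSWER = ("Track parcels at https://www.postshop.example/track or sign in at "
          "https://postshop-login.example/account. Help: https://postshop-help.example/")
RDAP = {"postshop-login.example": {"events": [
    {"eventAction": "registration", "eventDate": "2026-03-31T00:00:00Z"}]}}
NOW = datetime(2026, 4, 5, tzinfo=timezone.utc)
```

Only the allowlisted host gets through without a human; a name that merely contains the brand is held or blocked regardless of how clean its reputation looks.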
For developers:
- Before you install a package an AI suggested, confirm it exists and check who published it
- Look at the publish date and download history, a brand new package with a familiar name is a warning sign
- Use lockfiles so nothing new slips into a build without review
- Run pip-audit or npm audit in your pipeline before you merge
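The first three checks can be scripted as a pre-install gate. This is an added example, not code from the studies cited above: it assumes the caller has already fetched each package's metadata in the shape of PyPI's JSON API (`info`, `releases`, `upload_time_iso_8601`), passing `None` when the index answers 404. The thresholds, the `fastjson_utils` name and the sample record are constructed.

```python
import re
import shlex
from datetime import datetime, timezone

MIN_AGE_DAYS = 90   # assumed threshold
MIN_RELEASES = 3    # assumed threshold


def normalize(name):
    """PEP 503 normalisation, so Foo_Bar and foo-bar compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def names_from_pip(cmd):
    """Package names in a 'pip install' line; extras, pins and flags dropped."""
    args = shlex.split(cmd)
    if args[:2] != ["pip", "install"]:
        return []
    # Flags that take a value (for example -r FILE) are not handled here.
    return [normalize(re.split(r"[\[<>=!~;]", a)[0])
            for a in args[2:] if not a.startswith("-")]


def first_upload(meta):
    """Earliest file upload time across all releases, or None."""
    stamps = [f["upload_time_iso_8601"]
              for files in meta["releases"].values() for f in files]
    return min((datetime.fromisoformat(s.replace("Z", "+00:00")) for s in stamps),
               default=None)


def vet(name, meta, locked, now):
    """Findings for one suggested package; meta is None when the index says 404."""
    if normalize(name) in locked:
        return ["ok: already pinned in the lockfile"]
    if meta is None:
        return ["block: no such package on the index"]
    findings = []
    created = first_upload(meta)
    if created is None or (now - created).days < MIN_AGE_DAYS:
        findings.append("hold: first upload is recent or missing")
    if len(meta["releases"]) < MIN_RELEASES:
        findings.append(f"hold: only {len(meta['releases'])} release(s)")
    findings.append(f"verify publisher: {meta['info'].get('author') or 'not stated'}")
    return findings

# Constructed sample, not real index data: one brand new package, one lockfile entry.
LOCKED = {"requests"}
NEW_PKG = {"info": {"author": ""},
           "releases": {"0.0.1": [{"upload_time_iso_8601": "2026-03-28T00:00:00Z"}]}}
NOW = datetime(2026, 4, 5, tzinfo=timezone.utc)
```

A name that is missing from the index is blocked rather than installed later, because a suggested name that does not exist today can be claimed by anyone tomorrow.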
The pattern behind these attacks is the same. The AI sounds sure of itself, the name looks right, and a name that looks right and sounds sure is what gets copied without a second look. That habit is what the attackers are counting on.
This is the kind of thing I break down in my ethical hacking course. How attackers think, how they find the gap between what looks safe and what is safe, and how to spot it before it costs you. You also learn to check a domain the way an investigator does, using WHOIS lookups that show who registered it and when, so a freshly bought lookalike gives itself away.
Hacking is not a hobby but a way of life.