
AI Models Hallucinated 40,000 Fake Domains. Attackers Registered Them.

What Happened

Large language models (LLMs) often generate fake web domains when users request brand recommendations or technical documentation links. These hallucinated domains—plausible-sounding URLs that don't exist—create a new attack vector called "phantom squatting."

Attackers monitor LLM outputs, identify frequently hallucinated domains, and register them before the actual companies do. When users click on AI-generated links, they are directed to attacker-controlled sites. This threat goes beyond phishing; attackers can serve malicious packages, intercept credentials, or inject supply chain compromises into workflows.

The core issue isn't a software bug but a fundamental trait of LLMs—they predict plausible sequences without verifying existence. When a model suggests "download-pytorch-models.com" or "npm-security-tools.io," it's creating a domain name that fits linguistic patterns but isn't real.

Timeline

This is an ongoing exposure:

Current State: LLMs hallucinate domains in response to common queries about brands, tools, and services. This behavior is consistent across major platforms.

Attack Window: The time between a model first hallucinating a domain and someone registering it. For popular brands, this window can be hours or days; for niche queries, weeks or months.

Detection Lag: Most organizations don't monitor domains LLMs hallucinate in their name. You might not know about a phantom domain until a user reports it or it appears in threat intelligence feeds.

Which Controls Failed or Were Missing

Input Validation and Output Verification: No validation layer exists between LLM output and user action. When your AI assistant generates a URL, nothing verifies that it resolves to your organization or a trusted partner.

Supply Chain Vetting: Development teams trust LLM-generated package names and URLs without verification. If your AI coding assistant suggests "pip install security-scanner-pro" with a link to a hallucinated PyPI mirror, your build pipeline might fetch it automatically.

Brand Monitoring: Traditional domain monitoring watches for typosquatting but doesn't catch domains that might be hallucinated into existence by AI models.

User Education Gaps: Your security training covers phishing but likely doesn't cover verifying URLs generated by AI.

Third-Party Risk Assessment: When evaluating vendors, you likely haven't asked: "What domains do LLMs hallucinate when users query your product name?"

What the Relevant Standard Requires

ISO/IEC 27001:2022 Annex A.5.23 requires identifying and managing risks from third-party services like LLMs. If you're using them in applications, you need documented risk assessment and mitigation controls.

NIST Cybersecurity Framework v2.0 ID.RA-1 applies here. A domain that an LLM might hallucinate in your organization's name is a potential vulnerability. You need a process to identify these exposures.

PCI DSS v4.0.1 Requirement 6.3.2 doesn't explicitly mention LLM hallucinations, but the principle extends: if you're building applications that incorporate LLM outputs, you're responsible for validating that output.

OWASP Top 10 for LLMs lists "LLM10: Model Theft and Manipulation" and related supply chain risks. While not a compliance standard, it provides a framework for AI-specific vulnerabilities.

Lessons and Action Items for Your Team

Implement URL Verification for AI Outputs: If you're using LLMs, add a validation layer. Verify URLs resolve to expected domains before displaying them to users. Maintain a whitelist of legitimate domains.

Monitor What LLMs Say About Your Brand: Query major LLM platforms with your product names and document generated domains. Register plausible ones defensively or monitor them for third-party registration.

Update Your Supply Chain Verification: Add verification steps to your build pipeline. Check that package sources match your approved list. Require manual review for new dependencies.

Extend Security Awareness Training: Add a module on AI-generated content risks. Teach your team to verify URLs before clicking, even from trusted tools.

Review Vendor AI Usage: Ask vendors what LLMs they use and how they validate AI-generated outputs. If a vendor's chatbot is hallucinating domains, that's your risk too.

Document Your AI Risk Register: Include phantom squatting alongside other AI-related vulnerabilities. Assign ownership and review frequency.

Defensive Domain Registration: Proactively register common hallucination patterns for critical brands and products. Redirect them to your legitimate properties.
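The three technical action items above (a verification layer on AI outputs, a watchlist of what LLMs say about your brand, and package-source checks in the build pipeline) share one small piece of logic: extract the host an LLM-generated URL would actually send a user to, then compare it against what you own or trust. The block below is an added example, not code from the article; it assumes the organization maintains an allowlist of trusted domains and an allowlist of approved package indexes (both constructed here), and the LLM reply and requirements file it processes are constructed samples that reuse the hallucinated names the article mentions. It rejects URLs that carry userinfo (where `https://pytorch.org@evil.test/` actually points at `evil.test`) and compares hostnames in punycode so a lookalike internationalized name never string-matches a trusted one.

```python
"""Validation layer for LLM-generated links and package sources.

Added example, not code from the article. Assumptions (not from the article):
the organization keeps (1) an allowlist of domains it owns or trusts and
(2) an allowlist of package indexes its build pipeline may fetch from.
All sample data below is constructed.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed allowlists (assumption: maintained by the security team).
TRUSTED_DOMAINS = {"pytorch.org", "pypi.org", "example.com"}
APPROVED_INDEXES = {"https://pypi.org/simple", "https://packages.example.com/simple"}

_URL_RE = re.compile(r"""https?://[^\s<>"'()\[\]]+""")
_INDEX_RE = re.compile(r"^--(?:extra-)?index-url(?:=|\s+)(\S+)")
_DIRECT_RE = re.compile(r"^[A-Za-z0-9._-]+\s*@\s*(https?://\S+)")


def registrable_host(url):
    """Return the normalized hostname of url, or None if it is malformed or
    carries userinfo (e.g. 'https://pytorch.org@evil.test/' goes to evil.test)."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.username is not None or parts.password is not None:
        return None
    host = parts.hostname.rstrip(".").lower()
    try:
        # Compare in punycode so a lookalike IDN never string-matches a trusted name.
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def host_allowed(host, allowlist=TRUSTED_DOMAINS):
    """True for an allowlisted domain or any subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in allowlist)


def verify_llm_text(text, allowlist=TRUSTED_DOMAINS):
    """Classify every URL in an LLM reply as 'allowed' or 'blocked'.
    Only 'allowed' URLs should be rendered as clickable links."""
    report = []
    for url in _URL_RE.findall(text):
        url = url.rstrip(".,;:!?")  # trailing sentence punctuation is not part of the URL
        host = registrable_host(url)
        ok = host is not None and host_allowed(host, allowlist)
        report.append((url, host, "allowed" if ok else "blocked"))
    return report


def phantom_watchlist(replies, allowlist=TRUSTED_DOMAINS):
    """Count blocked hosts across many LLM replies: the ones that recur are the
    candidates to monitor for third-party registration or to register defensively."""
    counts = Counter()
    for reply in replies:
        for _url, host, status in verify_llm_text(reply, allowlist):
            if status == "blocked" and host is not None:
                counts[host] += 1
    return counts


def unapproved_sources(requirements_text, approved=APPROVED_INDEXES,
                       allowlist=TRUSTED_DOMAINS):
    """Return URLs in a pip requirements file that fall outside policy: index
    options not in the approved set, and direct-URL requirements whose host
    is not allowlisted. Such a file should fail review before any fetch."""
    approved = {u.rstrip("/") for u in approved}
    flagged = []
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = _INDEX_RE.match(line)
        if m:
            if m.group(1).rstrip("/") not in approved:
                flagged.append(m.group(1))
            continue
        m = _DIRECT_RE.match(line)
        if m:
            host = registrable_host(m.group(1))
            if host is None or not host_allowed(host, allowlist):
                flagged.append(m.group(1))
    return flagged


# Constructed sample data reusing the hallucinated names the article mentions.
SAMPLE_REPLY = (
    "Download the weights from https://download-pytorch-models.com/resnet50 "
    "or the official mirror https://download.pytorch.org/models/. "
    "Docs: https://pytorch.org@evil.test/docs and https://docs.pytorch.org/."
)
SAMPLE_REQUIREMENTS = """\
--index-url https://pypi.org/simple
--extra-index-url https://npm-security-tools.io/simple   # suggested by an assistant
requests==2.32.3
security-scanner-pro @ https://download-pytorch-models.com/dist/ssp-1.0.tar.gz
"""

if __name__ == "__main__":
    for entry in verify_llm_text(SAMPLE_REPLY):
        print(entry)
    print(phantom_watchlist([SAMPLE_REPLY, SAMPLE_REPLY]))
    print(unapproved_sources(SAMPLE_REQUIREMENTS))
```

The check is deliberately an allowlist comparison rather than a DNS lookup: resolving a hallucinated name only tells you whether someone has registered it yet, and an attacker's registration resolves just as well as yours. Feed `phantom_watchlist` the responses you collect when querying LLM platforms with your product names, and wire `unapproved_sources` into the same pipeline stage that gates new dependencies.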

You can't stop LLMs from hallucinating domains, but you can prevent those hallucinations from becoming attack infrastructure. Start with verification layers on your AI implementations, then expand to monitoring and defensive registration. Make your attack surface visible.
