When AI hallucinates a link, the scammer has already registered it: how 'HalluSquatting' is born

🕒 Published on Zendoric: July 15, 2026 · 08:41
A Business Standard video explains how cybercriminals exploit chatbot hallucinations—websites and software packages the AI makes up—to plant traps with identical names. The phenomenon, dubbed here 'Phantom Squatting' and 'HalluSquatting,' already has a documented precedent: 'slopsquatting' in code packages.
By Business Standard · July 15, 2026.
The original material is an explanatory video, brief and without detailed technical development, but the fact it points to deserves attention: AI chatbots not only make one-off errors, they sometimes "hallucinate" names of websites, brands or software packages that do not exist. The problem is that this invention does not stay in the chat. As the piece describes, attackers identify which invented names the models repeat most frequently —labeled here as "Phantom Squatting" and "HalluSquatting"— and register those domains or publish those fake packages in advance, waiting for a user (or a developer) to copy and paste what the chatbot recommended without verifying it.
As sector context, this dynamic is not an isolated oddity: in programming it has long been known as "slopsquatting," and several security studies have shown that language models, when generating code, recommend with some regularity libraries that simply do not exist in the official repositories. All it takes is for an attacker to register that nonexistent library under the same name and add malicious code to it for any developer who blindly trusts their AI assistant's suggestion to unknowingly install a backdoor. The variant aimed at websites and brands that this video describes is the same logic applied to the end user: if the chatbot misremembers a support URL or a download link, phishing already has the ground prepared.
Our reading is that this type of attack fits a pattern we have been flagging in cybersecurity: the immediate risk from AI does not come from science-fiction scenarios but from the cheap automation of everyday fraud exploiting very specific blind spots —in this case, models' tendency to fill knowledge gaps with plausible but false answers instead of admitting they do not know. It is a design problem (how models are trained and verified) as much as one of usage hygiene (verifying links and packages before running them), and it will foreseeably push AI makers and domain/package registrars to reinforce preventive controls, such as automatically blocking or monitoring names that the models themselves frequently hallucinate.
In the long term, this does not change our underlying thesis: the very AI that generates this vulnerability today is also the most effective tool to detect and neutralize it at scale —analyzing hallucination patterns, verifying that packages actually exist before suggesting them, or flagging suspicious domains in real time. But in the short term, the lesson is simple and requires waiting for no breakthrough: do not blindly trust a link, a library or a support contact just because a chatbot wrote it with confidence.
🔗 Related on Zendoric
- When the patient arrives at therapy with their chatbot: the APA flags a dynamic the profession cannot ignore · 2026-06-30
- Relationships with AI are already a real social phenomenon, not science fiction: the question is how to govern the risk · 2026-07-02
- Cloudflare and AWS put a price on the web: agentic AI starts paying for every click it makes · 2026-07-14


