The AI Invented 250,000 Fake Websites — Crooks Are Buying Them Before You Can

:ghost: The AI Made Up 250,000 Fake Websites — Hackers Are Buying Them Before You Can

Ask a chatbot for a company’s website. Sometimes it invents an address that doesn’t exist. Turns out crooks are camping on those made-up addresses waiting for you to walk in.

913 brands tested → 2.1 MILLION web addresses spat out → ~250,000 of them totally fake and up for grabs → hackers get an 18-to-51 day head start.

Palo Alto’s security crew (Unit 42) calls it “phantom squatting.” Full breakdown here: Unit 42 report · The Hacker News writeup

Look, here’s the thing. When you ask a chatbot “what’s the website for Brand X,” it doesn’t always know. Sometimes it just… guesses. Makes up a web address that sounds right. Feels right. And is 100% fake.

Now imagine thousands of people asking that same question every day, and the bot spits out the same fake address every time. That fake address is now a goldmine — because a pile of humans are gonna go there. The bad guys figured this out. They buy the fake address, throw up a fake login page, and just wait. You show up thinking it’s legit. You type your password. Game over.

Real talk: this is one of the cleanest scams I’ve seen in a minute. And there’s a legal way to flip it, which I’ll get to.

🧩 Dumb Mode Dictionary (read this first, takes 20 seconds)

| Fancy Word | What It Actually Means |
| --- | --- |
| Domain | A website address. Like nike.com. That’s it. |
| Hallucination | When AI confidently makes up something that isn’t true. Here: inventing a website that doesn’t exist. |
| Phantom squatting | Buying a fake address the AI invented, then sitting on it to trap people. “Squatting” = camping on a property that’s not really yours. |
| Phishing kit | A ready-made fake login page in a box. Copy, paste, steal passwords. No skills needed. |
| Supply chain | The chain of tools/companies you trust without checking. One weak link and everyone downstream gets hit. |
| Temperature | An AI setting for how “creative” (random) it gets. They tested every setting — the fake address showed up on ALL of them. |

👻 So what actually happened? (the short version)

Unit 42 (the research arm of security giant Palo Alto Networks) ran a giant experiment. They asked two big AI systems about 913 real brands — over 685,000 questions total.

The bots coughed up 2.1 million web addresses. And here’s the kicker:

  • 13,229 were already flagged as dangerous.
  • Around 250,000 were completely made-up addresses that nobody owns yet — just sitting there, free to claim.

The AI keeps inventing the SAME fake addresses over and over. So crooks don’t have to guess. They just watch what the bot hallucinates, buy that address, and set the trap. Dark Reading called it a full-on supply chain threat.

🕵️ The one real case that'll make your skin crawl

There’s a phishing operation Unit 42 nicknamed “Montana Empire.”

  • March 8, 2026 — the AI systems hallucinate a fake address that looks like a national postal service’s shopping site. Same fake address, every setting, both AI brands.
  • March 31, 2026 — a crook registers that exact address and slaps a fake marketplace login page on it.
  • The crook even used an AI coding helper to build the fake page targeting the exact address the AI predicted. AI setting the trap for AI. Wild.

That’s a 23-day gap between “the AI started lying about this address” and “a criminal bought it.” In other cases the gap ran 18 to 51 days. (cybernews has more examples.)

That gap? That’s the whole story. Hold that thought.

📊 The receipts (numbers that matter)

| Thing | Number |
| --- | --- |
| Brands tested | 913 |
| Questions asked to AI | 685,339 |
| Web addresses the AI produced | 2.1 million |
| Already-dangerous ones | 13,229 |
| Made-up + unclaimed (up for grabs) | ~250,000 |
| Head-start hackers get | 18–51 days |
| AI settings the fake address showed up on | ALL of them |

Source: Unit 42’s full research and gbhackers coverage.

🗣️ What the timeline's saying
  • Security folks are calling it the natural evolution of “typosquatting” (buying gooogle.com to catch typos) — except now the AI does the typo for the victim.
  • The scary part everyone keeps repeating: the AI is consistent. It doesn’t hallucinate randomly. It hallucinates predictably. Which means the fake addresses are basically a leaked list of future crime scenes.
  • The hopeful part: because it’s predictable, the good guys can see it coming weeks early. SC Media laid this out clearly. And that’s exactly where regular people can step in.

Cool. The Robot’s Inventing Fake Websites and Crooks Are Camping On Them… Now What the Hell Do We Do? (ง •̀_•́)ง

Here’s the beautiful part. That 18-to-51 day gap means the AI tells you where the crime WILL happen before it happens. You don’t need to be a hacker. You need to be fast and first. Five ways to play it, none of them illegal:

🪟 The Head-Start Land Grab

The AI hallucinates the same fake addresses over and over. Anyone can go ask a free chatbot “what’s the website for [Brand]?” a hundred times and write down every address it invents. Then check which of those addresses are still unclaimed. The unclaimed ones are the empty houses hackers haven’t robbed yet.

You register the cheap ones ($10 each on Namecheap) and point them straight to the brand’s REAL website. You just protected their customers — and now you’ve got a conversation starter to sell them protection.

:brain: Example: A 24-year-old IT student in Nigeria asks free chatbots for the fake addresses of 40 local banks, finds 6 unclaimed hallucinated ones, buys them for ~$8 each, and emails each bank’s security team: “Your customers are being sent to this fake address I’m now holding. Want it? Let’s talk.” Two banks pay him a $400 “finder + transfer” fee each.

:chart_increasing: Timeline: First unclaimed address found in a weekend. Real money in 2–3 weeks. This window closes once brands start scanning for their own phantom addresses — probably 6–12 months. Move now.

📡 The Phantom Watchlist

Don’t buy anything. Just watch. Build a simple running list: pick one industry (say, crypto exchanges), ask the AI for each brand’s site repeatedly, log every fake address it invents, and check daily whether a stranger just registered one (free with whois lookups or domain-monitoring alerts).

The moment a hacker claims a phantom address, YOU already knew it was coming. That’s an early-warning feed worth money to the brand being impersonated.

:brain: Example: A 22-year-old in the Philippines tracks phantom addresses for 15 online casinos. When one gets registered by a shady party, he screenshots the fake login page going live and sells the “you’re being impersonated RIGHT NOW” alert to the casino’s affiliate manager for $250 a pop. Three alerts in a month.

:chart_increasing: Timeline: Setup in a few days. First paid alert within a month. Stays alive as long as you keep the watchlist fresh — burnout is the real enemy, not a patch.
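
The daily check from this section, as an added example (not code from the Unit 42 report or from this post): it compares day-by-day registration snapshots for a watchlist and raises one alert the day a phantom address flips to registered, with the lead time since the chatbot was first logged inventing it. All hostnames, dates and snapshot values are constructed, and the function name is hypothetical; how you obtain the registered/unregistered status (a whois lookup or a monitoring alert) is left to you and fed in as True/False, or None when the lookup failed.

```python
from datetime import date

# Constructed watchlist: phantom hostname -> first day a chatbot was logged inventing it.
FIRST_SEEN = {
    "shop-examplepost.example": date(2026, 3, 8),
    "examplepost-store.example": date(2026, 3, 10),
    "login-examplebank.example": date(2026, 3, 12),
}

# Constructed daily snapshots: (check date, {hostname: True/False/None}).
# None means the lookup failed that day, so the status is unknown.
SNAPSHOTS = [
    (date(2026, 3, 30), {"shop-examplepost.example": False,
                         "examplepost-store.example": False,
                         "login-examplebank.example": False}),
    (date(2026, 3, 31), {"shop-examplepost.example": True,
                         "examplepost-store.example": False,
                         "login-examplebank.example": None}),
    (date(2026, 4, 1), {"shop-examplepost.example": True,
                        "examplepost-store.example": False,
                        "login-examplebank.example": True}),
]

def registration_alerts(first_seen, snapshots):
    """Alert once per watched hostname, on the day it flips to registered."""
    alerts, last_known = [], {}
    for check_date, status in sorted(snapshots, key=lambda s: s[0]):
        for host in sorted(status):
            registered = status[host]
            if host not in first_seen or registered is None:
                continue  # not watched, or lookup failed: keep the last known state
            if registered and not last_known.get(host, False):
                lead = (check_date - first_seen[host]).days
                alerts.append((host, check_date, lead))
            last_known[host] = registered
    return alerts

if __name__ == "__main__":
    for host, day, lead in registration_alerts(FIRST_SEEN, SNAPSHOTS):
        print(f"{day}: {host} registered {lead} days after first hallucination")
```

A failed lookup is skipped rather than treated as "unregistered", so a flaky whois day cannot produce a duplicate alert the next morning.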

🗂️ Be the Dictionary Nobody Wrote Yet

This whole “phantom squatting” thing is brand new. There is NO simple, plain-English cheat sheet explaining it to normal business owners. So write it. A dead-simple guide: “How to check if AI is inventing fake versions of YOUR website — in 10 minutes, no tech skills.”

First good free guide on this becomes the thing everyone links to when they Google the scary new word. That’s free traffic you can point anywhere.

:brain: Example: A 26-year-old marketer in India writes a clean step-by-step guide, drops it free on Medium and a Reddit r/cybersecurity thread, and puts a “want me to scan your brand for $49?” button at the bottom. The guide ranks, the button converts. $600 first month.

:chart_increasing: Timeline: Guide written in a day. Traffic builds over 4–8 weeks. Golden while the term is new; more people pile in by end of year, so plant your flag early.

🎣 The Brand Scan Side-Gig

Businesses have NO idea AI is inventing fake versions of their site. You do. Offer a one-time “phantom scan”: you ask free chatbots for their website 50 times, screenshot every wrong/fake address it gives, and hand them a tidy report showing which fake addresses are unclaimed (danger) vs. already grabbed (emergency).

You’re using free tools. You’re charging for knowing what to look for. Classic.

:brain: Example: A 25-year-old freelancer in Brazil DMs 30 small e-commerce shops on Instagram with one screenshot: “This is the FAKE version of your site the AI is telling customers to visit.” Ten reply. Four pay $75 for the full scan-and-report. He does the whole thing with a free chatbot and a spreadsheet.

:chart_increasing: Timeline: First client in a week if you cold-DM hard. Scales to a small service business in 2–3 months. Eventually security firms automate this — you’ve got a solid year of hand-crafted advantage.

🔮 The Reverse Lookout (protect your own stuff)

Not everything’s about selling. If you run ANY site — a store, a newsletter, a small app — go ask the popular chatbots for YOUR address right now. If they invent a fake one, that’s a trap waiting to be built against your own customers. Register the fake address yourself for $10 and redirect it home. You just closed a door before a burglar found it.

Then tell your audience you did it. That story (“I caught the AI lying about my site and shut it down”) is trust gold.

:brain: Example: A 23-year-old running a small Shopify skincare brand in Indonesia finds the AI inventing a .shop version of her store. She grabs it for $9, redirects it, and posts the whole thing as a TikTok. The video does numbers, the store gets a sales bump from the free attention.

:chart_increasing: Timeline: 30 minutes to check and fix. Immediate peace of mind. This one never “expires” — it’s just basic hygiene now, like locking your door.
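
For the check on your own site described above (and the scan report in the previous section), an added example that is not part of the original post: it pulls every hostname out of a batch of saved chatbot answers, drops the ones that really belong to the brand, and ranks the rest by how many answers repeated them. The brand, the answers and the function names are constructed or hypothetical; `OFFICIAL` is your own list of domains you actually own.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

OFFICIAL = {"examplebrand.example"}  # assumption: domains the brand really owns

ANSWERS = [  # constructed chatbot replies to "what's the website for ExampleBrand?"
    "The official site is https://www.examplebrand.example/ and you can shop there.",
    "Visit ExampleBrand at https://examplebrand-shop.example/login.",
    "Try examplebrand-shop.example, or the main site https://examplebrand.example.",
    "Their store is http://EXAMPLEBRAND-SHOP.example.",
    "Support is at examplebrand.example.help-desk.example (e.g. for refunds).",
]

HOST_OK = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")

def hosts_in(answer):
    """Return the set of lowercase hostnames mentioned in one answer."""
    found = set()
    for token in answer.split():
        token = token.strip("()[]<>\"'.,;:!?*`")
        if "." not in token:
            continue
        url = token if "://" in token else "//" + token
        try:
            host = (urlsplit(url).hostname or "").rstrip(".")
        except ValueError:
            continue  # malformed URL text, ignore it
        if HOST_OK.fullmatch(host):
            found.add(host)
    return found

def is_official(host, official):
    # Match the domain itself or a subdomain, on a dot boundary only, so
    # "examplebrand.example.help-desk.example" does not pass as official.
    return any(host == d or host.endswith("." + d) for d in official)

def phantom_report(answers, official):
    """List (hostname, number of answers naming it) for non-official hosts."""
    counts = Counter()
    for answer in answers:
        counts.update(h for h in hosts_in(answer) if not is_official(h, official))
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))

if __name__ == "__main__":
    for host, n in phantom_report(ANSWERS, OFFICIAL):
        print(f"{host}: named in {n} of {len(ANSWERS)} answers")
```

The hostnames at the top of the report are the ones the chatbot repeats most, which makes them the first to register and redirect or to put on a watchlist.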

🛠️ Follow-Up Actions

| Want To… | Do This |
| --- | --- |
| Read the actual research | Unit 42 phantom squatting report |
| Buy cheap addresses to protect | Namecheap / Porkbun |
| Check who owns an address | who.is |
| Find brands to scan for free | Ask ChatGPT or Gemini “what’s the site for X?” 50x |
| Learn phishing tricks to explain them | Have I Been Pwned + PhishTank |

:high_voltage: Quick Hits

| You Want | You Do |
| --- | --- |
| :ghost: See the danger yourself | Ask a chatbot for 5 brands’ sites — watch it invent a fake one |
| :window: Grab the window | Register unclaimed fake addresses for $10, redirect to the real brand |
| :satellite_antenna: Stay early | Build a watchlist, catch hackers the day they register |
| :fishing_pole: Get paid | Sell “phantom scans” to small businesses with a free chatbot + spreadsheet |
| :crystal_ball: Protect yourself | Check YOUR own site’s fake address today, lock the door |

The robot’s out here inventing fake addresses and the crooks are moving in first. First one to the empty house wins. Go be first.