A new research paper suggests that AI hallucinations, often dismissed as quirky mistakes, might actually open the door for serious cyberattacks.

Researchers from Tel Aviv University, the Technion, and Intuit have published a study titled “Beware of Agentic Botnets: Scalable Untargeted Promptware Attacks via Universal and Transferable Adversarial HalluSquatting.” They describe a technique where attackers exploit the tendency of large language models (LLMs) to fabricate links to software repositories or other online resources.

The HalluSquatting Technique

This method, called adversarial hallucination squatting (or HalluSquatting), works by predicting which fake resources an AI might create. Attackers then register those names and load them with malicious instructions. If the AI agent later retrieves that resource, it may treat the attacker-controlled content as trustworthy.

The core problem, the researchers note, is that AI assistants are moving beyond simple question-answering. They are now actively interacting with computers—reading files, searching the web, writing code, and executing commands. This ability creates a security gap when an agent acts on information it retrieves without verifying the source is real.

High Success Rates in Tests

In their testing, the researchers found that AI models invented resources at alarmingly high rates. For instance, when agents were asked to clone a software repository, the hallucination rate reached up to 85%. In tests involving skill installations, the rate hit a full 100%.

The team evaluated the attack against popular AI coding tools, including Cursor, GitHub Copilot, Gemini CLI, and OpenClaw. The idea is similar to typosquatting, where attackers register domains that look like legitimate ones to catch human typos. Instead, HalluSquatting targets the mistakes made by the AI model itself.

Growing Threat of AI Botnets

The researchers warned that this technique could allow attackers to build AI-enabled botnets. A botnet is a network of infected computers controlled by an attacker, often used for denial-of-service attacks, cryptocurrency mining, or spreading malware.

This study comes as other researchers continue to explore how AI agents can be manipulated. In April, Google researchers described websites designed to hijack agents through indirect prompt injections, aiming to steal passwords, delete files, or manipulate payments. A separate study on the “CopyPasta” attack showed how hidden prompts inside developer files could trick coding assistants into spreading malicious code.

The concerns are becoming practical, too. In June, an OpenClaw user reported facing over 6,000 attempts from attackers trying to trick the AI agent into leaking sensitive information. The research highlights that hallucinations are not just a funny flaw—they might be a safety hazard.