DOI hijacking, explained

A quick refresher on DOIs

A DOI (Digital Object Identifier) looks like 10.1038/s41586-024-07421-0. Resolve it through https://doi.org/and it should always take you to the same paper. Because it's the most authoritative part of a reference, people tend to trust it — and skip checking where it actually leads.

Hijacked vs. invented

There are two ways a DOI goes wrong, and they fail differently:

• Invented— the DOI doesn't resolve to anything. Annoying, but easy to catch: the link is simply dead.
• Hijacked — the DOI resolves perfectly, just to a differentreal paper than the reference describes. The link “works,” so a quick glance passes it. This is the dangerous one.

Why it happens

When an AI model fabricates a reference, it often pairs an invented title with a DOI that has the right shape — and that string frequently belongs to a real, unrelated paper. Studies of model-generated citations have found that a large share of fake DOIs resolve to a genuine but different work. The model isn't being clever; it's producing a plausible-looking identifier, and plausible-looking identifiers often already exist.

Why it's the hardest to catch

Most quick checks — and even some automated tools — only ask “does this title exist?” or “does this DOI resolve?” A hijacked DOI passes both: the title may be real, and the DOI definitely resolves. Catching it requires comparing the work the DOI points to against the rest of the reference and confirming they describe the same paper. That cross-check is the gap the largest published audits explicitly set aside — and the class Hallucite is built around.

How to spot one yourself

Open the DOI and read the destination's title and authors — don't assume a working link is a correct link. If the page that loads doesn't match the reference, the DOI has been hijacked. For a whole bibliography, an automated cross-reference check is far faster; see how verification works or the full checking checklist.