2 Sources
[1]
AI website builder Lovable increasingly abused for malicious activity
Cybercriminals are increasingly abusing the AI-powered Lovable website creation and hosting platform to generate phishing pages, malware-dropping portals, and various fraudulent websites. The malicious sites created through the platform impersonate large and recognizable brands, and feature traffic filtering systems like CAPTCHA to keep bots out.
While Lovable has taken steps to better protect its platform from abuse, as AI-powered site generators increase in number, the barrier to entering cybercrime continues to drop.
Since February, cybersecurity company Proofpoint "observed tens of thousands of Lovable URLs" that were delivered in email messages and were flagged as threats. In a report today, the researchers describe four malicious campaigns that abused the Lovable AI website builder.
One example is a large-scale operation that relied on the phishing-as-a-service platform known as Tycoon. Emails contained Lovable-hosted links that opened with a CAPTCHA and then redirected users to fake Microsoft login pages featuring Azure AD or Okta branding. These sites harvested user credentials, multi-factor authentication (MFA) tokens, and session cookies through adversary-in-the-middle techniques. During the campaigns, the threat actor sent hundreds of thousands of messages to 5,000 organizations.
A second example was a payment and data theft campaign that impersonated UPS, sending nearly 3,500 phishing emails with links that directed victims to phishing sites. The sites asked visitors to enter personal details, credit card numbers, and SMS codes, which were then sent to a Telegram channel controlled by the attacker.
The third is a cryptocurrency theft campaign that impersonated the DeFi platform Aave, sending out close to 10,000 emails via SendGrid. Targeted users were led to Lovable-generated redirects and phishing pages designed to trick them into connecting their wallets, likely followed by asset drainage.
The fourth case concerns a malware delivery campaign distributing the remote access trojan zgRAT. Emails contained links that led to Lovable apps posing as invoice portals, which delivered RAR archives hosted on Dropbox. The files included a legitimate signed executable alongside a trojanized DLL that launched DOILoader, ultimately loading zgRAT.
Lovable introduced real-time detection of malicious site creation in July, and also automatically scans published projects daily to spot and delete any fraud attempts. The developer also stated that it plans to introduce additional protections this fall, which would proactively identify and block abusive accounts on the platform.
Guardio Labs confirmed to BleepingComputer that Lovable can still be used to create malicious sites. In a recent test, the researchers generated a fraudulent site to impersonate a large retailer and encountered no objection from the platform. BleepingComputer has contacted Lovable to ask about the effectiveness of the existing anti-abuse measures on the platform, but a comment wasn't immediately available.
[2]
Top AI website builder Lovable hit in worrying cyberattack - here's what we know
Lovable is introducing different protections to combat the threat
Lovable, a popular AI website builder which allows users to craft quality websites by talking to the platform, is being heavily abused in different cybercriminal activities, experts have warned. Security researchers at Proofpoint have revealed how, since February 2025, they have seen "tens of thousands" of Lovable URLs used in malicious campaigns, being distributed through phishing emails.
"Cybercriminals are increasingly using an AI-generated website builder called Lovable to create and host credential phishing, malware, and fraud websites," Proofpoint said in its report. The company added it has observed, "numerous campaigns leveraging Lovable services to distribute multifactor authentication (MFA) phishing kits like Tycoon, malware such as cryptocurrency wallet drainers or malware loaders, and phishing kits targeting credit card and personal information."
Ever since the emergence of the first ChatGPT version, security researchers have been warning about AI tools lowering the barrier for entry into cybercrime. At first, threat actors used Generative AI to craft convincing phishing emails, or write malware code quickly and efficiently. However, since website builders started integrating AI as well, criminals found a new toy to play with.
In February 2025 alone, Proofpoint claims to have seen a campaign leveraging file sharing themes to distribute credential phishing, which included "hundreds of thousands of messages" and impacted more than 5,000 organizations.
Fortunately, Lovable isn't sitting with its hands crossed. One credential phishing cluster with hundreds of domains was taken down by Lovable the same week it was reported. The company also told Proofpoint it recently implemented AI-driven security protections to make building phishing sites impossible, including real-time detections to prevent creation of malicious websites as users prompt the tool, and automated daily scanning of published projects to flag potentially fraudulent projects.
Cybercriminals are increasingly abusing Lovable, an AI-powered website creation platform, to generate phishing pages and malicious websites. The company is implementing new security measures to combat this threat.
Lovable, an AI-powered website creation and hosting platform, has become a target for cybercriminals who are increasingly exploiting its capabilities to generate phishing pages, malware-dropping portals, and fraudulent websites. Security researchers at Proofpoint have observed "tens of thousands of Lovable URLs" being used in malicious campaigns since February 2025, highlighting the growing concern over AI tools lowering the barrier for entry into cybercrime [1][2].
The abuse of Lovable's platform has been significant, with Proofpoint reporting multiple large-scale operations:
These malicious sites often feature sophisticated elements such as traffic filtering systems like CAPTCHA to evade detection and maintain their effectiveness [1][2].
The cybercriminals behind these campaigns employ various strategies to maximize their success:
In light of these abuses, Lovable has taken steps to enhance the security of its platform:
However, the effectiveness of these measures remains in question. Guardio Labs reported to BleepingComputer that they were still able to create a fraudulent site impersonating a large retailer without objection from the platform [1].
The exploitation of AI-powered tools like Lovable for malicious purposes underscores a growing concern in the cybersecurity community. As AI-powered site generators become more prevalent, there is a risk that the barrier to entering cybercrime will continue to drop [1][2].
This trend highlights the need for ongoing vigilance and adaptation in the face of evolving cyber threats. It also emphasizes the importance of responsible AI development and the implementation of robust security measures in AI-powered tools to prevent their misuse by malicious actors.
As the situation continues to evolve, it remains crucial for both users and developers of AI-powered platforms to stay informed about potential risks and take proactive steps to enhance security.
Summarized by
Navi