AI Website Builder Lovable Abused for Phishing and Malware Scams
Scammers have been spotted abusing AI site builder Lovable to mimic trusted brands, steal credentials, drain crypto wallets, and spread malware.
Cybersecurity researchers at Proofpoint report that cybercriminals are abusing Lovable, an AI-powered website builder, to spin up fraudulent sites in minutes that mimic trusted brands and distribute malware.
Lovable was designed as a user-friendly tool for anyone with limited web development experience. Users simply type a description of the website they want, and the service generates a working site, hosted under the lovable.app domain.
The service offers free accounts that include hosting and display a visible “Edit with Lovable” badge, while paid users can hide the badge and attach custom domains. For legitimate users, it is a shortcut to publishing websites quickly. For threat actors, it has become an opportunity to scam unsuspecting people.
Proofpoint has tracked campaigns where Lovable-hosted sites distribute credential phishing kits such as Tycoon, payment data harvesters, and even cryptocurrency wallet drainers.
Testing the service themselves, the researchers found no restrictions when building their own phishing site with Lovable, including functionality to mimic enterprise login portals. They reported hundreds of thousands of malicious Lovable URLs detected in email data each month since February 2025, with campaigns increasing gradually.
In one campaign from February 2025, attackers used lovable.app URLs to direct victims through a CAPTCHA page before loading a fake Microsoft login. The setup was powered by Tycoon, a Phishing-as-a-Service platform capable of stealing credentials, tokens, and session cookies. Later campaigns imitated HR messages about employee benefits to trick recipients into entering their corporate login details.
According to Proofpoint’s report shared with Hackread.com ahead of publishing on Wednesday, 20, 2025, cybercriminals are also using Lovable to mimic logistics firms and payment services.
In June 2025, Proofpoint spotted a campaign impersonating UPS, with nearly 3,500 messages leading to a fake UPS website that harvested credit card details and personal information, then sent them directly to Telegram. The project template used for this scam was publicly “remixable” on Lovable, meaning anyone could adapt it for new attacks with little effort.
One campaign impersonated DeFi service Aave, tricking victims into connecting their wallets to fraudulent sites created through Lovable. Researchers also identified other cryptocurrency-themed apps built with the tool that appeared designed to steal credit card details or siphon funds from connected wallets.
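The campaigns above share one observable: the lure links point at the lovable.app hosting domain, often with a brand name in the subdomain. The following triage helper is an added example, not Proofpoint's or Lovable's code; it extracts URLs from constructed sample message bodies, flags those hosted under lovable.app, and notes which impersonated brand (the ones named in this article) appears in the subdomain. The brand list and sample emails are assumptions for illustration.

```python
"""Triage helper: flag lovable.app-hosted links in email text.

Constructed example, not Proofpoint's or Lovable's code. Matches the host
suffix only, so a look-alike such as lovable.app.evil.example is not flagged.
"""
import re
from urllib.parse import urlsplit

HOSTING_SUFFIX = ".lovable.app"
# Brands impersonated in the reported campaigns; extend for your environment.
IMPERSONATED_BRANDS = ("microsoft", "ups", "aave")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def _host(url):
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def hosted_on_lovable(url):
    """True if the URL's host is lovable.app itself or one of its subdomains."""
    host = _host(url)
    return host == HOSTING_SUFFIX[1:] or host.endswith(HOSTING_SUFFIX)


def brand_hint(url):
    """First impersonated brand appearing in the subdomain labels, else None."""
    host = _host(url)
    labels = host[: -len(HOSTING_SUFFIX)] if host.endswith(HOSTING_SUFFIX) else ""
    return next((b for b in IMPERSONATED_BRANDS if b in labels), None)


def flag_lovable_urls(text):
    """Return deduplicated lovable.app-hosted URLs found in text, with a brand hint."""
    seen, findings = set(), []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;)")  # sentence punctuation, not part of the URL
        if url in seen or not hosted_on_lovable(url):
            continue
        seen.add(url)
        findings.append({"url": url, "brand_hint": brand_hint(url)})
    return findings


# Constructed sample message bodies (not real campaign data).
SAMPLE_EMAILS = [
    "Benefits enrollment closes today: https://hr-portal-microsoft-login.lovable.app/verify.",
    "Package on hold, confirm at https://ups-redelivery.lovable.app/pay",
    "Quarterly summary: https://reports.example.com/q2",
    "Decoy: https://lovable.app.evil.example/login must not match.",
]
```

Because paid accounts can attach custom domains, this catches only free-tier hosting and should feed a triage queue rather than an automatic block.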
**Not Just Phishing**
In July 2025, Proofpoint discovered a German-language campaign that used Lovable to host a fake invoice download page. Victims who clicked the link were served a trojanized file loader that ultimately delivered the remote access trojan zgRAT. Similar campaigns were later observed in English with minor adjustments to target different organizations.
**Lovable Alerted**
Proofpoint disclosed its findings to Lovable, which responded by correlating the data with its own investigations. According to the company, one phishing cluster with hundreds of domains was taken down in the same week.
Lovable also said it has rolled out AI-driven safeguards, including real-time detection of malicious prompts and daily scanning of published projects, with additional protections for account abuse planned for later this year.