Key Takeaways:
- Lovable, an AI-powered site builder, has been heavily abused by cybercriminals for phishing, malware delivery, and scams.
- Proofpoint researchers report tens of thousands of malicious URLs hosted on Lovable since early 2025.
- Campaigns impersonated Microsoft, UPS, and DeFi platforms, with some spreading malware like zgRAT.
- Lovable has begun rolling out real-time detection and daily scanning, with further safeguards planned.
- Enterprises and individuals are advised to strengthen MFA use, improve detection, and verify suspicious links.
Launched in late 2024, Lovable was marketed as a no-code AI tool to generate full-stack websites in seconds. It quickly became popular among developers, hobbyists, and businesses for its simplicity and hosting features. However, that same accessibility is now being leveraged by threat actors who see Lovable as a fast, inexpensive way to launch convincing malicious campaigns.
According to Proofpoint, since February 2025 researchers have identified tens of thousands of malicious sites built on Lovable. The tool’s ease of use—allowing anyone to publish fully functional web apps with little technical knowledge—has lowered the barrier for phishing-as-a-service operators and small-scale cybercriminals alike.
Phishing and Malware Campaigns on the Rise
One of the largest campaigns traced to Lovable was linked to Tycoon, a phishing-as-a-service platform. Attackers used Lovable to create fake Microsoft login portals that mimicked Azure AD and Okta pages. These were delivered through hundreds of thousands of phishing emails targeting over 5,000 organizations. Victims were directed through CAPTCHA challenges before being presented with adversary-in-the-middle credential theft pages designed to steal logins, MFA tokens, and session cookies.
Another campaign impersonated UPS, delivering around 3,500 phishing emails that pointed to Lovable-built pages designed to harvest names, addresses, credit card details, and SMS codes. The stolen information was forwarded to attackers via Telegram, making the scams difficult to trace.
Meanwhile, cryptocurrency users were also targeted. Nearly 10,000 phishing emails posed as DeFi platform Aave, pushing victims to connect wallets on deceptive Lovable-hosted pages. Connecting wallets to these malicious dApps likely resulted in asset theft.
Beyond phishing, some Lovable sites have been used to distribute malware. Hackers weaponized the platform to spread the remote access trojan zgRAT, often disguised as invoices or other business documents. Once installed, zgRAT provides attackers with persistent access to a victim’s system.
Lovable’s Security Response
When malicious campaigns first surfaced, Lovable had little in place to stop abuse. The platform allowed users to design sites without restrictions, including pages imitating credential login portals. That open structure gave criminals free rein to spin up fraudulent sites faster than defenders could block them.
By July 2025, Lovable announced new security controls. These include real-time detection during site creation, daily automated scanning of projects, and planned upgrades to account-level protections later in the year. While these steps are a move toward proactive defense, researchers caution that free, low-friction site builders will remain appealing to threat actors until stronger safeguards are standard.
Implications for Enterprises and Users
The rapid adoption of tools like Lovable shows how AI can accelerate legitimate innovation—and cybercrime. For organizations, it underscores the need for layered defenses beyond email filters and URL blocklists, which often fail to keep up with dynamically generated domains.
Security experts recommend:
- Enforcing multifactor authentication across enterprise accounts.
- Using advanced detection systems capable of identifying AI-generated malicious domains.
- Training staff to spot phishing attempts, especially those that mimic familiar brands.
- Sharing intelligence about active Lovable-hosted threats with peers and providers.
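The second recommendation above, detection that does not depend on a static URL blocklist, can be approximated with a simple triage rule: flag links hosted on low-friction site-builder domains whose subdomain borrows an impersonated brand name, and send the rest of the builder-hosted links for review. The following Python is an added example written for this article, not code from Proofpoint or Lovable. The log lines are constructed, the hosting suffix list is an assumption to be adjusted for your environment, and the brand keywords are taken from the campaigns the article describes.

```python
import re
from urllib.parse import urlparse

# Constructed sample lines from a hypothetical mail-gateway URL log (not real data).
SAMPLE_LOG = """\
2025-08-20T10:01:02Z msg=101 url=https://microsoft-login-secure.lovable.app/auth
2025-08-20T10:02:15Z msg=102 url=https://www.microsoft.com/en-us/
2025-08-20T10:03:44Z msg=103 url=https://ups-delivery-update.lovable.app/track
2025-08-20T10:04:09Z msg=104 url=https://aave-rewards.lovable.app/connect
2025-08-20T10:05:30Z msg=105 url=https://docs.example.org/report.pdf
2025-08-20T10:06:11Z msg=106 url=https://team-portal.lovable.app/
"""

# Assumed: hostname suffixes used by free, low-friction site builders.
# Extend this tuple with whatever builder domains matter in your environment.
BUILDER_SUFFIXES = (".lovable.app",)

# Brands impersonated in the campaigns described in the article.
BRAND_KEYWORDS = frozenset({"microsoft", "azure", "okta", "ups", "aave"})

LINE_RE = re.compile(r"msg=(\d+)\s+url=(\S+)")


def classify_url(url):
    """Return 'allow', 'review', or 'block' for a single URL.

    'block'  : builder-hosted and the subdomain contains an impersonated brand.
    'review' : builder-hosted but no brand keyword (low-confidence signal).
    'allow'  : not on a builder hosting domain (other controls still apply).
    """
    host = (urlparse(url).hostname or "").lower()
    suffix = next((s for s in BUILDER_SUFFIXES if host.endswith(s)), None)
    if suffix is None:
        return "allow"
    # Strip the hosting suffix and split the remaining label on '.' and '-'.
    # Whole-token matching avoids substring false positives such as "groups" vs "ups".
    tokens = re.split(r"[.-]", host[: -len(suffix)])
    if any(tok in BRAND_KEYWORDS for tok in tokens):
        return "block"
    return "review"


def scan_log(text):
    """Parse 'msg=<id> url=<url>' lines and return (msg_id, url, verdict) tuples."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ignore lines that carry no URL
        msg_id, url = m.group(1), m.group(2)
        results.append((msg_id, url, classify_url(url)))
    return results


if __name__ == "__main__":
    for msg_id, url, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:6s} msg={msg_id} {url}")
```

The 'review' verdict is deliberate: a builder-hosted link with no brand keyword is not evidence of abuse on its own, so it should feed a reviewer or a sandbox rather than a block action. Pair the rule with MFA enforcement, since the Tycoon pages described above are built to relay credentials and session cookies in real time, and a hostname rule alone will not stop a well-crafted adversary-in-the-middle page.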
For individuals, the advice is straightforward: remain skeptical of links received via email or text, even if they pass initial legitimacy checks such as CAPTCHAs or professional design.
Conclusion
Lovable was designed to make building websites fast and accessible, but cybercriminals have exploited that same simplicity to run widespread phishing, crypto scams, and malware campaigns. The company has started to implement stronger protections, yet the cat-and-mouse dynamic between attackers and defenders remains. Until AI-powered platforms like Lovable integrate comprehensive safeguards, enterprises and users alike must remain vigilant against the growing wave of low-effort but high-impact online threats.
Rich Tehrani serves as CEO of TMC and chairman of ITEXPO #TECHSUPERSHOW Feb 10-12, 2026 and is CEO of RT Advisors and is a Registered Representative (investment banker) with and offering securities through Four Points Capital Partners LLC (Four Points) (Member FINRA/SIPC). He handles capital/debt raises as well as M&A. RT Advisors is not owned by Four Points.
The above is not an endorsement or recommendation to buy/sell any security or sector mentioned. No companies mentioned above are current or past clients of RT Advisors.
The views and opinions expressed above are those of the participants. While believed to be reliable, the information has not been independently verified for accuracy. Any broad, general statements made herein are provided for context only and should not be construed as exhaustive or universally applicable.
Portions of this article may have been developed with the assistance of artificial intelligence, which may have contributed to ideation, content generation, factual review, or editing.