Top AI website builder Lovable hit in worrying cyberattack - here's what we know


  • Hackers are using AI-powered website builders to quickly craft phishing sites
  • Thousands of organizations have already been targeted
  • Lovable is introducing different protections to combat the threat

Lovable, a popular AI website builder which allows users to craft quality websites by talking to the platform, is being heavily abused in different cybercriminal activities, experts have warned.

Security researchers at Proofpoint have revealed how, since February 2025, they have seen “tens of thousands” of Lovable URLs used in malicious campaigns, being distributed through phishing emails.

“Cybercriminals are increasingly using an AI-generated website builder called Lovable to create and host credential phishing, malware, and fraud websites,” Proofpoint said in its report.

Lovable strikes back

Proofpoint added that it has observed “numerous campaigns leveraging Lovable services to distribute multifactor authentication (MFA) phishing kits like Tycoon, malware such as cryptocurrency wallet drainers or malware loaders, and phishing kits targeting credit card and personal information.”

Ever since the emergence of the first ChatGPT version, security researchers have been warning about AI tools lowering the barrier for entry into cybercrime.

At first, threat actors used generative AI to craft convincing phishing emails or to write malware code quickly and efficiently. However, since website builders started integrating AI as well, criminals have found a new toy to play with.

In February 2025 alone, Proofpoint claims to have seen a campaign leveraging file sharing themes to distribute credential phishing, which included “hundreds of thousands of messages” and impacted more than 5,000 organizations.

Fortunately, Lovable isn’t sitting with its hands crossed. One credential phishing cluster with hundreds of domains was taken down by Lovable the same week it was reported.

The company also told Proofpoint it recently implemented AI-driven security protections to make building phishing sites impossible, including real-time detections to prevent creation of malicious websites as users prompt the tool, and automated daily scanning of published projects to flag potentially fraudulent projects.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
