Free AI Website Tool Becomes A Favorite for Hackers

Hackers are abusing the AI website tool Lovable to build fake websites that imitate trusted companies and steal passwords, financial information and cryptocurrency.

In a rush? Here are the quick facts:

  • Proofpoint found tens of thousands of fake Lovable URLs monthly since February 2025.
  • Scams mimic Microsoft logins, UPS deliveries, and even crypto platforms.
  • Victims risk stolen passwords, financial data, and drained digital wallets.

The AI website builder Lovable has become a preferred tool for cybercriminals who use it to create fake websites for phishing and malware attacks, according to Proofpoint research.

The free website builder service lets users create sites through text prompts. Cybercriminals, however, use it to create fake websites that impersonate major brands, which allows them to steal personal and financial data and to drain cryptocurrency wallets.

“The barrier to entry for cybercriminals has never been lower,” Proofpoint researchers wrote.

Researchers say tens of thousands of malicious ‘lovable[.]app’ URLs have been detected in email threats each month since February 2025.

Proofpoint describes how, in one major campaign, attackers used CAPTCHA puzzles to direct victims toward fake Microsoft login pages that stole passwords, multifactor authentication tokens, and cookies using the Tycoon phishing kit. In another campaign, the attackers used fake UPS shipping notifications to steal payment information, which they then transmitted to criminal Telegram accounts.

Malware delivery has also been observed. In July, Proofpoint found a German-language campaign that used Lovable to host a fake download site, ultimately tricking victims into installing malicious software.

Lovable, which was also flagged by Guardio earlier this year, says it is responding. The company confirmed that it matched Proofpoint’s findings with malicious activity its own team had discovered.

“In July 2025, Lovable introduced both real-time detections to prevent creation of malicious websites as users prompt the tool, and automated daily scanning of published projects to flag potentially fraudulent projects,” the company said as reported by Proofpoint. Additional protections to detect fake accounts are planned for later this year.

Proofpoint concludes that while AI tools like Lovable can help legitimate users build websites, their misuse highlights how AI “can significantly lower the barrier to entry for cybercriminals.”
