AI’s Dark Side: How a New Website Builder Is Fueling a Surge in Cybercrime

Artificial intelligence is lowering the barrier to cybercrime. According to a new report by Proofpoint, threat actors are increasingly exploiting AI-powered website builders to create convincing phishing, fraud, and malware delivery platforms at scale.

The report highlights how attackers have turned to the AI platform Lovable, originally designed as a user-friendly website generator. Proofpoint explains, “Cybercriminals are increasingly using an AI-generated website builder called Lovable to create and host credential phishing, malware, and fraud websites.”

With just a few prompts, even novice threat actors can generate functioning phishing sites, complete with CAPTCHAs, redirects, and credential harvesting forms. “The barrier to entry for cybercriminals has never been lower,” researchers warn.

Proofpoint identified tens of thousands of malicious Lovable URLs each month since February 2025. The abuse spans multiple categories:

1. Tycoon MFA Phishing Campaigns

In February 2025, Proofpoint uncovered a mass campaign impacting over 5,000 organizations. Emails contained lovable[.]app URLs that led to CAPTCHAs, which then redirected to counterfeit Microsoft authentication portals. The sites leveraged the Tycoon Phishing-as-a-Service (PhaaS) platform, harvesting credentials, MFA tokens, and session cookies.

As Proofpoint describes, “The page presented the user’s organization Azure Active Directory (AAD) or Okta Branding and was designed to harvest user credentials, multifactor authentication (MFA) tokens, and retrieve associated session cookies.”

2. Fake Shipping and Payment Scams

In June 2025, a campaign impersonated UPS, distributing nearly 3,500 phishing emails. These Lovable-built sites harvested personal data, credit card details, and SMS authentication codes—then exfiltrated the data directly to Telegram.

“The website impersonated UPS … and then posted the stolen details to a Telegram channel. This malicious website is based on the ‘ups-flow-harvester’ project on Lovable.”

3. Cryptocurrency Drainers

Another campaign targeted users of the DeFi platform Aave, reaching almost 10,000 recipients. Emails delivered via SendGrid redirected to Lovable-built phishing sites designed to trick victims into connecting their crypto wallets. “The likely goal was to steal assets from any wallet that is connected,” Proofpoint noted.

4. Malware Delivery Campaigns

In late July 2025, German-language phishing emails distributed DOILoader and zgRAT via Lovable sites. Attackers used Cookie Reloaded URLs to redirect victims to AI-generated download pages masquerading as invoice portals. The download chain ultimately installed malware through DLL sideloading.

Proofpoint reported its findings to Lovable, which acknowledged overlap with phishing clusters already flagged by its Trust and Safety team. In response, Lovable introduced new safeguards: “In July 2025, Lovable introduced both real-time detections to prevent creation of malicious websites as users prompt the tool, and automated daily scanning of published projects to flag potentially fraudulent projects.”

Additional protections are expected later in 2025, focusing on account-level fraud detection and malicious user blocking.

Proofpoint emphasizes that “some AI tools can significantly lower the barrier to entry for cybercriminals … With automatic web creation tools, threat actors can spend more time on the attack chain and tooling capabilities and incorporate AI generated social engineering into their toolkit.”

Related Posts:

• CVE-2025-48757: Lovable’s Row-Level Security Breakdown Exposes Sensitive Data Across Hundreds of Projects
• New PayPal Scam Tricks Users with Convincing Ads and Pages
• Over 18,000 Devices Compromised in XWorm RAT Builder Campaign
• Critical Kubernetes Image Builder Flaw: Default Credentials Grant Root Access to Windows Nodes
• WordPress.com Launches AI Website Builder for Easy Site Creation