Domain Due Diligence
Report for Lovable.dev
Why we think so
Quick take: lovable.dev is a high‑traffic AI app builder (tens of millions of monthly visits) with a verified company presence in Stockholm and recent high‑profile press coverage. ⚠️ At the same time, multiple security researchers and news outlets document large‑scale abuse of the platform — criminals have used Lovable to spin up phishing pages that steal credentials and drain crypto wallets. The site itself is not flagged by Google Safe Browsing and shows standard security/verification records, but the abuse risk means you should treat any site built on this platform cautiously and verify the destination before entering credentials or payments.
Risk Insights
High scale, real company — but abused for phishing
Contradictory Signals
The main domain and official site are technically legitimate, but many subdomains/sites hosted via the platform are malicious, so a clean Safe Browsing check does not eliminate risk.
Signal A: No Google Safe Browsing flags and strong DNS/SSL records
Signal B: Multiple security reports documenting large‑scale abuse of the platform to host phishing and wallet‑draining pages
Red Flags & Warnings
- Security researchers report widespread abuse: Lovable has been used to create phishing and crypto‑draining pages at scale.
- User complaints about lost credits, disappearing projects, and platform glitches that can cause indirect financial harm to customers.
- Public legal disputes with established vendors (Figma cease‑and‑desist) increase operational risk and regulatory scrutiny.
🔎 Detailed Checks & Analysis
Domain tech & infrastructure (similartech_v1)
"Presence of Stripe verification and multiple google-site-verification TXT records indicates a maintained production site with payment and verification integrations."
Reason: Modern stack detected (Cloudflare, AWS, Stripe, Google Analytics), HTTPS present and multiple verification TXT records.
Traffic volume & engagement (similar_web_api_v1)
"High engagement and traffic rank (~2,500 globally) are strong trust signals for platform scale."
Reason: SimilarWeb reports ~21M monthly visits, strong pages/visit and time on site indicating widespread legitimate usage.
Traffic stats / competitor data (website_traffic_stats_v1)
"One source lacked data; use SimilarWeb/SimilarTech for the traffic picture instead."
Reason: Requested traffic dataset returned no data, leaving a visibility gap for some analytics.
Contact details & social presence (website_contacts_scraper_v1)
"No public phone number found in scraped contacts, but emails and social links are consistent with a SaaS vendor."
Reason: Published support and sales emails plus multiple social profiles (Twitter, LinkedIn, Instagram, Facebook) provide clear contact paths.
WHOIS / DNS / SSL checks (whois_dns_ssl_v1)
"Certificate validity window and DNS setup are normal for a production SaaS site; TTLs and NS records point to Cloudflare protection."
Reason: Valid SSL certificate, Cloudflare nameservers, SPF/MX records and verification TXT records observed.
Trademark search (uspto_trademark_search_v1)
"Absence from USPTO registry does not prevent private cease‑and‑desist actions; monitor for ongoing filings."
Reason: No direct USPTO trademark matches for the queried term, but public brand disputes (Figma) exist in press.
Crypto scam blacklist (crypto_scam_sniffer_v1)
"Platform has been used to host crypto‑draining scam pages, but the domain itself is not currently listed on this blacklist."
Reason: Domain not found on the supplied crypto scam blacklist.
Google Safe Browsing (google_safe_browsing_v1)
"Safe Browsing not flagging the domain is useful, but it does not prevent malicious subdomains or hosted pages from being abused."
Reason: No matched threats in the provided Safe Browsing results.
Maps listing & reviews (google_places_v1)
"A verified place listing is a meaningful identity signal for company legitimacy."
Reason: Google Places shows a physical address in Stockholm with a 4.3 rating and ~239 reviews.
News & security reporting (google_news_v1 / perplexity_questions_v1)
"High‑visibility funding and press (TechCrunch) coexist with security research documenting large‑scale malicious use of the platform."
Reason: Multiple articles detail both rapid growth/funding and security abuse; the abuse reports are material and lower overall trust.
Your Next Steps
1. When you encounter a site claiming to be a known brand, verify the URL carefully (look for exact domain, certificate details, and official vendor links) before entering credentials or connecting wallets.
2. Avoid entering payment or wallet keys on pages you did not reach from an official vendor domain; prefer bookmarked or search‑verified links.
3. If you see a suspicious site hosted on lovable.dev, report it to Lovable (support@lovable.dev) and to Google Safe Browsing; collect screenshots and the exact URL.
4. For businesses: monitor for impersonations, register key trademarks, and set up automated takedown/monitoring (proofing WHOIS, brand alerts, and abuse reporting contacts).
5. If you purchased credits and lost access or funds, contact support@lovable.dev and your payment provider immediately and file a report with local law enforcement if financial theft occurred.
Evidence & Citations
- Lovable becomes a unicorn with $200M Series A just 8 months after launch
  Major press coverage and funding announcement showing business traction.
- Lovable AI Found Most Vulnerable to VibeScamming — Enabling Anyone to Build Live Scam Pages
  Security researcher findings describing platform abuse for phishing.
- SimilarWeb domain analytics for lovable.dev (visits, rank, engagement)
  Traffic metrics: ~21M visits and engagement stats used to assess scale.
- WHOIS / DNS / SSL records for lovable.dev
  Observed HTTPS certificate, Cloudflare nameservers, SPF/MX entries and Stripe verification TXT records.
- Google Places listing: Lovable — Tunnelgatan 5, Stockholm
  Physical listing with rating and location — supports a verifiable company presence.
- Security reporting and investigations summarised (research & user complaints)
  Examples of phishing campaigns and Proofpoint analysis referenced in aggregated search results.