Logo
FrontierNews.ai

How AI App Builders Like Lovable Are Becoming Tools for Deception

No-code AI app builders like Lovable have made it easier than ever to launch professional-looking websites in days, but a recent investigation reveals they're also lowering the barrier to sophisticated deception. A fake think tank called the Institute of East Asia Strategic Studies (IEASS) used Lovable to construct a convincing facade complete with fabricated employee profiles, fake credentials, and AI-generated headshots, all designed to extract sensitive information from security analysts and intelligence professionals.

What Happened With the Fake Think Tank?

The IEASS claimed to be based in Singapore and published analytical reports on Asian security issues. It approached individuals in Singapore, Taiwan, and other locations, posing as a legitimate research organization. However, when The Straits Times investigated, the deception unraveled quickly. The think tank had no official registration in Singapore despite claiming to have been founded there in 2019, and its listed office at Millenia Walk shopping mall did not exist.

Of the 12 people listed as employees on the IEASS website, only three maintained public LinkedIn profiles. Those three accounts contained telltale signs of AI generation. Two profiles, under the names Travis Walker and Viga Oborski, featured profile pictures with visual artifacts commonly associated with AI-generated images, including unnatural details around glasses and ears. When checked against facial-recognition search engines, neither face appeared anywhere else on the internet.

The organization's recruitment strategy was equally suspicious. Before removing its contact information, IEASS had posted job openings for a remote geopolitical consultant and a recruitment specialist specifically tasked with contacting experts and scholars via LinkedIn. These positions were later replaced with a listing for a remote research contributor focused primarily on Taiwan research.

How Did Lovable Enable This Deception?

According to Max Lesser, a senior analyst on emerging threats at the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies, IEASS was not operating alone. Lesser's investigation found that IEASS shared nearly identical website infrastructure with two other suspicious organizations: Sentinel Global Affairs and Strategy (SGAS) and East Asia Strategic Insights (EASI). All three sites were built using Lovable, an AI platform designed to let non-technical founders create apps and websites without writing code.

The three organizations were registered between March and May 2026, suggesting they were part of a coordinated network. EASI also claimed to be Singapore-based, while SGAS listed Paris, France as its headquarters, though neither provided specific addresses. EASI's homepage even falsely claimed that its analysts had been quoted by major news outlets including Reuters, the Financial Times, Nikkei Asia, and The Straits Times, though no such quotes could be verified.

Why This Matters for Security and Trust

The incident highlights a critical vulnerability in how easily legitimate-looking institutions can now be fabricated. Muhammad Faizal Abdul Rahman, a research fellow at the S. Rajaratnam School of International Studies in Singapore, explained that choosing Singapore as a base was a deliberate strategy. "Singapore's security research community is small and close-knit," he noted, adding that IEASS leveraged the Republic's standing to present itself as a reputable institution.

"Whether they are from any particular country's intelligence service, I would say it is very hard to say concretely. There are signs, but there is no way to say for sure. The major powers, in particular, or any other countries that are geopolitical rivals, are all doing this," stated Muhammad Faizal Abdul Rahman.

Muhammad Faizal Abdul Rahman, Research Fellow at the S. Rajaratnam School of International Studies

One NATO employee was directly contacted by someone identifying himself as Walker, who suggested "strictly professional exchanges in your personal capacity" and offered to commission analytical briefs for "competitive professional fees." The approach was designed to appear legitimate while subtly encouraging off-the-record conversations.

Steps Organizations Can Take to Verify Legitimacy

  • Check official registrations: Verify that think tanks and research organizations are registered with relevant government bodies and have publicly listed office addresses that can be independently confirmed.
  • Validate employee credentials: Cross-reference employee profiles against university alumni databases, professional licensing boards, and public employment records to confirm claimed educational backgrounds and work history.
  • Examine website infrastructure: Investigate the technical details of suspicious websites, including domain registration dates, hosting providers, and whether the site was built using no-code platforms that might indicate rapid, low-cost creation.
  • Use facial recognition tools: Run profile pictures through facial-recognition search engines to determine whether the images appear elsewhere on the internet or show signs of AI generation.
  • Verify publication claims: When organizations cite media mentions, directly contact those publications to confirm whether the quotes or attributions actually appeared in their reporting.

The broader concern is that no-code AI builders like Lovable have democratized website creation in ways that benefit legitimate entrepreneurs but also lower barriers for sophisticated social engineering. These platforms make it possible to launch a professional-looking organization in days without technical expertise or significant investment.

The IEASS case is not entirely new in its tactics. As Faizal noted, the modus operandi of purported think tanks and geopolitical consultancies using false personas has existed for years. What has changed is the speed and ease with which such operations can now be executed. AI-generated profiles, combined with no-code website builders, compress what once required significant resources and technical skill into a weekend project.

By July 15, all four LinkedIn accounts associated with IEASS had been deleted, and the organization had removed its contact details from its website, including a phone number with a United Kingdom country code prefix. The general email address was found to be invalid, with only the human resources department email remaining functional.

For security analysts, intelligence professionals, and anyone working in sensitive fields, the lesson is clear: the appearance of legitimacy is no longer a reliable indicator of authenticity. Verification now requires active investigation of registration records, credential validation, and technical analysis of how an organization's digital presence was constructed.