- Highly convincing phishing emails were sent to Robinhood customers this weekend, appearing to come directly from the company.
- The attack combined Gmail’s “dot trick” with an HTML-injection flaw in Robinhood’s email template, which rendered attacker-supplied markup inside a genuine notification.
- The fraudulent messages carried valid authentication headers, passed spam and authentication checks, and were threaded by Gmail alongside legitimate earlier messages from the company.
- Security researchers and crypto influencers warned users not to click any links, even from seemingly authentic sources.
Over the weekend, Robinhood customers were targeted by an unusually sophisticated phishing attack. The fraudulent emails looked completely genuine: they passed email authentication and carried a legitimate @robinhood.com sender address.
Consequently, the messages bypassed spam filters and were even grouped by Gmail with prior legitimate security alerts from the company. Security researcher Abdel Sabbah analyzed the exploit, calling it “kinda beautiful” in a sinister way. He detailed how the attackers built the campaign, starting with Gmail’s behaviour of ignoring dots in the local part of an address: j.doe@gmail.com and jdoe@gmail.com deliver to the same inbox.
The hackers then created a new Robinhood account using a dotted variant of a real customer’s Gmail address, so Robinhood treated it as a new identity while Gmail delivered its mail to the victim’s existing inbox. They set the device name on this account to a block of raw HTML. When Robinhood’s system generated an “unrecognized activity” notification, it inserted the device name into the email template without HTML-escaping it, so the injected markup rendered as part of the message.
The result was a phishing email with a valid DKIM signature that also passed SPF, because Robinhood’s own mail infrastructure sent it. Its call-to-action link led to a fake login page built to harvest credentials and two-factor codes. Many crypto influencers, including Ripple’s David Schwartz, quickly amplified warnings about the convincing scam.
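The two ingredients described above, Gmail’s dot normalization and the unescaped device name, are reproduced in the added example below. This is illustrative code written for this article, not Robinhood’s or the researcher’s; the customer address, the attacker’s dotted variant, the HTML payload and its placeholder URL are all constructed, and the template text is an assumption about what such an alert looks like. It shows the uniqueness check that misses the collision when it compares raw strings but catches it after canonicalization, and the vulnerable rendering beside the escaped one.

```python
import html
import re

# Constructed sample data (not from the article): one existing customer and
# the dotted variant an attacker would register with.
EXISTING_CUSTOMERS = {"victim.name@gmail.com"}
ATTACKER_SIGNUP = "vic.tim.na.me@gmail.com"

# Constructed attacker-controlled "device name". The anchor breaks out of the
# template's paragraph and adds a call-to-action; the URL is a placeholder.
MALICIOUS_DEVICE_NAME = (
    '</p><p>Suspicious login blocked. '
    '<a href="https://example.invalid/login">Verify your account</a></p><p>'
)

# Assumed alert template; the real wording is not in the article.
TEMPLATE = (
    "<p>We noticed a login from a new device: <b>{device}</b>. "
    "If this was not you, review your account activity.</p>"
)


def canonical_address(addr: str) -> str:
    """Normalize an address the way Gmail routes it.

    Gmail ignores dots in the local part, so 'vic.tim@gmail.com' and
    'victim@gmail.com' are one inbox. Other domains are only lowercased,
    since dot-insensitivity is a Gmail behaviour, not a general one.
    """
    local, _, domain = addr.strip().lower().rpartition("@")
    if domain == "gmail.com":
        local = local.replace(".", "")
    return f"{local}@{domain}"


def signup_collides_raw(new_addr: str, existing: set[str]) -> bool:
    """The weak check: exact string comparison. Misses dotted variants."""
    return new_addr.strip().lower() in {a.lower() for a in existing}


def signup_collides(new_addr: str, existing: set[str]) -> bool:
    """The corrected check: compare canonical forms before creating an account."""
    canon_existing = {canonical_address(a) for a in existing}
    return canonical_address(new_addr) in canon_existing


def render_alert_vulnerable(device_name: str) -> str:
    """Interpolates the untrusted device name as-is, so its HTML is rendered."""
    return TEMPLATE.format(device=device_name)


def render_alert_safe(device_name: str) -> str:
    """Escapes the untrusted value so the mail client shows it as text."""
    return TEMPLATE.format(device=html.escape(device_name, quote=True))


def contains_live_markup(rendered: str) -> bool:
    """Crude detector: is there an un-escaped anchor tag in the rendered body?"""
    return re.search(r"<a\s+href=", rendered, re.IGNORECASE) is not None


if __name__ == "__main__":
    print("raw check blocks signup:      ", signup_collides_raw(ATTACKER_SIGNUP, EXISTING_CUSTOMERS))
    print("canonical check blocks signup:", signup_collides(ATTACKER_SIGNUP, EXISTING_CUSTOMERS))
    print("vulnerable body has live link:", contains_live_markup(render_alert_vulnerable(MALICIOUS_DEVICE_NAME)))
    print("escaped body has live link:   ", contains_live_markup(render_alert_safe(MALICIOUS_DEVICE_NAME)))
```

The escaping fix is the one that stops the phishing content; the canonicalization check is defence in depth, since it removes the attacker’s ability to get a notification addressed to someone else’s inbox in the first place.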
Schwartz posted that any emails appearing to be from Robinhood should be treated as phishing attempts. This incident mirrors a similar exploit documented in April 2025 involving emails that appeared to come from Google itself.
The key lesson is that the traditional advice to check the sender domain and authentication results is insufficient. Robinhood’s own guidance lists @robinhood.com as authentic, and these messages genuinely came from that domain. Users should therefore avoid clicking links in any email, regardless of how legitimate it looks, and instead open the service directly in their browser or app.
