Email Security, May 05, 2026

Cyber crooks got Robinhood to send phishing emails to its own users - Help Net Security

Help Net Security, archived May 05, 2026



Zeljka Zorz, Editor-in-Chief, Help Net Security
April 27, 2026

An email phishing campaign is currently targeting a subset of users of the Robinhood brokerage / investment platform and, judging by the comments on Reddit, some have fallen for it.

What made the emails convincing

The emails started hitting inboxes on Sunday, April 26, and users soon began reporting the emails to Robinhood and warning other users on Reddit and elsewhere.

[Image: The phishing email (Source: David Schwartz)]

There was immediate speculation that Robinhood was breached or that its email infrastructure was compromised, but a repeating pattern soon pointed to the tricks used by the attackers.

How the attack worked

Many recipients said that the phishing email was sent to their Gmail address, but with a period in the username part of it.

The fact did not go unnoticed by more security-savvy users, who posited that the attackers created new Robinhood accounts using victims’ email addresses, with a dot inserted in the username.

They manipulated the device and browser information submitted during signup, injecting malicious HTML and a phishing link into the fields where normal metadata would appear.

Robinhood’s system stored the data without sanitizing it and when Robinhood automatically sent a login notification email, it pulled in the poisoned metadata and rendered the malicious content inside a genuine Robinhood email.

Since Gmail treats dotted variations of an address as identical, the resulting notification emails landed in real victims’ inboxes. And because the emails were sent through Robinhood’s own servers, they bypassed standard spam filters and authenticity checks that would typically flag phishing attempts.

[Image: The emails passed authentication checks (Source: Abdel Sabbah)]

What the phishing page asked for

To victims, the emails were indistinguishable from legitimate Robinhood communications: the emails were sent from Robinhood’s domain, passed the SPF/DKIM/DMARC checks, and displayed the company’s logo (thanks to Gmail’s support for BIMI).

All the links in the email were legitimate, apart from the one behind the “Review Activity Now” button. That one ultimately pointed (through redirections) to robinhood[dot]casevaultreview[dot]com/verify, a page that claims that unusual activity has been identified on the user’s account and their “access and linked wallets may be compromised”.

The user is urged to verify their identity and go through a security review, which includes confirming their email address and sharing information about their crypto wallet balance. In the end, the user is asked to create a Robinhood crypto wallet and transfer their crypto funds to it.

Robinhood’s response

The Robinhood team confirmed that some customers received a falsified email from noreply@robinhood.com with the subject line “Your recent login to Robinhood” on Sunday evening.

“This phishing attempt was made possible by an abuse of the account creation flow. It was not a breach of our systems or customer accounts, and personal information and funds were not impacted,” the company stated.

That may be true from Robinhood’s end, but users who followed the phishing link and transferred funds to an attacker-controlled wallet might disagree.

Users who clicked on the suspicious link and followed the instructions outlined by the phishing page are urged to contact the company’s support team.
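The two conditions described under "How the attack worked" (a dotted Gmail variant accepted as a new address, and signup metadata rendered into an HTML email without escaping) can be closed with a signup-time check and output encoding. The sketch below is an added example, not Robinhood's code: the template, function names and sample device string are assumptions constructed for illustration, and it goes slightly beyond the article by also collapsing Gmail "+tag" suffixes and the googlemail.com alias.

```python
import html
import re

# Hypothetical login-notification template (not Robinhood's actual template).
TEMPLATE = "<p>We noticed a new login from: {device}</p>"
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

# Constructed sample of poisoned signup metadata; the URL is a placeholder.
SAMPLE_DEVICE = ('Chrome on Windows</p><a href="https://phish.example.invalid/'
                 'verify">Review Activity Now</a><p>')


def canonical_email(addr):
    """Collapse Gmail dot (and +tag) variants to one mailbox identity."""
    local, _, domain = addr.strip().lower().rpartition("@")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def mailbox_already_registered(addr, existing):
    """Signup check: does a dotted variant reach an existing user's inbox?"""
    return canonical_email(addr) in {canonical_email(e) for e in existing}


def contains_markup(value):
    """Reject device/browser metadata that carries angle brackets at intake."""
    return bool(re.search(r"[<>]", value))


def render_unsafe(device):
    # Behaviour the article describes: stored metadata is rendered as HTML.
    return TEMPLATE.format(device=device)


def render_safe(device, max_len=80):
    # Strip control characters, cap length, then escape for the HTML context.
    cleaned = re.sub(r"[\x00-\x1f\x7f]", " ", device)[:max_len]
    return TEMPLATE.format(device=html.escape(cleaned, quote=True))


if __name__ == "__main__":
    print(mailbox_already_registered("j.ane.doe@gmail.com", ["janedoe@gmail.com"]))
    print(contains_markup(SAMPLE_DEVICE))
    print(render_unsafe(SAMPLE_DEVICE))
    print(render_safe(SAMPLE_DEVICE))
```

Escaping at render time is the control that matters for the email body; the intake check and the canonical-address lookup are defence in depth, since SPF/DKIM/DMARC only attest to the sending domain and say nothing about the content it was induced to send.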