Apr 28, 2026 · 5 min read

Hackers Got Robinhood to Send Phishing Emails for Them—Every Spam Filter Waved Them Through

A flaw in Robinhood's account creation let attackers inject phishing content into the company's own emails, bypassing SPF, DKIM, and DMARC.

Phishing From a Verified Sender

On Sunday evening, April 26, Robinhood users started receiving emails from noreply@robinhood.com warning about suspicious login activity. The emails carried Robinhood's verified logo, passed every email authentication check, and landed in primary inboxes. They were also phishing attacks.

Attackers discovered they could abuse Robinhood's account creation process to inject malicious content into the company's own email system. The result: phishing messages delivered through Robinhood's legitimate infrastructure, invisible to every spam filter designed to stop exactly this kind of attack.

The Gmail Dot Trick

The technique exploited two separate weaknesses in sequence. First, attackers created new Robinhood accounts using variations of victims' Gmail addresses. Gmail treats dotted versions of an address as identical: j.ohn.doe@gmail.com delivers to the same inbox as johndoe@gmail.com. This is a well-known quirk of Gmail, and attackers have been exploiting it for years to create duplicate accounts on services that treat each variation as a unique email address.

When Robinhood sent a login notification to the newly created account, the email arrived in the real user's inbox because Gmail routed both the dotted and undotted addresses to the same mailbox.

Injecting HTML Into Trusted Emails

The second part of the attack was more creative. During account creation, attackers injected malicious HTML into the device name field. Robinhood's system did not sanitize this input. When the platform generated its standard login notification email, it included the device name, which now contained a phishing link and fraudulent warning message, rendered as formatted HTML inside an otherwise legitimate email.

The injected content warned users that unusual activity had been detected on their account. A "Review Activity Now" button linked to a domain controlled by the attackers, designed to look like a Robinhood security review page.
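A hardened version of the two steps described above, as an added example that is not Robinhood's code: a canonicalization check that treats dotted and plus-tagged Gmail variants as the same mailbox at signup, beside a notification renderer that HTML-escapes the device name before it enters the template. The template, function names and sample payload are constructed, and the placeholder domain stands in for whatever the attackers actually used.

```python
import html
import re

# Constructed example: the two weaknesses in the article, each beside its fix.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}
TEMPLATE = "<p>New login from device: <b>{device}</b></p>"  # hypothetical template
TEMPLATE_TAGS = {"p", "b"}


def canonical_email(address: str) -> str:
    """Mailbox-level identity for duplicate-account checks.

    Gmail ignores dots in the local part and anything after '+', and
    googlemail.com is the same service; other domains are only lowercased.
    """
    local, _, domain = address.strip().lower().rpartition("@")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def is_duplicate_signup(new_address: str, existing_addresses) -> bool:
    """True when an account already exists for the same real inbox."""
    known = {canonical_email(e) for e in existing_addresses}
    return canonical_email(new_address) in known


def render_login_notice_vulnerable(device_name: str) -> str:
    # The flaw: the user-supplied device name lands in the HTML body as markup.
    return TEMPLATE.format(device=device_name)


def render_login_notice_hardened(device_name: str, max_len: int = 64) -> str:
    # Escape HTML metacharacters and cap the length, so the field can only
    # ever render as text, never as a link, button or warning banner.
    return TEMPLATE.format(device=html.escape(device_name[:max_len], quote=True))


def injected_tags(rendered: str) -> set:
    """Tags present in the rendered email that the template itself does not emit."""
    return {t.lower() for t in re.findall(r"<(\w+)", rendered)} - TEMPLATE_TAGS


# Constructed payload of the kind described in the article (placeholder domain).
PAYLOAD = '<a href="https://review.example.invalid/">Review Activity Now</a>'

if __name__ == "__main__":
    print(is_duplicate_signup("j.ohn.doe@gmail.com", {"johndoe@gmail.com"}))  # True
    print(injected_tags(render_login_notice_vulnerable(PAYLOAD)))             # {'a'}
    print(injected_tags(render_login_notice_hardened(PAYLOAD)))               # set()
```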

Why Every Security Check Failed

This attack bypassed every standard email security protection because the emails were genuinely sent by Robinhood.

  • SPF (Sender Policy Framework) verified that the sending server was authorized to send email for robinhood.com.
  • DKIM (DomainKeys Identified Mail) confirmed the email content had not been tampered with in transit.
  • DMARC (Domain-based Message Authentication, Reporting and Conformance) confirmed that both SPF and DKIM aligned with the sending domain.

Gmail's BIMI (Brand Indicators for Message Identification) displayed Robinhood's verified green logo next to the email. To the recipient, and to every automated security tool, these messages were indistinguishable from real Robinhood communications.
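On the receiving side, the check that still works is on content rather than origin. This added example (not from the article or any mail vendor) parses a constructed message that passes SPF, DKIM and DMARC and flags any link whose registrable domain differs from the authenticated From domain; the Authentication-Results header, mail hosts and link domains are constructed, and the registrable-domain logic is a two-label approximation rather than a public-suffix lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: an authenticated notification whose body carries an injected link.
SAMPLE = """\
From: Robinhood <noreply@robinhood.com>
To: victim@gmail.com
Subject: New login to your account
Authentication-Results: mx.example.net; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/html; charset="utf-8"

<p>New login from device: <b><a href="https://review.example.invalid/login">Review Activity Now</a></b></p>
<p><a href="https://robinhood.com/help">Help Center</a></p>
"""


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (a public-suffix list is the proper tool)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def all_auth_passed(raw: str) -> bool:
    """SPF, DKIM and DMARC all report 'pass' in the (simplified) Authentication-Results."""
    hdr = message_from_string(raw).get("Authentication-Results", "")
    return all(f"{mech}=pass" in hdr for mech in ("spf", "dkim", "dmarc"))


def offdomain_links(raw: str) -> list:
    """Hrefs whose registrable domain differs from the authenticated From domain."""
    msg = message_from_string(raw)
    sender_host = parseaddr(msg["From"])[1].rpartition("@")[2]
    sender_domain = registrable_domain(sender_host)
    body = msg.get_payload(decode=True).decode("utf-8", errors="replace")
    hrefs = re.findall(r'href\s*=\s*["\']([^"\']+)', body, flags=re.IGNORECASE)
    return [h for h in hrefs
            if registrable_domain(urlparse(h).hostname or "") != sender_domain]


def should_flag(raw: str) -> bool:
    """Authenticated sender plus off-domain links is exactly the pattern in the article."""
    return all_auth_passed(raw) and bool(offdomain_links(raw))


if __name__ == "__main__":
    print(should_flag(SAMPLE), offdomain_links(SAMPLE))
```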

The Crypto Wallet Theft

The fake security review page asked users to verify their identity and share information about their cryptocurrency wallet balances. The final step directed victims to create a new Robinhood crypto wallet and transfer their holdings to it, effectively handing their funds to the attackers.

Ripple's former CTO David Schwartz was among the first to publicly flag the campaign, warning his followers on social media that the emails were fraudulent despite appearing completely authentic. Robinhood confirmed the incident on April 27, stating it was "not a breach of our systems or customer accounts" but rather "an abuse of the account creation flow." The company removed the exploited device name field from notification emails.

Robinhood did not disclose how many users received the phishing emails or whether any users lost funds.

A Pattern That Keeps Repeating

This is not the first time attackers have weaponized a company's own email infrastructure. Earlier this month, scammers exploited Apple's account change notifications in a similar fashion, sending phishing emails from Apple's own servers that passed every authentication check.

The fundamental problem is the same in both cases: email authentication protocols like SPF, DKIM, and DMARC verify that a message really came from the domain it claims to come from. They do not verify that the content of that message is safe. When attackers find a way to inject content into a platform's legitimate email flow, every security guarantee breaks down.

What Users Can Do

Email authentication is necessary but insufficient. These steps reduce the risk:

  • Never click links in unexpected emails, even from verified senders. Navigate directly to the company's website or app instead.
  • Enable two-factor authentication on every financial account using an authenticator app, not SMS.
  • Verify urgent requests through a separate channel. If Robinhood says there is unusual activity, open the Robinhood app directly.
  • Watch for injected content that looks out of place. Phishing text inside a real email may use different formatting or unusual phrasing.

The Robinhood attack demonstrates that trust in email authentication alone is misplaced. As long as platforms accept unsanitized user input and include it in automated emails, attackers will find ways to turn companies into unwitting phishing accomplices.
