Read this before you click on any Robinhood email

Robinhood customers received some particularly convincing phishing emails this weekend. The messages, which appeared to come directly from the company, featured authenticated headers, were correctly signed, included a genuine sender’s address, were sent from an authentic email server, and weren’t caught by spam filters.

Worse, the email from [email protected] even earned Gmail’s automatic route into the same conversation threads as legitimate, prior security alerts from Robinhood.

The only fraudulent things about the email were obscure technical irregularities and its contents, a phishing call-to-action seeking login information.

By Sunday night, hackers used Robinhood’s own notification pipeline to render their assault.

Analysis of the exploit went viral on social media soon after.

Robinhood phishing emails were ‘kinda beautiful’

Security researcher Abdel Sabbah posted an analysis of the event, calling it “kinda beautiful” with a sinister connotation. Unfortunately, he was right.

To craft the attack, the hacker first utilized a Gmail “dot trick,” a well-known Google feature whereby Gmail routes [email protected], [email protected], and [email protected] to the same inbox.

Gmail, unlike the rest of the internet, ignores dots in the part of the address before the @ symbol, so all of those variants deliver to the same inbox.

Because Robinhood, unlike Gmail, doesn’t normalize the dotted variants, an attacker used a “dot” modified version of Robinhood’s legitimate customer emails.

Next, the attacker set the device name on the new account to a block of raw HTML. When Robinhood’s “unrecognized activity” email is generated, the template inserts that device name without sanitizing it, rendering the nefarious HTML.

The result, in Sabbah’s words, is what appeared to be “a real email from [email protected], DKIM pass, SPF pass, DMARC pass, with a phishing CTA.”

That CTA or “call to action,” of course, is a fake security alert email with a hyperlink to an attacker-controlled webpage that harvests login credentials and two-factor authentication codes.

The ultimate goal, like almost all phishing campaigns, was to steal customer’s money — in this case, from their Robinhood account.

Think before you click on any email

Many crypto influencers warned people about the convincing emails.

Ripple’s David Schwartz amplified the warning. “Any emails you get that appear to be from Robinhood (and may actually be from their email system) are phishing attempts,” he posted. Quoting Sabbah’s thread, Schwartz added, “It’s quite sneaky.”

In April 2025, Ethereum Name Service Lead Developer Nick Johnson documented an almost identical exploit involving emails that appeared to send from Google itself.

Attackers used a similar series of tricks to use Google’s own infrastructure to deliver DKIM-signed phishing emails from [email protected].

The lesson then is the lesson now: beware of clicking any link in any email, no matter how authentic it appears.

Traditional anti-phishing advice tells users to check the sender domain and look for authentication failures. None of that helped here. The domain appeared real. The signatures appeared real. Only the intent was criminal.

Robinhood’s own scam guidance tells customers to verify the sender’s email domain and lists @robinhood.com as the authentic example.

Protos reached out to Robinhood for comment but didn’t receive a reply prior to publication time. In Nasdaq trading today, the common stock of Robinhood opened flat for trading relative to Friday’s closing print.