In the early hours of last weekend, dozens of Robinhood customers opened their inboxes to find what looked like a routine security alert from the popular trading app.
The email came from noreply@robinhood.com. It carried all the right branding, passed every standard authentication check, and warned of unrecognized activity on their accounts. A prominent “Review Activity Now” button sat ready to click.
For many, it felt official enough to act on. What they didn’t realize was that Robinhood’s own systems had delivered the phishing link straight to them.
This wasn’t a traditional spoofed email or a clever domain trick. It was something more insidious: attackers turned Robinhood’s legitimate notification process against its users by exploiting a combination of Gmail’s long-known email alias quirks and a dangerous gap in how the platform handles user input during account creation.
The result has left security researchers calling it one of the more elegant attacks seen in recent months—a living-off-the-land campaign that required no breach of Robinhood’s core systems, yet still managed to bypass spam filters and user skepticism alike.
How was the attack carried out?
Attackers exploited two well-known but rarely combined weaknesses. First, Gmail’s “dot alias” feature treats addresses like john.doe@gmail.com and johndoe@gmail.com as identical.
Scammers registered new Robinhood accounts using dotted versions of victims’ real email addresses. Robinhood does not normalize these variants the same way Gmail does, allowing the emails to land in the target’s inbox.
Second, during signup, attackers inserted raw HTML code into the optional “device name” field. Robinhood’s system then pulled this unsanitized input directly into its automated “unrecognized activity” or “recent login” notification templates. The injected HTML rendered as a convincing “Review Activity Now” button linking to a fake login page designed to steal credentials and two-factor codes.
Because the messages originated from Robinhood’s legitimate noreply@robinhood.com domain and passed SPF, DKIM, and DMARC checks, they bypassed most email filters and user suspicion.
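The two fixes a defender would want for the flaws described above, as an added Python example (not Robinhood’s code; the template text, the device label and the example.invalid link are constructed): Gmail-style addresses are canonicalized so a dotted variant cannot register as a second account, and the device-name field is escaped before it is rendered into a notification template, shown beside the unsafe rendering the article describes.

```python
import html
import re

# Domains where Google ignores dots in the local part (Googlemail is an alias).
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

def canonical_email(address: str) -> str:
    """Canonical form used to detect duplicate accounts at signup.

    For Gmail mailboxes, dots are ignored and '+tag' is a sub-address, so
    those variants collapse to one mailbox. Other domains are only
    lower-cased, since their local-part rules are not known here.
    """
    local, _, domain = address.strip().rpartition("@")
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "").lower()
        domain = "gmail.com"
    return f"{local}@{domain}"

def is_duplicate_signup(existing: str, new: str) -> bool:
    """Would 'new' reach the same inbox as an account that already exists?"""
    return canonical_email(existing) == canonical_email(new)

# Hypothetical notification template; the real Robinhood template is not public.
TEMPLATE = "<p>We noticed a login from a new device: <b>{device}</b></p>"

# Constructed stand-in for the injected field: a link dressed up as a button.
INJECTED_DEVICE_NAME = '<a href="https://example.invalid/review">Review Activity Now</a>'

def render_unsafe(device_name: str) -> str:
    """The flaw the article describes: raw user input pasted into the HTML."""
    return TEMPLATE.format(device=device_name)

def render_safe(device_name: str) -> str:
    """Hardened: escape the field so it is displayed as text, never as markup."""
    return TEMPLATE.format(device=html.escape(device_name, quote=True))

# Defence in depth: a device label never needs angle brackets or quotes.
DEVICE_NAME_RE = re.compile(r"[A-Za-z0-9 ._'()\-]{1,64}")

def validate_device_name(device_name: str) -> bool:
    """Accept only the characters a device label legitimately needs."""
    return DEVICE_NAME_RE.fullmatch(device_name) is not None

if __name__ == "__main__":
    print(is_duplicate_signup("johndoe@gmail.com", "j.o.h.n.doe@gmail.com"))
    print(render_unsafe(INJECTED_DEVICE_NAME))
    print(render_safe(INJECTED_DEVICE_NAME))
```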
It’s not that Robinhood’s email servers were hacked, “but they have a couple of terrible holes in their account setup,” said a user.
Discovery and Robinhood’s response
Cybersecurity researchers and users on X flagged the campaign over the weekend, with detailed breakdowns showing side-by-side comparisons of the forged emails.
Robinhood confirmed the issue stemmed from abuse of its account creation flow, not a breach of its systems or customer data. Luckily, no funds or personal information were reported stolen in the initial wave.
The company advised affected users to delete the emails immediately and avoid clicking any links. Robinhood has not yet detailed specific fixes but is expected to implement input sanitization for email templates.
This attack stands out for its elegance. Traditional phishing relies on spoofed domains or obvious red flags. Here, the email is genuinely from Robinhood—just tainted at the source. It highlights ongoing challenges in handling user-controlled data in automated communications, especially for financial platforms where trust is paramount.
Security experts note that similar flaws exist elsewhere. Such platforms often fail to escape HTML in notification fields, and Gmail’s alias behavior has been a known vector for years. The timing, just ahead of Robinhood’s Q1 2026 earnings, added extra scrutiny.
Among many leaders, Ripple CTO David ‘JoelKatz’ Schwartz also flagged the issue on X, noting, “Any emails you get that appear to be from Robinhood (and may actually be from their email system) are phishing attempts.”
While Robinhood users dodged widespread compromise this time, the incident serves as a reminder that even authenticated emails can carry risks. Financial apps remain prime targets, and attackers continue refining methods that exploit trust rather than break it outright.