Robinhood customers received highly sophisticated phishing emails over the weekend that bypassed spam filters and appeared in legitimate conversation threads. The emails, sent from [email protected], even earned Gmail’s automatic placement alongside prior security alerts from Robinhood.
By Sunday night, hackers had weaponized Robinhood’s own notification pipeline to execute the attack. Security researchers quickly analyzed the exploit, which went viral on social media. Security researcher Abdel Sabbah described the phishing campaign as “kinda beautiful” with a sinister connotation.
How the Phishing Attack Worked
To craft the attack, the hacker first exploited a Gmail feature known as the “dot trick.” Gmail ignores dots in the address before the @ symbol, so variations like [email protected], [email protected], and [email protected] all route to the same inbox. Unlike Gmail, Robinhood does not normalize these dotted variants, allowing the attacker to register a Robinhood account using a dotted version of a legitimate customer’s email address.
Next, the attacker set the device name on the new account to a block of raw HTML. When Robinhood’s “unrecognized activity” email template generated an alert, it inserted the device name without sanitizing the HTML, rendering the malicious code. The result was an email that appeared legitimate, with:
- Passing DKIM, SPF, and DMARC authentication
- A phishing call-to-action (CTA) disguised as a security alert
- A hyperlink to an attacker-controlled webpage designed to harvest login credentials and two-factor authentication codes
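The template defect described above is an injection into an HTML e-mail body: a user-controlled field (the device name) is interpolated without output encoding, so whatever the user typed becomes markup in a message that is signed by the sender's own mail infrastructure. The block below, an added example and not Robinhood's template code, shows the raw interpolation beside the hardened rendering (escaping at output) and an input-side allow-list as defence in depth. The alert template, the device name used as input, and the domain `phish.example` are all constructed for the illustration.

```python
# Vulnerable vs. hardened rendering of a user-supplied field inside an HTML
# e-mail template.  Added example; the template below is constructed and is
# not the real "unrecognized activity" message.
import html
import re
from string import Template

ALERT_TEMPLATE = Template(
    "<p>We noticed a sign-in from a new device: <b>$device</b>.</p>"
    "<p>If this was not you, review your devices in account settings.</p>"
)

# Constructed sample: a device name that is really a block of HTML.
HTML_DEVICE_NAME = (
    '<a href="https://phish.example/login">Verify your account now</a>'
)


def render_unsafe(device_name: str) -> str:
    """The defect the article describes: the field lands in the HTML as-is,
    so tags and links in the device name are rendered by the mail client."""
    return ALERT_TEMPLATE.substitute(device=device_name)


def render_safe(device_name: str) -> str:
    """Output encoding: every user-controlled value is HTML-escaped at the
    point it enters an HTML context.  Quotes are escaped too so the value is
    safe inside attribute values as well as element content."""
    return ALERT_TEMPLATE.substitute(device=html.escape(device_name, quote=True))


# Allow-list for names stored from the client: letters, digits, spaces and a
# few punctuation marks, capped at 64 characters.  Assumed policy for this
# example; it complements (never replaces) the output encoding above.
DEVICE_NAME_RE = re.compile(r"[A-Za-z0-9 ._()'-]{1,64}")


def validate_device_name(device_name: str) -> bool:
    """Reject device names containing markup characters before they are stored."""
    return DEVICE_NAME_RE.fullmatch(device_name) is not None


def contains_active_markup(rendered: str) -> bool:
    """Cheap outbound check: does the body contain tags the template itself
    never emits?  Used here only to demonstrate the difference between the two
    renderings; it is not a substitute for escaping."""
    template_tags = {"p", "b"}
    found = set(re.findall(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)", rendered))
    return not found <= template_tags


if __name__ == "__main__":
    print(render_unsafe(HTML_DEVICE_NAME))
    print(render_safe(HTML_DEVICE_NAME))
    print(validate_device_name("iPhone 15 (Safari)"))   # True
    print(validate_device_name(HTML_DEVICE_NAME))       # False
```

The important property is that escaping happens where the value enters HTML, inside the template engine or immediately before substitution, so that every caller of the template is protected regardless of where the data came from; an auto-escaping template engine gives the same guarantee by default.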
The ultimate goal, consistent with most phishing campaigns, was to steal customers’ money from their Robinhood accounts.
Warnings from Industry Experts
Many crypto influencers and security experts warned users about the convincing emails. David Schwartz, Ripple’s Lead Developer, amplified the warning on social media, stating:
“Any emails you get that appear to be from Robinhood (and may actually be from their email system) are phishing attempts.” He added, quoting Sabbah’s thread, “It’s quite sneaky.”
Laura Shin, a prominent crypto journalist, also shared the warning on April 27, 2026:
“Stay safe out there, everyone” https://t.co/EZCGyY5szP — Laura Shin (@laurashin)
Parallel Exploit Highlights Ongoing Risks
In April 2025, Ethereum Name Service Lead Developer Nick Johnson documented a nearly identical exploit involving emails that appeared to be sent from Google itself. Attackers used a similar series of tricks to send DKIM-signed phishing emails from [email protected] by exploiting Google’s infrastructure.
The lesson from both incidents is clear: beware of clicking any link in any email, no matter how authentic it appears. Traditional anti-phishing advice, such as checking sender domains and authentication failures, proved ineffective in these cases. The domain name alone cannot be trusted as a reliable indicator of legitimacy.