The emails passed domain authentication checks because they appeared to be sent through Robinhood’s actual email infrastructure.
David Schwartz, Ripple’s chief technology officer, posted a warning on X, telling users that a phishing campaign has sent fraudulent security alerts that appear to come from Robinhood’s email infrastructure.
Robinhood has since confirmed the incident, attributing it to abuse of its account creation flow rather than any breach of its systems.
What a phishing email looks like and how it went through
According to Schwartz, the fake email, whose subject line was “Your last Robinhood login,” He claimed That there was an unknown login attempt on the “iPhone 17 Pro” at a specific time and that the account phone number ending in “87” will be updated soon.
There’s a “Review activity now” button at the bottom, along with a warning that once changes are confirmed, they cannot be reversed, which is standard panic-inducing language, designed to make people click before they think.
Schwartz He said He wasn’t sure of the exact mechanisms but believed, based on a quick look, that the emails “were somehow fed into Robinhood’s actual email infrastructure at some point.”
This is important because the filters used by most email providers check to see if the message actually came from the domain it says it did. If the sending path looked real, those checks would pass, and so the scam arrived in Schwartz’s inbox looking exactly like the original article.
Robinhood support account later certain “Some customers received a fake email from noreply@robinhood.com,” he said, adding that the attack exploited its account creation flow and no systems were compromised, no personal information was exposed, and no funds were compromised.
You may also like:
The company’s guidance to customers was to delete the email, not click on anything, and to contact Robinhood through the app if they were concerned.
A pattern that keeps repeating
Reaction to X came quickly, with one user wondering how a company the size of Robinhood could compromise its official email at all, while another, Demosthenes, asked, male Fraudulent emails tend to proliferate during unstable market periods.
The creator of Web3 Dpac claimed they did receive A similar phishing email two days earlier from attackers impersonating XRP Cafe flagged a separate wave running through X itself, with hijacked accounts sending malicious links via direct messages and multiple reports of wallet draining.
None of this is happening in isolation, with Ledger users coming in January He hits With phishing emails after a data breach at third-party e-commerce partner Global-e exposed their contacts and order details. The scammers then sent fake integration notices asking them to enter wallet recovery phrases on a fake website.
Furthermore, a February report by Scam Sniffer stated that phishing losses have occurred He went up down 207% compared to December, costing victims $6.27 million in 4,741 cases as attackers used wallet poisoning and fraudulent consents to trick users into signing to deny access to funds.
The following month, the F.B.I to caution Tron users report fake tokens impersonating the agency and directing people towards a site designed to collect wallet credentials.
Free Binance $600 (CryptoPotato Exclusive): Use this link To register a new account and get an exclusive welcome offer of $600 on Binance (Full details).
Limited offer for Bybit’s CryptoPotato readers: Use this link To register and open a free position worth $500 on any currency!
