Robinhood users are being warned about a new phishing attack that takes advantage of Gmail’s native “dot alias” feature and flaws in Robinhood’s account creation process to send malicious emails.
Robinhood users on Sunday began reporting on social media that they had received emails originating from the platform's mail server warning of an unrecognized device login; the email's "call to action" button linked to phishing websites.

Source: David Gobaud
Alex Eckelberry, a cybersecurity researcher and tech CEO, said the phishing campaign wasn’t the result of a hack but instead exploited a native Gmail characteristic that ignores dots in an email address, as well as a “couple of terrible holes” in Robinhood’s account setup.
It comes after blockchain security company Hacken reported earlier this month that phishing and social engineering attacks dominated crypto attacks in the first quarter of 2026, accounting for $306 million in losses.

Source: Alex Eckelberry
Hackers created fake Robinhood accounts
Eckelberry said the scam relied on fraudsters creating an account on Robinhood with an email closely mimicking their target’s email address.
For example, a Robinhood user could have an email address such as "jane.smith@gmail.com". The scammer would create a new Robinhood account with the same address minus the dot in the middle, "janesmith@gmail.com".
While Robinhood would treat them as completely separate accounts, Gmail ignores dots in the username part of an email address. This means scammers could prompt Robinhood to automatically send emails intended for their fake account, but have them arrive in their target’s inbox instead.
To get a phishing link into the automated email sent when a new Robinhood account is created, the scammers then added HTML to the optional "device name" field on Robinhood. That field ends up in the body of the email, and Gmail renders the HTML as formatting and links rather than displaying it as plain text.

Source: Abdel
“The result is a real email from "noreply@robinhood.com" that passes SPF, DKIM, and DMARC. It looks completely legitimate but now contains injected fake warning text and a working phishing button. Clicking the button leads to a fake login site,” Eckelberry said.
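The two weaknesses described above, address aliasing at signup and unescaped user input in a transactional email, are both ordinary input-handling problems on the sending side. The following Python is an added illustration of the defensive checks, not code from Robinhood, Gmail, or the researcher quoted here. It assumes the Gmail behaviour the article describes (dots in the local part are ignored) plus two further Gmail rules that are well documented (anything after "+" is ignored, and googlemail.com is the same mailbox as gmail.com); the template, function names and the constructed device-name input are hypothetical.

```python
from html import escape


# Canonical form of an address, so that aliases of one Gmail mailbox
# compare equal. Assumption: only the Gmail rules named in the lead-in;
# other domains are merely lower-cased.
def canonical_email(address: str) -> str:
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    local, domain = local.lower(), domain.lower()
    if domain in ("gmail.com", "googlemail.com"):
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


# Signup check: refuse (or flag for review) a new account whose address
# canonicalises to one that is already registered. This is the check that
# a dot-only variant of an existing address would trip.
def is_duplicate_signup(new_address: str, existing_addresses) -> bool:
    canon = canonical_email(new_address)
    return any(canonical_email(e) == canon for e in existing_addresses)


# Hypothetical login-alert template; the device name is user-controlled.
TEMPLATE = "<p>We noticed a login from a new device: <b>{device}</b>.</p>"


# Weak version: user input is dropped straight into the HTML body, so any
# markup in the device name becomes real markup in the delivered email.
def render_login_alert_unsafe(device_name: str) -> str:
    return TEMPLATE.format(device=device_name)


# Hardened version: cap the length, fall back to a neutral label for an
# empty value, and HTML-escape the text so '<', '>', '&' and quotes are
# displayed literally instead of being interpreted by the mail client.
def render_login_alert(device_name: str, max_len: int = 64) -> str:
    cleaned = device_name.strip()[:max_len] or "unknown device"
    return TEMPLATE.format(device=escape(cleaned, quote=True))


if __name__ == "__main__":
    # Constructed sample input in the shape the article describes.
    existing = ["jane.smith@gmail.com", "bob@example.com"]
    print(is_duplicate_signup("janesmith@gmail.com", existing))
    print(is_duplicate_signup("jane.smith@example.com", existing))
    payload = '<a href="https://example.invalid/login">Verify your login</a>'
    print(render_login_alert_unsafe(payload))
    print(render_login_alert(payload))
```

Both checks belong on the sending side: canonical comparison at registration (and again before any account email is sent) stops one mailbox from receiving mail for two accounts, and escaping at the template boundary means a device name is only ever text. The escape is the right layer even if the field is also validated earlier, because the template is the last place the value can still be changed before it is handed to the mail client.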
The email is only dangerous if information is added
Visiting the fake login website alone isn’t enough for hackers to gain access to an account, Eckelberry said, but entering sensitive information such as passwords could allow bad actors to do so.
Robinhood’s support account on X posted a statement on Monday confirming that some users received a falsified email from "noreply@robinhood.com" with the subject line “Your recent login to Robinhood” and blamed the issue on an exploit of the “account creation flow.”
“This phishing attempt was made possible by an abuse of the account creation flow. It was not a breach of our systems or customer accounts, and personal information and funds were not impacted,” they said.
“If you received this email, please delete it and do not click any suspicious links. If you have clicked a suspicious link or have any questions about your account, please contact us directly within the Robinhood app or website.”
cointelegraph.com