How Fake Login Alerts Reached Real Inbox And Looked Legitimate
A phishing campaign targeting users of Robinhood has surfaced after attackers managed to send convincing login alert emails that appeared to come directly from the platform’s official system.
The emails warned of unrecognised device activity and pushed recipients to click a “Review Activity Now” button, which redirected them to fraudulent login pages designed to steal account credentials.
What made the attack particularly deceptive was that the messages passed standard email authentication checks and landed in inboxes as if they were genuine security alerts.
Reports first emerged on social platforms as users began sharing screenshots and questioning whether Robinhood itself had been compromised.
Gmail Dot Alias Behaviour Used To Mirror Victims’ Email Addresses
Security researchers say the campaign did not stem from a direct breach of Robinhood’s infrastructure, but from a combination of email behaviour and weaknesses in the account creation process.
Gmail ignores dots in the username part of an address, so two spellings of the same username that differ only in where the dots sit are delivered to the same inbox.
Attackers exploited this by registering Robinhood accounts using near-identical variations of victims’ email addresses.
While the brokerage system treated them as separate users, Gmail still routed the messages to the real target.
This allowed fraudsters to trigger automated security emails from Robinhood’s systems that ultimately landed in the victim’s inbox.
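As an added example (not code from Robinhood or from the researchers quoted on this page), the following Python shows the check that the onboarding flow described above was missing: canonicalising Gmail-style addresses before enforcing uniqueness, so that dot-variants of one mailbox cannot be registered as separate accounts. The domain list, the `AccountRegistry` class and the sample addresses are assumptions constructed for the illustration.

```python
import re
from typing import Dict, Optional

# Providers that ignore dots (and "+tags") in the local part.
# Assumption for this example; maintain the list from your own provider data.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}

_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def canonical_email(address: str) -> str:
    """Return the form used for uniqueness and abuse checks only.

    Mail is still sent to the address the user typed; the canonical value
    is what the 'one account per mailbox' rule is enforced on.
    """
    address = address.strip().lower()
    if not _EMAIL_RE.match(address):
        raise ValueError(f"malformed address: {address!r}")
    local, domain = address.rsplit("@", 1)
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.split("+", 1)[0]   # Gmail ignores everything after '+'
        local = local.replace(".", "")   # ...and every dot in the username
        domain = "gmail.com"             # googlemail.com is the same mailbox
    return f"{local}@{domain}"


class AccountRegistry:
    """Minimal stand-in for the signup store (constructed for the example)."""

    def __init__(self) -> None:
        self._owner_by_canonical: Dict[str, str] = {}

    def register(self, email: str) -> bool:
        """Create an account; return False if the mailbox already has one."""
        key = canonical_email(email)
        if key in self._owner_by_canonical:
            return False
        self._owner_by_canonical[key] = email
        return True

    def owner(self, email: str) -> Optional[str]:
        """Address originally registered for the mailbox behind `email`."""
        return self._owner_by_canonical.get(canonical_email(email))


if __name__ == "__main__":
    registry = AccountRegistry()
    # Constructed sample addresses: the second is a dot-variant of the first.
    print(registry.register("j.doe@gmail.com"))    # True
    print(registry.register("jd.oe@gmail.com"))    # False: same Gmail inbox
    print(registry.register("j.doe@example.com"))  # True: dots matter elsewhere
```

The canonical form belongs in the uniqueness constraint, in signup rate limiting and in the routing of security notifications; it must not replace the address the user logs in with, and the dot-collapsing rule must only be applied to domains known to ignore dots, since for most mail systems dots in the local part are significant.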
Hidden Code Injected Through Account Setup Fields: How Did It Bypass Filters?
Cybersecurity researcher and tech CEO Alex Eckelberry said the operation relied on “a couple of terrible holes” in the onboarding flow.
Attackers reportedly inserted HTML-based instructions into optional fields such as “device name” during account creation. These fields were not properly sanitised, allowing malicious content to be embedded into automated email templates.
Because the messages were generated and sent by Robinhood’s own email servers, they passed SPF, DKIM and DMARC. Those checks only establish that a message came from infrastructure authorised to send for the domain and was not altered in transit; they say nothing about whether the content is trustworthy, so attacker-supplied text embedded by a legitimate sender is authenticated along with the rest of the message.
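As an added example, not Robinhood’s template or code, here is a vulnerable notification renderer beside a hardened one in Python, exercised with a constructed payload of the kind described above. The template text, the `device` field and the payload are assumptions made for the illustration.

```python
import html
import re

MAX_DEVICE_NAME = 64

# Assumed notification template, not Robinhood's. Only {device} is
# attacker-influenced; everything else is fixed markup.
TEMPLATE = (
    "<p>We noticed a login from <b>{device}</b>.</p>"
    "<p>If this wasn't you, open the app and review your devices.</p>"
)

# Constructed payload of the kind the article describes: it closes the
# template's tags, adds a fake warning and a "Review Activity Now" button.
PAYLOAD = (
    'Pixel 7</b><p style="color:red">Unrecognised device. '
    '<a href="https://example.invalid/review">Review Activity Now</a></p><b>'
)


def render_alert_vulnerable(device_name: str) -> str:
    """Bug: user-supplied text is interpolated into HTML unescaped."""
    return TEMPLATE.format(device=device_name)


def render_alert_safe(device_name: str) -> str:
    """Bound the length, drop control characters, then escape for HTML."""
    name = device_name[:MAX_DEVICE_NAME]
    name = "".join(ch for ch in name if ch.isprintable())
    return TEMPLATE.format(device=html.escape(name, quote=True))


_TAG_RE = re.compile(r"<\s*(/?[A-Za-z][A-Za-z0-9]*)")
_TEMPLATE_TAGS = {"p", "/p", "b", "/b"}


def contains_foreign_markup(rendered: str) -> bool:
    """Audit helper: True if any tag other than the template's own appears."""
    return any(t.lower() not in _TEMPLATE_TAGS for t in _TAG_RE.findall(rendered))


if __name__ == "__main__":
    print(contains_foreign_markup(render_alert_vulnerable(PAYLOAD)))  # True
    print(contains_foreign_markup(render_alert_safe(PAYLOAD)))        # False
    print(render_alert_safe(PAYLOAD))
```

Escaping at the point where the value enters HTML is the control that matters; an allowlist on the field itself (letters, digits, spaces, a few punctuation marks) is a worthwhile second layer but not a substitute, because the same value will be rendered in other contexts (plain-text parts, subject lines, in-app views) that each need their own encoding. A template engine with autoescaping turned on gives the same protection without relying on every call site remembering to escape.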
Eckelberry explained,
“The result is a real email from ‘[email protected]’ that passes SPF, DKIM, and DMARC. It looks completely legitimate but now contains injected fake warning text and a working phishing button. Clicking the button leads to a fake login site.”
Why The Emails Were Hard To Distinguish From Real Alerts
The fraudulent emails closely replicated official security notifications, including Robinhood branding and login activity summaries such as device type and access time.
Because the emails originated through legitimate infrastructure, standard spam filters were far less likely to flag them as suspicious.
One variation of the scam redirected users to a fake domain resembling a security verification page, where victims were asked to confirm account details and crypto wallet information.
Some instructions even prompted users to transfer funds into newly created wallets controlled by attackers.
Crypto Industry Losses Highlight Growing Social Engineering Threat
Security firm Hacken reported that phishing and social engineering accounted for around $306 million in losses during the first quarter of 2026 alone, showing how persistent and costly these tactics have become across the crypto sector.
The Robinhood incident fits into this wider pattern, where attackers increasingly rely on manipulating user trust rather than breaking encryption or core infrastructure.
Experts Warn Of Email Trust Exploits Rather Than System Breaches
Ripple CTO Emeritus David Schwartz also flagged the campaign, warning users that even emails appearing to originate from official systems may still be malicious.
“WARNING: Any emails you get that appear to be from Robinhood (and may actually be from their email system) are phishing attempts.”
He noted that the emails displayed realistic login details, device information and security prompts, making them difficult to question at first glance.
Security analyst Abdel Sabbah from Cubby Law explained that attackers combined Gmail address manipulation with injected HTML in account setup fields, allowing the phishing content to be rendered inside authentic-looking alerts.
Robinhood Response Says No System Breach Occurred
Robinhood confirmed that some users received falsified emails with the subject line “Your recent login to Robinhood” and said the issue stemmed from abuse of the account creation process.
The company stated,
“This phishing attempt was made possible by an abuse of the account creation flow. It was not a breach of our systems or customer accounts, and personal information and funds were not impacted.”
Users who receive similar messages are advised to delete them, avoid clicking links, and verify any account activity directly through the official app or website rather than email prompts.