Scammers used Gmail dot alias and Robinhood flaw to send phishing

Attackers created Robinhood accounts using dotless Gmail aliases and injected HTML into the device-name field, causing authentic [email protected] emails to carry phishing links.
Robinhood customers began reporting on Sunday that they had received automated emails warning of an unrecognized device login. The messages originated from [email protected] and included buttons that directed recipients to counterfeit login pages.
Robinhood’s support account on X confirmed on Monday that some users received falsified messages and attributed the incident to “an abuse of the account creation flow.” The company stated the event was not a breach of its systems, that personal information and funds were not impacted, and advised users to delete the email and not click on any links. The company asked anyone with concerns to contact support through the Robinhood app or website.
Cybersecurity researcher and tech CEO Alex Eckelberry outlined how the campaign worked. Attackers registered new Robinhood accounts using email addresses that mimic a target’s Gmail address but omit dots in the local part. For example, a scammer could create [email protected] to impersonate [email protected]. Robinhood treated those as separate accounts, while Gmail ignores dots in the local part and delivers mail for both forms to the same inbox. The genuine new-device alert that Robinhood sent for the attacker’s signup therefore landed in the victim’s inbox.
To place a phishing link inside that automated message, attackers inserted HTML into Robinhood’s optional device-name field during signup. Robinhood’s notification template embedded the field without escaping it, so recipients’ mail clients rendered the injected markup as part of a genuine email sent from Robinhood’s mail server. Because the messages originated from Robinhood’s own servers, they passed SPF, DKIM and DMARC authentication checks and appeared legitimate.
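The two mechanics described above, as an added example that is not Robinhood’s code or Eckelberry’s: a signup-time check that canonicalizes Gmail addresses (dots dropped, `+tag` stripped) so that dot variants of an existing account are detected as the same inbox, and a hypothetical login-alert template rendered both without escaping (the injectable shape) and with a length cap plus `html.escape`. The template text, the account list and the attacker device name (which links to the reserved `example.invalid` domain) are constructed for this illustration.

```python
from __future__ import annotations

import html
import re

# Domains whose mailboxes ignore dots and '+tags' in the local part.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Return the mailbox an address actually delivers to.

    Gmail ignores dots in the local part and treats anything after '+'
    as a tag, so j.doe@gmail.com, jdoe@gmail.com and jdoe+x@googlemail.com
    all reach one inbox.  Case is folded everywhere, which may merge two
    addresses a strict RFC 5321 reading keeps apart; for a collision
    check that is the safe direction.
    """
    local, _, domain = address.strip().rpartition("@")
    local, domain = local.lower(), domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def find_collision(new_address: str, existing: set[str]) -> str | None:
    """Signup check: return an existing account address that would share
    an inbox with new_address, or None if the mailbox is genuinely new."""
    wanted = canonical_email(new_address)
    for addr in existing:
        if canonical_email(addr) == wanted:
            return addr
    return None


# Hypothetical login-alert template (not Robinhood's); the device name is
# user-controlled at signup.
ALERT_TEMPLATE = (
    "<p>A new device signed in to your account.</p>"
    "<p>Device: {device}</p>"
)

# Constructed attacker input: closes the template's paragraph, adds a fake
# warning and a link to a placeholder domain, then reopens a paragraph so
# the surrounding markup still balances.
ATTACKER_DEVICE_NAME = (
    '</p><p style="color:red">Unrecognized login. '
    '<a href="https://example.invalid/login">Secure your account</a></p><p>'
)

TAG_RE = re.compile(r"<[A-Za-z/][^>]*>")


def count_tags(markup: str) -> int:
    """Number of HTML tags in a rendered message body."""
    return len(TAG_RE.findall(markup))


def render_alert_vulnerable(device_name: str) -> str:
    """Raw interpolation: whatever the user typed becomes markup."""
    return ALERT_TEMPLATE.format(device=device_name)


def render_alert_hardened(device_name: str, max_len: int = 64) -> str:
    """Length-cap then HTML-escape: the name can only ever appear as text."""
    safe = html.escape(device_name[:max_len], quote=True)
    return ALERT_TEMPLATE.format(device=safe)


if __name__ == "__main__":
    accounts = {"john.doe@gmail.com", "jane@example.com"}  # constructed
    print("signup collides with:", find_collision("johndoe@gmail.com", accounts))
    for label, render in (("vulnerable", render_alert_vulnerable),
                          ("hardened", render_alert_hardened)):
        body = render(ATTACKER_DEVICE_NAME)
        print(f"{label}: {count_tags(body)} tags, link present: {'<a ' in body}")
```

The vulnerable render carries six extra tags, including the attacker’s anchor, inside an otherwise authentic message; the hardened render keeps exactly the template’s four tags because every `<` from the field is emitted as `&lt;`. Rejecting or merging signups that `find_collision` flags closes the delivery side of the chain, and escaping closes the content side; either alone would have broken this campaign.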
Eckelberry wrote: “The result is a real email from ‘[email protected]’ that passes SPF, DKIM, and DMARC. It looks completely legitimate but now contains injected fake warning text and a working phishing button.” Clicking the button led to a fake login page. Visiting the counterfeit site alone does not grant attackers access; entering credentials or other sensitive information does.
Robinhood advised anyone who clicked a suspicious link to contact the company through official channels. The firm reiterated that users should delete unexpected security emails and confirm any alerts through the app or website before taking action.
The incident follows a report from blockchain security firm Hacken that phishing and social engineering accounted for $306 million in crypto-related losses in the first quarter of 2026. The campaign highlights how attackers can combine legitimate platform features and email-handling behaviors to deliver convincing phishing messages.
The material on GNcrypto is intended solely for informational use and must not be regarded as financial advice. We make every effort to keep the content accurate and current, but we cannot warrant its precision, completeness, or reliability. GNcrypto does not take responsibility for any mistakes, omissions, or financial losses resulting from reliance on this information. Any actions you take based on this content are done at your own risk. Always conduct independent research and seek guidance from a qualified specialist. For further details, please review our Terms, Privacy Policy and Disclaimers.