David Schwartz, former CTO of Ripple, has raised an alert over a targeted phishing campaign aimed at Robinhood users, warning that the emails appear highly convincing—even passing standard security checks.
Summary
Schwartz cautioned that phishing emails impersonating Robinhood are bypassing authentication systems.
Attackers are embedding malicious links within emails that look like official alerts.
The messages reportedly pass SPF, DKIM, and DMARC checks, making them appear legitimate.
According to Schwartz, the phishing emails closely resemble genuine communication from Robinhood, complete with login alerts showing device details, timestamps, and case IDs. Recipients are prompted to “Review Activity Now,” but the embedded link reportedly leads to a phishing page designed to steal login credentials.
He warned on social media that even emails appearing to come directly from Robinhood’s system should be treated with suspicion, describing the exploit as “quite sneaky.” The campaign’s ability to pass authentication checks increases the likelihood that users may trust the messages.
Exploit linked to email system manipulation
Security insights shared by researcher Abdel Sabbah suggest the attack may leverage Gmail’s “dot trick”: Gmail ignores dots in the local part of an address, so many dotted variations of one address all deliver to the same inbox. Attackers reportedly created Robinhood accounts using these variations and inserted malicious HTML code into a device name field.
Because this field was not properly sanitized before being placed in the login-alert template, the payload could be embedded into legitimate emails sent from Robinhood’s own infrastructure (e.g., noreply@robinhood.com). Since the messages really do originate from that infrastructure, they pass SPF, DKIM, and DMARC, and users receive authentic-looking emails that contain hidden malicious elements.
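The defect described above is an HTML injection through a user-controlled field rendered into a transactional email template. The following is an added example, not code from Robinhood or from the article: it uses a simplified, constructed login-alert template and a constructed device-name value to show the vulnerable rendering beside the hardened one (escaping every user-controlled field with html.escape), plus an input-side check that flags markup in a field that should only ever hold a device name.

```python
import html
import re

# Constructed sample value: a device name carrying injected markup, of the
# kind the article describes being stored in an account field. The link
# target is a placeholder on a reserved domain.
INJECTED_DEVICE_NAME = (
    'iPhone<a href="https://phish.example/login">Review Activity Now</a>'
)

# Simplified, hypothetical login-alert template (not Robinhood's real one).
TEMPLATE = (
    "<p>New login detected</p>"
    "<p>Device: {device}</p>"
    "<p>Time: {time}</p>"
    "<p>Case ID: {case_id}</p>"
)


def render_unsafe(device: str, time: str, case_id: str) -> str:
    """Vulnerable pattern: interpolates the user-controlled device name
    verbatim, so any tags it contains become part of the email body."""
    return TEMPLATE.format(device=device, time=time, case_id=case_id)


def render_safe(device: str, time: str, case_id: str) -> str:
    """Hardened pattern: HTML-escape every field that can be influenced by
    a user before it reaches the template. quote=True also escapes quotes,
    which matters when a field lands inside an attribute value."""
    return TEMPLATE.format(
        device=html.escape(device, quote=True),
        time=html.escape(time, quote=True),
        case_id=html.escape(case_id, quote=True),
    )


def contains_markup(value: str) -> bool:
    """Input-side check for a device-name field: anything with angle brackets
    is not a plausible device name and should be rejected or logged."""
    return "<" in value or ">" in value


def normalize_device_name(value: str, max_len: int = 64) -> str:
    """Defence in depth: keep only characters a device name legitimately
    needs and cap the length, so stored values cannot carry markup even if
    a future template forgets to escape."""
    cleaned = re.sub(r"[^\w .()\-]", "", value)
    return cleaned[:max_len]


def count_anchors(rendered_html: str) -> int:
    """Output-side check: count <a> elements in a rendered alert. A template
    with no links of its own should render with zero anchors."""
    return len(re.findall(r"<a\s", rendered_html, flags=re.IGNORECASE))


if __name__ == "__main__":
    unsafe = render_unsafe(INJECTED_DEVICE_NAME, "2024-01-01 00:00 UTC", "CASE-PLACEHOLDER")
    safe = render_safe(INJECTED_DEVICE_NAME, "2024-01-01 00:00 UTC", "CASE-PLACEHOLDER")
    print("anchors in unsafe rendering:", count_anchors(unsafe))
    print("anchors in safe rendering:  ", count_anchors(safe))
    print("flagged at input:", contains_markup(INJECTED_DEVICE_NAME))
    print("normalized name:", normalize_device_name(INJECTED_DEVICE_NAME))
```

The two renderers differ by one call per field, which is why this class of bug survives review so easily: the template looks identical, and the email still passes every authentication check because the sending infrastructure is genuine. Escaping at render time is the essential fix; the input-side check and normalization are secondary controls that also give operations a detectable signal when someone writes markup into a device-name field.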
Phishing risks persist in crypto space
Phishing attacks continue to be a major threat for crypto users. Recently, MetaMask users were targeted in a separate campaign involving fake two-factor authentication prompts. Blockchain security firm SlowMist reported that victims were redirected to fraudulent sites requesting seed phrases, allowing attackers to gain full access to funds.
These campaigns often rely on urgency tactics and subtle inconsistencies—such as unusual sender addresses or slightly altered domains—to deceive users.
Key takeaway
Even emails that pass authentication checks should not be blindly trusted. Users are advised to avoid clicking on suspicious links and instead verify account activity directly through official apps or websites.