Ripple’s former CTO, David Schwartz, warned on X that a phishing campaign delivered fraudulent security alerts that appeared to originate from Robinhood’s own email infrastructure.
Robinhood later confirmed the incident, saying the messages resulted from abuse of its account creation flow rather than a breach of its systems.
What the Phishing Email Looked Like and How It Bypassed Defenses
Schwartz said the fraudulent email used the subject line “Your most recent login to Robinhood” and claimed an unrecognized login from an “iPhone 17 Pro” at a specified time. The message also stated that an account phone number ending in “87” would be updated shortly.
The email included a prominent “Review Activity Now” button and a warning that changes could not be reversed once confirmed: a classic tactic meant to create urgency and push recipients to click before thinking.
While Schwartz was unsure of the exact method used, he noted that the messages appeared to have been injected into Robinhood’s actual email infrastructure. That distinction matters because the standard email authentication checks (SPF, DKIM and DMARC) verify that a message was sent by servers authorized for the domain in the From header, not that its contents are legitimate. A message that genuinely leaves the company’s own mail servers passes all three checks and lands in inboxes indistinguishable, at the authentication layer, from a real alert; the only remaining signals are in the content itself, such as where the links actually point.
Robinhood’s support account later confirmed that “some customers received a falsified email from [email protected],” said the attack exploited the account creation flow, and emphasized that no internal systems were breached, no personal information was exposed, and no funds were impacted. Robinhood did not detail the mechanism; abuse of a sign-up flow in this sense typically means attacker-supplied text entered through a registration form was echoed back in a legitimately generated notification, which would explain a genuine sender address on a fraudulent message.
The company advised customers to delete the email without clicking links and to contact Robinhood through the app if they had concerns.
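As an added illustration (not code from the article, from Schwartz, or from Robinhood), the following Python script shows why a clean SPF/DKIM/DMARC result says nothing about a message's content, and what a mailbox-side check can look at instead: whether the links in an authenticated message point at the sender's own domain, and whether the body leans on urgency phrasing. The domain brand.example, the headers and the body text are constructed for the example; the registrable-domain logic is a deliberate simplification that a production filter would replace with the public suffix list.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (hypothetical brand.example, invented headers and body):
# authentication passes because the message really left the brand's own mail
# servers, yet the call-to-action link points at an unrelated domain.
SAMPLE_EMAIL = b"""\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=notifications.brand.example;
 dkim=pass header.d=brand.example;
 dmarc=pass header.from=brand.example
From: Brand Security <no-reply@brand.example>
To: victim@example.net
Subject: Your most recent login to Brand
Content-Type: text/html; charset=utf-8

<html><body>
<p>We noticed a login from a new device. Your phone number will be updated shortly.</p>
<p><a href="https://brand-example-review.xyz/activity">Review Activity Now</a></p>
<p>Changes cannot be reversed once confirmed.</p>
<p><a href="https://brand.example/help">Help Center</a></p>
</body></html>
"""

# Same message with the call-to-action pointing at the sender's own domain.
SAMPLE_LEGIT = SAMPLE_EMAIL.replace(
    b"https://brand-example-review.xyz/activity", b"https://brand.example/account/activity")

# Same message failing DMARC, i.e. an ordinary From-header spoof.
SAMPLE_SPOOF = SAMPLE_EMAIL.replace(b"dmarc=pass", b"dmarc=fail")

# Secondary signal only: urgency wording is common in real alerts too.
URGENCY_PHRASES = ("cannot be reversed", "updated shortly", "review activity now")


class _LinkCollector(HTMLParser):
    """Collect (anchor text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def parse_auth_results(msg):
    """Pull spf/dkim/dmarc verdicts out of Authentication-Results (RFC 8601, simplified)."""
    header = str(msg.get("Authentication-Results", ""))
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header))


def base_domain(host):
    """Crude registrable-domain approximation: the last two DNS labels."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze(raw):
    """Classify a raw RFC 5322 message: unauthenticated, ok, or suspicious."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    auth = parse_auth_results(msg)
    authenticated = all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))
    sender_domain = base_domain(parseaddr(str(msg.get("From", "")))[1].rsplit("@", 1)[-1])

    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    collector = _LinkCollector()
    collector.feed(html)
    # Only http(s) links are compared; their host must share the sender's domain.
    off_domain = [
        (text, href) for text, href in collector.links
        if urlparse(href).scheme in ("http", "https")
        and base_domain(urlparse(href).hostname or "") != sender_domain
    ]
    plain = re.sub(r"<[^>]+>", " ", html).lower()
    urgency_hits = sum(plain.count(p) for p in URGENCY_PHRASES)

    if not authenticated:
        verdict = "unauthenticated"   # DMARC policy already covers this case
    elif off_domain:
        verdict = "suspicious"        # authenticated, but the links betray it
    else:
        verdict = "ok"
    return {"authenticated": authenticated, "sender_domain": sender_domain,
            "off_domain_links": off_domain, "urgency_hits": urgency_hits,
            "verdict": verdict}


if __name__ == "__main__":
    for name, sample in (("injected", SAMPLE_EMAIL), ("legit", SAMPLE_LEGIT), ("spoof", SAMPLE_SPOOF)):
        print(name, analyze(sample))
```

The point of the three samples is the middle row of the comparison: the spoofed variant is the only one authentication catches, while the injected and legitimate variants are identical to SPF, DKIM and DMARC and can be told apart only by where "Review Activity Now" leads.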
A Recurring Pattern
Responses on X were swift. Some users questioned how a company of Robinhood’s scale could have an official-looking email compromised, while others observed that scam emails often spike during turbulent market periods.
Web3 developer Dpac reported receiving a similar phishing message two days earlier from perpetrators impersonating XRP Cafe and flagged a separate wave of attacks on X, including compromised accounts sending malicious links via direct messages and multiple reports of wallets being drained.
This incident is part of a broader trend. In January, Ledger users were targeted with phishing emails after a data breach at third-party e-commerce partner Global-e exposed customer contacts and order information. Attackers followed up with fake merger notices that urged recipients to enter wallet recovery phrases on counterfeit websites.
Scam Sniffer reported in February that phishing losses surged 207% from December, costing victims $6.27 million across 4,741 cases. Attackers increasingly used techniques such as wallet poisoning and fraudulent transaction approvals to trick users into signing away access to funds.
In March, the FBI warned Tron users about fake tokens impersonating the agency and directing victims to sites designed to harvest wallet credentials.
Together, these incidents illustrate how attackers combine social engineering, exploitation of third-party weaknesses, and tactics that pass, rather than defeat, ordinary email authentication to create convincing phishing campaigns. Users are advised to treat unexpected security alerts with caution, avoid clicking links in unsolicited emails, verify messages through official app channels, never enter a wallet recovery phrase on a site reached from an email, and enable strong account protections such as two-factor authentication where available.