Sophisticated phishing attack targets Robinhood… domain and authentication both check out
Reportedly, Robinhood users received a large number of "phishing emails" over the weekend that appeared to be sent directly by the company. The sender addresses genuinely used the @robinhood.com domain, the messages carried valid authentication headers and digital signatures (DKIM), and they passed spam filters.
Notably, some emails sent from [email protected] were even grouped automatically by Gmail into the same conversation thread as past, genuine Robinhood security alerts. There were almost no outward anomalies; the core problem was the content itself, such as links prompting users to enter login information, which was fraudulent.
“Dot trick” and HTML injection… abuse of Robinhood notification channels
Security researcher Abdel Sabbah, analysing the attack, remarked somewhat ruefully that it was "kinda beautiful." The attacker first exploited Gmail's behaviour of ignoring dots (.) in the local part of an address (the so-called "dot trick"), under which variants such as [email protected] and [email protected] all deliver to the same inbox.
The problem is that Robinhood, unlike Gmail, does not normalize these dot variants, so each variant can be registered as a separate account, and a notification for an account registered under a dot variant of a victim's Gmail address lands in the victim's own inbox. The attacker created such accounts, entered raw HTML in the device-name field, and Robinhood's "Unrecognized Activity" notification template inserted that value into the email body without escaping it. The result is a phishing email that passes DKIM, SPF and DMARC and is delivered through Robinhood's normal mail pipeline.
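The injection point described above, modelled as an added example that is not Robinhood's code (its templates are not public): a notification template that interpolates the device name verbatim, the same template with HTML escaping, and an address canonicaliser that treats Gmail dot variants as one account, which is the platform-side fix the summary below recommends. The payload, the template text and the addresses are all constructed for illustration.

```python
import html
import re

# Constructed attacker input for this example: a "device name" carrying raw HTML.
# It is not the payload from the Robinhood campaign, which the article does not reproduce.
ATTACKER_DEVICE_NAME = (
    'iPhone<br><b>Unrecognized login detected.</b> '
    '<a href="https://robinhood-security-check.example/verify">Secure your account</a>'
)

# Stand-in for an "Unrecognized Activity" template (assumed shape; the real one is not public).
TEMPLATE = (
    "<p>We noticed a login to your account from a new device.</p>"
    "<p>Device: {device}</p>"
    "<p>If this was not you, review your security settings in the app.</p>"
)


def render_unsafe(device_name: str) -> str:
    """Vulnerable: the user-controlled value is dropped into HTML context verbatim."""
    return TEMPLATE.format(device=device_name)


def render_safe(device_name: str) -> str:
    """Hardened: escape <, >, & and quotes so the value renders as text, never as markup."""
    return TEMPLATE.format(device=html.escape(device_name, quote=True))


_ANCHOR_RE = re.compile(r"<a\s[^>]*href=", re.IGNORECASE)


def contains_injected_link(rendered: str) -> bool:
    """Cheap check that works here because TEMPLATE itself contains no <a> tag."""
    return bool(_ANCHOR_RE.search(rendered))


def gmail_canonical(address: str) -> str:
    """Canonical delivery address. Gmail ignores dots in the local part, drops any
    '+tag' suffix and treats googlemail.com as gmail.com; other domains are only
    lowercased. A registration check should mirror the provider's delivery rules."""
    local, _, domain = address.strip().lower().rpartition("@")
    if domain in ("gmail.com", "googlemail.com"):
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def is_duplicate_registration(new_address: str, existing: list[str]) -> bool:
    """True if new_address would deliver to the same inbox as an existing account."""
    canon = gmail_canonical(new_address)
    return any(gmail_canonical(a) == canon for a in existing)


if __name__ == "__main__":
    print("unsafe:", contains_injected_link(render_unsafe(ATTACKER_DEVICE_NAME)))
    print("safe:  ", contains_injected_link(render_safe(ATTACKER_DEVICE_NAME)))
    print(is_duplicate_registration("vic.tim@gmail.com", ["victim@gmail.com"]))
```

Escaping at the template boundary is the right place for the fix: the device name is free text supplied by whoever holds the account, so it must never be trusted as markup regardless of what other validation the signup flow performs. The canonicalisation only covers Gmail's rules; other providers have their own aliasing and a production check would need a per-provider table.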
Aimed at account takeover… links that harvest 2FA codes as well
The call to action (CTA) in the email is a fake security warning containing hyperlinks to attacker-controlled pages. This is the standard pattern: once the user follows the link and enters their login details, not only the password but also the 2FA code is captured, giving the attacker access to the account.
As with other phishing campaigns, the ultimate goal is access to user funds, and Robinhood accounts are a prime target. What this case exposes is that the indicators people normally rely on, the sender domain, the authentication signatures and the sending servers, can all be legitimate, which is a warning for cryptocurrency and traditional investors alike.
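The point that authentication headers say nothing about content can be turned into a triage check. The following is an added example, not code from the article, Robinhood or any vendor tool: it parses a constructed message whose Authentication-Results show DKIM, SPF and DMARC all passing, then flags any link whose host lies outside the sender's domain. The headers, addresses and URLs in the sample are made up for the example, and the domain match is a plain suffix comparison rather than a public-suffix-list lookup, which a production tool should use.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (headers, addresses and URLs written for this example;
# not the actual campaign email). Every authentication mechanism reports "pass".
SAMPLE_EMAIL = b"""\
Authentication-Results: mx.example.net; dkim=pass header.i=@robinhood.com; spf=pass smtp.mailfrom=robinhood.com; dmarc=pass header.from=robinhood.com
From: Robinhood <alerts@robinhood.com>
To: victim@example.com
Subject: Unrecognized Activity
Content-Type: text/html; charset=utf-8

<p>We noticed a login to your account from a new device.</p>
<p>Device: iPhone<br><b>Unrecognized login detected.</b>
<a href="https://robinhood-security-check.example/verify">Secure your account</a></p>
<p>Manage devices at <a href="https://robinhood.com/account/security">robinhood.com</a>.</p>
"""

_AUTH_RE = re.compile(r"\b(dkim|spf|dmarc)=([a-z]+)", re.IGNORECASE)


class _HrefCollector(HTMLParser):
    """Collects href targets of <a> tags, i.e. the links a mail client would render."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def extract_links(html_text: str) -> list[str]:
    parser = _HrefCollector()
    parser.feed(html_text)
    return parser.hrefs


def auth_results(msg) -> dict:
    """Reads dkim/spf/dmarc verdicts from the receiving server's Authentication-Results."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict in _AUTH_RE.findall(str(hdr)):
            results[mech.lower()] = verdict.lower()
    return results


def sender_domain(msg) -> str:
    return parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()


def belongs_to(host: str, domain: str) -> bool:
    """Suffix match on a full label boundary: 'a.robinhood.com' yes, 'evil-robinhood.com' no."""
    return host == domain or host.endswith("." + domain)


def analyze(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html_text = body.get_content() if body is not None else ""
    domain = sender_domain(msg)
    links = extract_links(html_text)
    off_domain = [
        u for u in links
        if not belongs_to((urlparse(u).hostname or "").lower(), domain)
    ]
    auth = auth_results(msg)
    return {
        "auth": auth,
        "all_auth_pass": all(auth.get(m) == "pass" for m in ("dkim", "spf", "dmarc")),
        "sender_domain": domain,
        "links": links,
        "off_domain_links": off_domain,
        # Authentication is irrelevant to this verdict: the link targets decide it.
        "suspicious": bool(off_domain),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

The report deliberately keeps the authentication verdicts and the link verdict side by side: the sample scores a clean pass on all three mechanisms and is still flagged, which is exactly the situation the article describes. A mail gateway that only gates on the authentication result would let it through.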
“Stop and think before clicking links in emails”… verification habits are key
The incident quickly spread on social media, with many crypto opinion leaders warning “be cautious when clicking.” Ripple CTO David Schwartz warned: “Even emails that look like they come from Robinhood (and may be sent through real email systems) could be phishing, and the techniques are quite clever.”
Similar cases have occurred before. In April 2025, Ethereum Name Service (ENS) lead developer Nick Johnson disclosed that someone had abused Google infrastructure to send phishing emails that appeared to come from [email protected] and carried a valid DKIM signature. The Robinhood case carries the same message: judging by sender domain and authentication status alone is not enough. The habit to build is not clicking links straight away, but logging in directly through the app or official website to check whether the notification is real.
Summary by TokenPost.ai
🔎 Market interpretation
- This case confirms that a phishing email can come from Robinhood's genuine @robinhood.com domain with valid DKIM/SPF/DMARC authentication, so relying on email-level trust indicators alone cannot guarantee safety
- Accounts linked to funds (trading, wallet and brokerage accounts) are primary targets; stock and crypto investors face the same risk
- Mail-client UI behaviour such as conversation threading can be abused to boost trust and click-through, which underlines the need for template validation and input sanitization on the platform side
💡 Strategic points
- Do not click links in emails; check notifications and security events by opening the app or official website directly (bookmark it or type the address yourself)
- If you receive an "Unrecognized login/activity" warning: change your password immediately, log out of all sessions, reset 2FA (preferably with an authenticator app or a security key), then review withdrawal addresses and connected devices
- Even if the email looks legitimate, judge whether the requested action is abnormal: requests for login details or 2FA codes, pressure to act urgently, or links to an external domain are high-risk signals
- Operational insights for platforms: escape or sanitize HTML in user-supplied fields such as device names, review how email templates insert user data, and consider normalizing Gmail dot variants or blocking duplicate registrations
📘 Terminology
- Phishing: impersonating a trusted institution or service to steal account details, authentication codes and similar secrets
- DKIM/SPF/DMARC: mechanisms that verify an email was sent from the domain's authorized servers and carries the domain's signature; passing them says nothing about whether the content is safe
- Dot trick: exploiting Gmail's practice of ignoring dots in the local part of an address, so that different dot variants reach the same inbox while other services treat them as distinct accounts
- HTML injection: inserting HTML or script into an input field so that it is rendered as markup the attacker controls
- 2FA: a second factor (code, app or hardware secret) required in addition to the password; it can itself be phished or stolen
💡 FAQ
Q. If an email passes DKIM/SPF/DMARC verification, can it be trusted?
Not necessarily. DKIM/SPF/DMARC only confirm that the email was sent through the domain's authorized servers; they do not vouch for the content (links or text). As in this case, if malicious content is embedded in the service's own notification template, the result is a fully verified phishing email.
Q. What is the safest way to verify such an email?
Do not click links in the email. Log in directly through the Robinhood app or official website (via a bookmark or by typing the address) to check notifications and security alerts. If needed, look up contact details through official channels and reach customer service that way, and report the suspicious email as spam or phishing.
Q. What should I do if I have already clicked the link and entered my login details and 2FA code?
Act immediately: (1) change your password, (2) log out of all devices and sessions, (3) reset 2FA (preferably with an authenticator app or security key, which resist phishing better), (4) review withdrawal and linked accounts, devices and API access, (5) check for suspicious transactions or withdrawal attempts, and report the incident to customer service.
TP AI notes: This article's summary was produced by a language model based on TokenPost.ai. It may omit key points from the original or differ from the facts.