Robinhood confirmed that fraudulent emails sent from [email protected] were a phishing attempt. The company said attackers abused its account creation flow without compromising customer accounts or company systems.
The falsified message, with the subject line “Your recent login to Robinhood,” prompted recipients to delete it. Customer balances and personal data remained untouched, the company’s help account stated on X.
Phishing Email Bypasses Robinhood Authentication
A Robinhood customer who analyzed the raw .eml file said the message passed SPF, DKIM, and DMARC checks. The email originated from Robinhood’s own infrastructure.
Attackers injected HTML into the legitimate email body. The injection embedded a “Review Activity” button that redirected to a domain called tinzio.net via googletagmanager.com.
David Schwartz, CTO emeritus at Ripple, also flagged the campaign, highlighting that the messages may actually be coming from Robinhood’s email system.
“I’m not sure exactly what’s going on, but it seems (at least from a quick look) like these emails were somehow injected into Robinhood’s actual email infrastructure at some point,” he warned.
Robinhood (HOOD) traded near $84.71 on Monday morning, up 1.40% on the day, but recorded pre-market losses of up to 0.3% despite the phishing incident on Sunday evening.
What Robinhood Customers Should Do
Robinhood Help advised affected customers to contact support through the app or website rather than click any links.
The brokerage encouraged anyone who interacted with the email to change passwords, rotate two-factor authentication (2FA), and review recent device activity.
The pattern points to attacks in which authentication standards pass even as the email payload itself becomes malicious.
Robinhood has not detailed how attackers gained access to the account creation flow. It also has not said whether other customers received similar messages.
