The emails passed domain authentication checks because they appeared to have been sent through Robinhood’s actual email infrastructure.
Ripple’s CTO Emeritus David Schwartz posted a warning on X, telling users that a phishing campaign had sent fraudulent security alerts appearing to come from Robinhood’s own email infrastructure.
Robinhood has since confirmed the incident, attributing it to an abuse of its account creation flow rather than any breach of its systems.
What the Phishing Email Looked Like and How It Got Through
According to Schwartz, the fake email, whose subject line was “Your most recent login to Robinhood,” claimed that there was an unrecognized login attempt on an “iPhone 17 Pro” device at a specified time and that an account telephone number ending in “87” would be updated shortly.
A “Review Activity Now” button sat at the bottom, alongside a warning that once changes were confirmed, they could not be reversed, which is standard panic-inducing language, designed to make people click before they think.
Schwartz said he was not certain of the exact mechanics but believed, based on a quick look, that the emails “were somehow injected into Robinhood’s actual email infrastructure at some point.”
That matters because the filters that most email providers use check to see if a message really came from the domain it says it did. If the sending path looks real, those checks pass, and that’s how the fraud landed in Schwartz’s inbox looking exactly like the genuine article.
Robinhood’s support account later confirmed that “some customers received a falsified email from noreply@robinhood.com,” adding that the attack exploited its account creation flow and that no systems were breached, no personal information was exposed, and no funds were touched.
You may also like:
The company’s guidance was for customers to delete the email, not click anything, and contact Robinhood through the app if worried.
A Pattern That Keeps Repeating
Reactions on X came quickly, with one user asking how a company of Robinhood’s size could have its official email compromised at all, while another, Demosthenes, noted that scam emails tend to multiply during unsettled market periods.
Web3 builder Dpac claimed they had received a similar phishing email two days earlier from attackers impersonating XRP Cafe and flagged a separate wave running through X itself, with hijacked accounts sending malicious links via direct messages and multiple reports of wallets being drained.
None of this is happening in isolation, with Ledger users in January being hit with phishing emails after a data breach at third-party e-commerce partner Global-e exposed their contacts and order details. Scammers then sent fake merger notices asking them to enter wallet recovery phrases on a fake website.
Furthermore, a February report by Scam Sniffer said phishing losses had climbed 207% from December, costing victims $6.27 million across 4,741 cases as attackers used wallet poisoning and fraudulent approvals to trick users into signing away access to funds.
The following month, the FBI warned Tron users about fake tokens impersonating the agency and pointing people toward a site built to harvest wallet credentials.
Binance Free $600 (CryptoPotato Exclusive): Use this link to register a new account and receive $600 exclusive welcome offer on Binance (full details).
LIMITED OFFER for CryptoPotato readers at Bybit: Use this link to register and open a $500 FREE position on any coin!
