Overview
- Customers began receiving “Your recent login to Robinhood” emails Sunday that came from noreply@robinhood.com and linked a “Review Activity Now” button to a fake site that is now offline.
- Attackers used Gmail’s dot-alias quirk to create lookalike accounts and then placed HTML in Robinhood’s “device name” field, so the injected markup rendered inside genuine alert emails.
- The forged messages passed SPF, DKIM and DMARC checks, which made many users trust the sender and click.
- Robinhood said Monday that the alert flow was abused rather than hacked, reported no customer losses, removed the device field from its emails, and told users to delete the notice.
- Researchers said the targeting likely drew on past leak lists, including Robinhood’s 2021 email exposure, as phishing tied to crypto platforms grows this year.
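The two weaknesses described above (a user-controlled field interpolated raw into an HTML email, and Gmail dot-alias variants being treated as distinct accounts) are shown below as an added illustration, not as Robinhood’s code or any code from the incident. The template, the device-name input and the address list are constructed samples; the plus-address handling in `canonical_email` goes beyond the dot-alias behaviour the page mentions and is an assumption about Gmail’s usual aliasing.

```python
import html
import re
from string import Template

# Constructed transactional template: a "new login" alert that interpolates a
# user-supplied device name. Assumed for illustration, not a real vendor template.
EMAIL_TEMPLATE = Template("<p>Your recent login from device: $device_name</p>")

# Constructed attacker-style input: markup submitted as the device name.
INJECTED_DEVICE_NAME = '<a href="https://example.invalid/review">Review Activity Now</a>'

def render_unsafe(device_name: str) -> str:
    """Vulnerable pattern: raw interpolation lets the markup render in the email."""
    return EMAIL_TEMPLATE.substitute(device_name=device_name)

def render_safe(device_name: str, max_len: int = 64) -> str:
    """Hardened pattern: length-limit and HTML-escape the field, so tags become inert text."""
    cleaned = html.escape(device_name[:max_len], quote=True)
    return EMAIL_TEMPLATE.substitute(device_name=cleaned)

def contains_markup(text: str) -> bool:
    """Detection check for stored values: flag anything that looks like an HTML tag."""
    return re.search(r"<\s*/?\s*[a-zA-Z]", text) is not None

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

def canonical_email(addr: str) -> str:
    """Map Gmail dot-alias (and assumed plus-alias) variants onto one canonical identity."""
    local, _, domain = addr.strip().lower().rpartition("@")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"

def lookalike_groups(addrs):
    """Group registered addresses that collapse to the same canonical mailbox."""
    groups = {}
    for a in addrs:
        groups.setdefault(canonical_email(a), []).append(a)
    return {k: v for k, v in groups.items() if len(v) > 1}

if __name__ == "__main__":
    print(render_unsafe(INJECTED_DEVICE_NAME))
    print(render_safe(INJECTED_DEVICE_NAME))
    print(contains_markup(INJECTED_DEVICE_NAME), contains_markup("iPhone 14"))
    print(lookalike_groups(["john.doe@gmail.com", "jo.hn.doe@gmail.com", "jane@example.com"]))
```

Escaping at render time is the fix that removes the injection regardless of what is stored; the `contains_markup` check is a secondary signal for spotting abuse in already-stored device names, and `lookalike_groups` is the kind of signup-time review that would surface many dot-variant registrations of one mailbox.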