Overview
- Former Ripple CTO David Schwartz warned that some Robinhood‑branded emails are phishing attempts even though they appear genuine and pass SPF, DKIM, and DMARC checks.
- The messages mimic standard security alerts with a login time, device details, a case ID, and a “Review Activity Now” button that leads to credential theft, according to examples he shared.
- Schwartz said the emails may be getting injected into Robinhood’s own notification system, a tactic that would make sender and branding look normal to recipients.
- Security analyst Abdel Sabbah outlined a possible path for the attack using Gmail’s dot trick to register account variants, then slipping malicious HTML into a device‑name field that Robinhood’s emails render without sanitizing; Robinhood has not confirmed this.
- Users are urged to avoid links in emails and instead open the Robinhood app or website directly, and to report suspected messages to ReportPhishing@robinhood.com. Crypto users have faced similar scams, including a fake MetaMask 2FA campaign tracked by SlowMist.
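
The path Sabbah outlined depends on two gaps a notification service can close: dot variants of one Gmail mailbox being treated as separate accounts, and a user-supplied device name being placed into email HTML without escaping. The sketch below is an added example, not Robinhood's code or anything from the original report; the template, function names, and sample values are assumptions constructed for illustration.

```python
import html
from collections import defaultdict

# Hypothetical alert template; the real notification markup is not on the page.
TEMPLATE = "<p>New sign-in from device: {device}</p>"

# Constructed sample input: a "device name" field that carries markup.
SAMPLE_DEVICE = 'Pixel 8</p><a href="https://example.invalid/">Review Activity Now</a><p>'


def canonical_gmail(address: str) -> str:
    """Collapse Gmail dot variants to one mailbox (Gmail ignores dots in the local part)."""
    local, _, domain = address.strip().lower().rpartition("@")
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def dot_variant_groups(addresses):
    """Return canonical mailboxes that more than one registered address maps to."""
    groups = defaultdict(list)
    for addr in addresses:
        groups[canonical_gmail(addr)].append(addr)
    return {key: members for key, members in groups.items() if len(members) > 1}


def render_unsafe(device_name: str) -> str:
    """The weak pattern: the field is interpolated as-is, so its markup becomes email HTML."""
    return TEMPLATE.format(device=device_name)


def render_safe(device_name: str, max_len: int = 64) -> str:
    """Drop non-printable characters, cap the length, then HTML-escape before interpolating."""
    printable = "".join(ch for ch in device_name if ch.isprintable())
    return TEMPLATE.format(device=html.escape(printable[:max_len], quote=True))


if __name__ == "__main__":
    # Constructed sample registrations.
    signups = ["john.doe@gmail.com", "j.ohndoe@gmail.com", "a.b@example.com"]
    print(dot_variant_groups(signups))
    print(render_unsafe(SAMPLE_DEVICE))
    print(render_safe(SAMPLE_DEVICE))
```

With escaping in place the device name shows up as literal text in the alert, and the variant grouping gives reviewers a list of sign-ups that all deliver to the same mailbox.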