Ripple’s former CTO David Schwartz has warned that a targeted phishing campaign has begun exploiting Robinhood users through seemingly legitimate emails ahead of the firm’s earnings report.
According to Schwartz, the attack involves emails that appear to originate from Robinhood’s own system, with authentication checks such as SPF, DKIM, and DMARC passing successfully, making the messages appear genuine to recipients.
“WARNING: Any emails you get that appear to be from Robinhood (and may actually be from their email system) are phishing attempts,” he wrote in a post on X.
Details shared by Schwartz show that the emails include a login alert listing time, device, and a case ID, alongside a prompt urging users to “Review Activity Now.” The message layout and branding mirror official communication, yet the embedded button reportedly initiates a phishing sequence designed to capture user credentials.
Explaining the unusual delivery method, Schwartz said he believes the emails were “somehow injected into Robinhood’s actual email infrastructure,” later describing the exploit as “quite sneaky.”
The ability to pass standard authentication checks increases the likelihood of users trusting the communication, according to his observation.
Exploit tied to email system manipulation
Insight referenced by Schwartz from Abdel Sabbah outlines a possible attack vector involving Gmail’s “dot trick,” which allows multiple variations of the same email address. Sabbah said attackers created a Robinhood account using such variations and assigned a device name embedded with malicious HTML code.
Robinhood’s system, according to Sabbah, does not sanitize this field, allowing the HTML payload to render inside official emails sent from [email protected]. The result is a fully authenticated message that appears legitimate but contains hidden malicious elements.
Phishing scams continue to target crypto users
Phishing attacks have continued to pose a persistent risk to cryptocurrency users, with multiple campaigns reported across wallet platforms in recent days.
As previously reported by crypto.news, MetaMask users were targeted by a phishing campaign that promoted a fake two-factor authentication process, according to blockchain security firm SlowMist. The spoofed emails used MetaMask branding and included a countdown timer designed to pressure users into immediate action.
SlowMist said victims who clicked the “Enable 2FA Now” prompt were redirected to a malicious website that requested their seed phrase, giving attackers full access to wallet funds. The firm noted that such campaigns often rely on small inconsistencies, including misspelled domains and unusual sender addresses, to bypass initial scrutiny.
