Robinhood Phishing Attack Exploits Gmail Dot Alias and Account Creation Flaw
Sophisticated campaign sends legitimate-looking emails from Robinhood's official domain via email address manipulation
Key points
- Robinhood users are being targeted by a phishing attack that exploits Gmail's dot alias feature and flaws in Robinhood's account creation process.
- Scammers create fake Robinhood accounts using email addresses that differ only by dots (e.g., [email protected] vs [email protected]), then inject malicious HTML into the device name field.
- The result is email sent from Robinhood's official noreply address that passes SPF, DKIM, and DMARC authentication yet contains fake login warnings and phishing links.
AI-generated summary
Why it matters
This phishing attack exploits a known characteristic of Gmail that ignores dots in email addresses, combined with a flaw in Robinhood's account creation process that allows HTML injection in the device name field. The technique allows scammers to send emails that appear to come from Robinhood's official domain but contain malicious content.
Robinhood users are being warned about a new phishing attack that takes advantage of Gmail's native "dot alias" feature and flaws in Robinhood's account creation process to send malicious emails. On Sunday, Robinhood users began reporting on social media emails originating from the platform's mail server that warned of an unrecognized device login and whose "call to action" button linked to phishing websites.
Alex Eckelberry, a cybersecurity researcher and tech CEO, said the phishing campaign wasn't the result of a hack but instead exploited a native Gmail characteristic that ignores dots in an email address, as well as a "couple of terrible holes" in Robinhood's account setup. It comes after blockchain security company Hacken reported earlier this month that phishing and social engineering attacks dominated crypto attacks in the first quarter of 2026, accounting for $306 million in losses.
Hackers created fake Robinhood accounts. Eckelberry said the scam relied on fraudsters creating an account on Robinhood with an email closely mimicking their target's email address. For example, a Robinhood user could have an email address such as "[email protected]." The scammer would create a new Robinhood account with an email without the dot in the middle, such as "[email protected]." While Robinhood would treat them as completely separate accounts, Gmail ignores dots in the username part of an email address. This means scammers could prompt Robinhood to automatically send emails intended for their fake account, but have them arrive in their target's inbox instead.
To get a phishing link into the automated email sent when a new Robinhood account is created, the scammers would then add HTML markup to the optional "device name" field on Robinhood, which Gmail renders as formatting rather than displaying as literal text.
"The result is a real email from '[email protected]' that passes SPF, DKIM, and DMARC. It looks completely legitimate but now contains injected fake warning text and a working phishing button. Clicking the button leads to a fake login site," Eckelberry said.
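The two defensive checks that would have closed the gap described above, as an added illustration that is not Robinhood's code or Eckelberry's: canonicalizing Gmail addresses at sign-up so dot and plus variants collide with an existing account, and HTML-escaping the user-supplied device name before it is templated into the notification email. The set of dot-insensitive domains, the field length limit, and all sample addresses are assumptions constructed for the example.

```python
import html

# Assumption: only these provider domains ignore dots in the local part.
# Extend the set for other providers after confirming their behaviour.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(addr: str) -> str:
    """Return the mailbox an address actually delivers to.

    Lower-cases the whole address and, for dot-insensitive providers, strips
    dots and any '+tag' from the local part, so "j.doe+rh@gmail.com" and
    "jdoe@gmail.com" collapse to the same key. Other domains are left intact.
    """
    local, sep, domain = addr.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {addr!r}")
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"  # googlemail.com delivers to the same mailbox
    return f"{local}@{domain}"


def is_alias_collision(new_addr: str, existing_addrs) -> bool:
    """True if new_addr delivers to a mailbox that is already registered."""
    key = canonical_email(new_addr)
    return any(canonical_email(e) == key for e in existing_addrs)


def render_login_notice(device_name: str, max_len: int = 64) -> str:
    """Build the 'new login' email fragment with the device name escaped.

    Truncation plus html.escape means injected markup shows up as literal
    text instead of becoming a rendered warning box or clickable button.
    """
    safe = html.escape(device_name[:max_len], quote=True)
    return f"<p>New login from device: <b>{safe}</b></p>"


if __name__ == "__main__":
    # Constructed sample data, not taken from the campaign.
    registered = ["j.doe@gmail.com", "someone@example.com"]
    print(is_alias_collision("jdoe@gmail.com", registered))     # True
    print(is_alias_collision("j.doe@example.com", registered))  # False
    print(render_login_notice('<a href="https://phish.invalid">Secure</a>'))
```

A sign-up flow would refuse or route to account recovery when `is_alias_collision` returns True, and every user-controlled field placed into outbound mail should go through the same escaping as the device name.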
The email is only dangerous if information is entered. Visiting the fake login website alone isn't enough for hackers to gain access to an account, Eckelberry said, but entering sensitive information such as passwords could allow bad actors to do so.
Robinhood's support account on X posted a statement on Monday confirming that some users received a falsified email from "[email protected]" with the subject line "Your recent login to Robinhood" and blamed the issue on an exploit of the "account creation flow."
"This phishing attempt was made possible by an abuse of the account creation flow. It was not a breach of our systems or customer accounts, and personal information and funds were not impacted," they said. "If you received this email, please delete it and do not click any suspicious links. If you have clicked a suspicious link or have any questions about your account, please contact us directly within the Robinhood app or website."
What to watch
AI outlook: possibilities, not certainties
Robinhood will implement additional verification in account creation to prevent HTML injection
Likely · Within weeks
Similar phishing campaigns may target other platforms using the same technique
Possible · Within months
Open questions
- How many users received the phishing emails
- Whether any users actually entered credentials on the fake site
- What specific changes Robinhood will make to prevent this exploit