Robinhood customers got hammered by phishing emails over the weekend. Not the usual junk. These looked real.
The messages came from [email protected], carried all the right authentication stamps, and slipped past spam filters like they belonged there. They even threaded into existing Gmail conversations. By Sunday night, crypto Twitter was blowing up with warnings. People were checking their accounts. Some were already too late.
How the Attack Worked
Security researcher Abdel Sabbah tore apart the attack mechanics. Attackers used what’s called Gmail’s “dot trick.” Gmail ignores periods in the local part of an address—[email protected] and [email protected] hit the same inbox. Robinhood’s system doesn’t normalize these variations, so it treats each dotted spelling as a separate account. Hackers registered accounts under dotted versions of legitimate email addresses, then set those accounts’ device names to raw HTML. When Robinhood’s notification pipeline fired off security alerts, the malicious HTML rendered inside what looked like genuine warnings, delivered to the real owner’s inbox.
The phishing messages wanted login credentials. They wanted two-factor authentication codes. They wanted access to funds, basically. And the scary part? All the standard checks people use to spot fakes didn’t work here. The sender domain was correct. The DKIM signature verified, and the SPF and DMARC checks passed. Email security systems saw nothing wrong.
Ripple’s David Schwartz jumped on the warnings pretty fast. He’d seen something similar before—back in April 2025, attackers pulled off a comparable stunt using Google’s own infrastructure. That time, phishing emails came from [email protected]. Same playbook. Same exploitation of how big platforms handle email authentication and user notifications.
Traditional advice tells you to verify the sender’s domain. Check for authentication failures. Look for typos or weird formatting. None of that helped here. The emails passed every technical test. They looked legitimate because, in most ways that mattered to security filters, they were legitimate. Robinhood’s own guidance says to check the sender’s domain, but when the domain is actually correct and the signatures all validate, that advice falls apart.
What Robinhood Isn’t Saying
Protos reached out to Robinhood for comment. No response came back before publication. The company’s stock opened unchanged on Nasdaq Monday morning. Markets didn’t care, or maybe didn’t notice yet. But users were freaking out on social media, comparing notes about which emails they’d gotten and whether they’d clicked anything.
The silence from Robinhood raises questions. What’s the company doing to fix the notification pipeline? How many users got hit? How much money walked out the door? There’s no public incident report. No timeline for patches. Just the usual customer support channels telling people to be careful.
And that’s kind of the problem. Being careful doesn’t cut it when the attacks are this sophisticated. Users can’t spot the difference between a real security alert and a fake one if both come from the same authenticated source. The burden shouldn’t fall entirely on customers to decode email headers and guess which device-name strings contain malicious HTML.
Email authentication protocols like DKIM were supposed to solve this. They verify that messages actually come from who they claim to come from. But when attackers can get their own content into the notification system itself, those protocols become part of the problem: they stamp a seal of approval on malicious content, because the message really was sent by the legitimate sender.
The Gmail dot trick isn’t new. Security researchers have warned about it for years. But Robinhood’s failure to normalize email addresses before sending notifications created an exploitable gap. Attackers registered accounts with dotted variations, triggered legitimate security alerts, and hijacked the notification pipeline. The company’s own systems became the weapon.
What Users Can Actually Do
Standard advice still applies, even if it feels inadequate. Don’t click links in unexpected emails. Period. Even if they look perfect. Even if the domain checks out. Even if they thread into existing conversations. Go directly to the app or website instead.
Enable hardware security keys for two-factor authentication if the platform supports them. SMS codes and authenticator apps can be phished. Hardware keys can’t, because the key is bound to the genuine site’s domain and won’t authenticate to a lookalike page. Robinhood supports them, though most users probably don’t bother setting them up.
Watch for unusual account activity. Check your transaction history daily. Set up alerts for withdrawals above a certain threshold. If something moves without your knowledge, you want to know immediately, not three days later when the funds are already gone.
But honestly? The real fix has to come from Robinhood. The company needs to normalize email addresses before sending notifications. It needs to sanitize device names and strip out HTML. It needs to rethink how its notification pipeline handles user-controlled input. Individual vigilance only goes so far when the platform itself is vulnerable.
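The two fixes described above, address normalization at registration and escaping of user-controlled device names before they go into a notification template, are straightforward to implement. The following is an added example written for this article, not Robinhood’s code or anything published by the researcher; the template text, the function names, and the list of dot-insensitive providers are assumptions made for illustration, and the malicious device name is a constructed sample. It also shows the unescaped rendering beside the escaped one so the difference is visible.

```python
import html

# Assumption for this example: providers whose mailboxes ignore dots in the local part.
# Gmail is the documented case; the set is illustrative, not authoritative.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def normalize_email(address: str) -> str:
    """Canonicalize an address for duplicate-account detection.

    Lowercases the whole address and, for dot-insensitive providers, strips
    dots from the local part so every dotted spelling of one mailbox maps to
    one key. Plus-suffix handling is intentionally left out of this example.
    """
    address = address.strip().lower()
    if address.count("@") != 1:
        raise ValueError(f"not a simple address: {address!r}")
    local, domain = address.split("@")
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")
    return f"{local}@{domain}"


def register_account(registry: dict, email: str) -> bool:
    """Register an account keyed by the canonical address.

    Returns False when a dotted variant of an existing mailbox is presented,
    which closes the gap the article describes.
    """
    key = normalize_email(email)
    if key in registry:
        return False
    registry[key] = email
    return True


def sanitize_device_name(name: str, max_len: int = 64) -> str:
    """Make a user-supplied device name safe to place in an HTML email body.

    Drops non-printable characters, caps the length, and HTML-escapes the
    rest so markup is shown as text rather than rendered.
    """
    cleaned = "".join(ch for ch in name if ch.isprintable())[:max_len]
    return html.escape(cleaned, quote=True)


# Hypothetical security-alert template; the real notification layout is not on the page.
ALERT_TEMPLATE = (
    "<html><body>"
    "<p>New login to your account from device: <b>{device}</b></p>"
    "<p>If this wasn't you, open the app and review your devices.</p>"
    "</body></html>"
)


def render_login_alert_unsafe(device_name: str) -> str:
    """The flawed pattern: raw user input interpolated into the HTML template."""
    return ALERT_TEMPLATE.format(device=device_name)


def render_login_alert(device_name: str) -> str:
    """The hardened pattern: escape the device name before templating."""
    return ALERT_TEMPLATE.format(device=sanitize_device_name(device_name))


if __name__ == "__main__":
    # Constructed sample: a device name carrying an injected link.
    malicious_device = '<a href="https://example.invalid/login">Verify your account</a>'

    registry = {}
    print(register_account(registry, "john.doe@gmail.com"))   # True
    print(register_account(registry, "j.ohn.doe@gmail.com"))  # False: same mailbox

    print(render_login_alert_unsafe(malicious_device))  # link renders inside the alert
    print(render_login_alert(malicious_device))         # link shown as harmless text
```

The registration check is the one that actually removes the attacker’s foothold: once dotted spellings collapse to one account, there is no second account whose device name ends up in the victim’s alerts. Escaping is the second layer, so that even if duplicate accounts slip through, the notification pipeline never renders user-controlled markup.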
The sophistication here is pretty wild. Attackers didn’t just send fake emails—they weaponized Robinhood’s legitimate infrastructure. They turned security alerts into phishing vectors. And they did it in a way that fooled both users and automated security systems.
Other platforms probably have similar vulnerabilities. Gmail’s dot trick works everywhere Gmail works. Any service that sends notifications based on user-controlled input—device names, account nicknames, profile information—could be exploited the same way. Robinhood just happened to be the target this weekend. Next weekend it might be Coinbase or Kraken or Binance.US.
The April 2025 Google incident showed this wasn’t a one-off technique. Attackers are refining these methods, finding new platforms to exploit, and scaling up their operations. The fact that Robinhood’s stock didn’t move suggests investors either don’t understand the severity or don’t think it’ll hurt the bottom line. Maybe they’re right. Maybe users will shrug it off and keep trading. But the vulnerability remains, and the attackers know it works.
Frequently Asked Questions
How did hackers make the Robinhood phishing emails look authentic?
Attackers exploited Gmail’s dot trick to create email address variations and inserted malicious HTML into device names, which rendered inside legitimate Robinhood security alerts sent through the company’s own notification system.
What should Robinhood users do if they clicked a phishing link?
Change your password immediately, revoke all active sessions, enable hardware security key authentication if available, and monitor your account for unauthorized transactions or withdrawals.