Robinhood Onboarding Flaw Exploited to Deliver Phishing Emails to Customers

April 28, 2026 00:00 · 5 min read
Phishing Emails Arrive from Robinhood's Own Address

Beginning on the evening of April 27, 2026, customers of the online trading platform Robinhood began receiving alarming emails with the subject line "Your recent login to Robinhood." The messages claimed that an "Unrecognized Device Linked to Your Account" had been detected, and they included unusual IP addresses alongside partial phone numbers to lend an air of legitimacy.

"We detected a login attempt from a device that is not recognized," the phishing email stated. "If this was not you, please review your account activity immediately to secure your account."

What set this campaign apart from run-of-the-mill phishing was the fact that the emails originated from Robinhood's genuine address, noreply@robinhood.com, and passed both SPF and DKIM checks, the two authentication standards receiving mail servers use to confirm that a message came from infrastructure the sending domain authorizes and was not altered in transit. To an average recipient, every technical signal pointed to a real communication from Robinhood.

A Malicious Button and a Convincing Phishing Site

Embedded in each message was a button labeled "Review Activity Now." Clicking it redirected victims to a phishing site hosted at robinhood[.]casevaultreview[.]com, which has since been taken offline. Screenshots shared on Reddit suggest the site was designed to harvest Robinhood login credentials. Discussions on Reddit, attributed to users including @OtisAndPeanut, helped surface the campaign publicly before it could claim a larger number of victims.

How the Onboarding Flaw Was Exploited

BleepingComputer confirmed the mechanism behind the attack: threat actors identified a vulnerability in Robinhood's account registration flow that allowed them to inject arbitrary HTML into the platform's standard account confirmation emails.

When a new Robinhood account is created, the company automatically dispatches a "Your recent login to Robinhood" email to the registered address. This email contains the registration timestamp, the IP address used, device information, and an approximate geographic location. Critically, Robinhood was not properly sanitizing the device metadata fields submitted during registration.

Attackers exploited this gap by supplying crafted HTML code in place of legitimate device information. That code was then rendered inside the Device: field of the outgoing confirmation email, producing a convincing fake warning about unrecognized account activity. The result was a single email that blended Robinhood's authentic formatting with an attacker-injected phishing section.
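The defect described above is a classic output-encoding failure: a user-supplied string is interpolated into an HTML email body without escaping. The following added example (not Robinhood's code; the template, field names and the injected device string are constructed for illustration) shows the weak rendering beside the hardened one, plus an input-side allowlist for device names, so that markup submitted at registration is rendered as inert text rather than as a phishing section.

```python
"""Added example, not Robinhood's code: rendering an account-confirmation
email with and without output encoding of user-controlled device metadata."""
import html
import re

# Constructed sample: a device string carrying injected markup of the kind the
# article describes. The real attacker payload is not on the page.
INJECTED_DEVICE = (
    "Unknown<br><b>Unrecognized Device Linked to Your Account</b>"
    '<a href="https://example.invalid/review">Review Activity Now</a>'
)

# Hypothetical confirmation-email template; the real template is not on the page.
TEMPLATE = (
    "<p>Your recent login to Robinhood</p>"
    "<ul>"
    "<li>Time: {timestamp}</li>"
    "<li>IP: {ip}</li>"
    "<li>Device: {device}</li>"
    "<li>Location: {location}</li>"
    "</ul>"
)


def render_unsafe(fields: dict) -> str:
    """Weak form: raw interpolation. Any markup inside a field reaches the
    mail client as live HTML, which is the flaw the article describes."""
    return TEMPLATE.format(**fields)


def render_safe(fields: dict) -> str:
    """Hardened form: every user-controlled value is HTML-escaped before it
    is placed in the template, so '<' and '"' become entities."""
    escaped = {k: html.escape(str(v), quote=True) for k, v in fields.items()}
    return TEMPLATE.format(**escaped)


# Input-side defence: a device name has no legitimate need for angle brackets,
# quotes or ampersands. Allowlist is an assumption chosen for this example.
DEVICE_ALLOWED = re.compile(r"^[A-Za-z0-9 ._/()+-]{1,64}$")


def validate_device(value: str) -> bool:
    """Return True only for device strings made of allowlisted characters."""
    return bool(DEVICE_ALLOWED.fullmatch(value))


def build_fields(device: str) -> dict:
    """Constructed registration metadata for a single confirmation email."""
    return {
        "timestamp": "2026-04-27 21:00 UTC",   # constructed
        "ip": "203.0.113.7",                   # documentation range, constructed
        "device": device,
        "location": "Unknown",
    }


if __name__ == "__main__":
    fields = build_fields(INJECTED_DEVICE)
    print("valid device field:", validate_device(INJECTED_DEVICE))
    print("--- unsafe ---\n" + render_unsafe(fields))
    print("--- safe ---\n" + render_safe(fields))
```

Both layers matter: the allowlist rejects the malformed registration outright, and the escaping guarantees that any value that does reach the template cannot become markup, which also covers fields the allowlist was never applied to. Robinhood's reported fix, dropping the field altogether, removes the sink entirely.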

Targeting Existing Customers via Breach Data and Gmail Aliases

To direct the fraudulent emails at real Robinhood customers rather than arbitrary addresses, the attackers appear to have drawn on lists of known customer emails obtained from previous data breaches. Robinhood itself suffered a significant breach in November 2021 that exposed the data of approximately 7 million customers; that data was subsequently offered for sale on a hacking forum, making it a ready resource for follow-on attacks.

The campaign also took advantage of Gmail's dot aliasing behavior. Because Gmail treats periods within a username as insignificant — meaning john.doe@gmail.com and johndoe@gmail.com reach the same inbox — attackers could register new Robinhood accounts using dot-modified variations of a real customer's email address. This allowed them to trigger the confirmation email flow and route the phishing message directly to the intended target without needing to access the victim's actual account.
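A registration system can detect this abuse by canonicalizing addresses before checking for duplicates. The added example below (not Robinhood's code; the registration list is constructed) folds Gmail's dot-insensitivity into a canonical form and flags sign-ups that collapse onto an address already on file. It goes slightly beyond the page's dot-aliasing case by also stripping Gmail's "+tag" suffix, which reaches the same inbox for the same reason.

```python
"""Added example, not Robinhood's code: canonicalize Gmail addresses so that
dot-modified variants of one mailbox are recognized as the same registrant."""
from collections import defaultdict

# Domains where Gmail's aliasing rules apply (googlemail.com is Gmail's older domain).
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Lower-case the address; for Gmail also drop dots and any '+tag' in the
    local part. Other providers keep their local part verbatim, since dots are
    significant there."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    local, domain = local.lower(), domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"


def find_alias_collisions(registrations: list[str]) -> dict[str, list[str]]:
    """Group raw sign-up addresses by canonical form and return only the
    groups with more than one member, i.e. likely alias abuse."""
    groups: dict[str, list[str]] = defaultdict(list)
    for raw in registrations:
        groups[canonical_email(raw)].append(raw)
    return {canon: raws for canon, raws in groups.items() if len(raws) > 1}


# Constructed registration log: one real customer plus two dot-variant sign-ups
# aimed at the same inbox, and an unrelated non-Gmail account.
SAMPLE_REGISTRATIONS = [
    "john.doe@gmail.com",
    "j.ohn.doe@gmail.com",
    "johndoe+login@gmail.com",
    "john.doe@example.com",
]

if __name__ == "__main__":
    for canon, raws in find_alias_collisions(SAMPLE_REGISTRATIONS).items():
        print(f"{canon}: {len(raws)} registrations -> {raws}")
```

In practice the collision check runs at sign-up time: if the canonical form already belongs to an existing customer, the new registration should not trigger a confirmation email to that mailbox, or should at least be rate-limited and reviewed. Canonicalization should also be applied when matching registrations against breach-derived address lists used for abuse monitoring.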

Robinhood's Response and Remediation

Robinhood acknowledged the incident in a statement posted to X:

"On Sunday evening, some customers received a falsified email from noreply@robinhood.com with the subject line 'Your recent login to Robinhood.' This phishing attempt was made possible by an abuse of the account creation flow. It was not a breach of our systems or customer accounts, and personal information and funds were not impacted."

BleepingComputer independently confirmed that Robinhood has since patched the vulnerability by removing the Device: field from account creation emails entirely — the same field that attackers used to inject their malicious HTML. The company is advising any customer who received the suspicious message to delete it immediately and refrain from clicking any embedded links.

Key Takeaways for Users and Security Teams

Users who interact with financial platforms should be cautious even when an email appears to originate from a legitimate domain, particularly if it contains urgent calls to action or unfamiliar links. When in doubt, navigate directly to the platform by typing its URL into a browser rather than following any embedded button or hyperlink.


Source: BleepingComputer
