Headline: Former Ripple CTO warns of sophisticated phishing campaign spoofing Robinhood emails ahead of earnings

Former Ripple CTO David Schwartz has issued a sharp warning that a targeted phishing campaign is tricking Robinhood users with emails that look, and even authenticate, like they came from Robinhood itself. The alerts arrived just before Robinhood’s earnings report and are designed to harvest credentials by mimicking the platform’s official account-security messages.

What’s happening

- The fraudulent messages present as login alerts, listing time, device and a case ID, and include a prominent “Review Activity Now” button. The layout and branding closely mirror Robinhood’s legitimate communications.
- Crucially, the emails reportedly pass standard email authentication checks (SPF, DKIM and DMARC), which makes them appear genuine to recipients and many filtering systems.
- “WARNING: Any emails you get that appear to be from Robinhood (and may actually be from their email system) are phishing attempts,” Schwartz wrote on X, later calling the exploit “quite sneaky.”

How the attackers may be doing it

- Security researcher Abdel Sabbah shared a plausible vector: attackers leveraged Gmail’s “dot trick” (multiple dot-variations of the same address) to create a Robinhood account and then set a device name that embedded malicious HTML.
- According to Sabbah, Robinhood’s email system did not sanitize that device-name field, allowing the HTML payload to render inside officially sent emails from [email protected]. The result: fully authenticated emails that still contain hidden malicious elements that trigger credential theft.

Why this is dangerous

- Passing SPF/DKIM/DMARC removes a key cue many users and email systems rely on to judge legitimacy, increasing the chance victims will trust the message and click the embedded link.
- The attack blends social engineering (urgent login alerts) with a technical trick that embeds malicious content in otherwise legitimate mail.

Broader context: phishing remains a top crypto threat

- Crypto users continue to be targeted with similar campaigns. SlowMist recently reported a MetaMask phishing campaign that used spoofed emails and a fake “Enable 2FA Now” flow with a countdown timer to pressure users. Victims who followed the prompt were redirected to a malicious site that asked for their seed phrase — giving attackers full control of wallets.
- These schemes often succeed by exploiting small inconsistencies (misspelled domains, unusual sender names) combined with urgency and realistic-looking branding.

Practical advice for users

- Don’t click email links for account security actions. Open the official Robinhood app or type robinhood.com directly into your browser.
- Never share seed phrases or private keys under any circumstances.
- Enable strong 2FA (prefer app-based or hardware tokens rather than SMS).
- Verify suspicious emails by checking sender details and email headers where possible, and report suspected phishing to Robinhood and your email provider.
- If you clicked a suspicious link, change passwords, revoke sessions, and consider contacting support and security services immediately.

Takeaway

This campaign shows how attackers are combining subtle mail-system tricks with convincing copy to bypass normal defenses. Vigilance—especially around security alerts—is essential for anyone interacting with crypto platforms.
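
The flaw described under “How the attackers may be doing it”, seen from the sending side: a user-set device name interpolated raw into an alert email versus cleaned and escaped at output, plus canonicalizing Gmail dot variants at signup. This is an added example, not Robinhood’s code; the template, the length limit, the function names and the sample input are assumptions constructed for illustration.

```python
import html
import re
import unicodedata

# Constructed template for illustration; not Robinhood's real email markup.
TEMPLATE = "<p>New login from device: <strong>{device}</strong></p>"
MAX_DEVICE_LEN = 64  # assumed limit for a device label


def render_unsafe(device_name: str) -> str:
    """The reported flaw: a user-controlled field is interpolated raw."""
    return TEMPLATE.format(device=device_name)


def clean_device_name(device_name: str) -> str:
    """Normalize, drop control/format characters, bound the length."""
    text = unicodedata.normalize("NFKC", device_name)
    text = "".join(ch for ch in text if unicodedata.category(ch)[0] != "C")
    return re.sub(r"\s+", " ", text).strip()[:MAX_DEVICE_LEN]


def render_safe(device_name: str) -> str:
    """Escape at output time so the field can only render as text."""
    cleaned = clean_device_name(device_name)
    return TEMPLATE.format(device=html.escape(cleaned, quote=True))


def canonical_gmail(address: str) -> str:
    """Collapse Gmail dot variants (and +tags, a generalization beyond the
    page) to one mailbox, for duplicate-signup checks."""
    local, _, domain = address.strip().lower().rpartition("@")
    if domain in ("gmail.com", "googlemail.com"):
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


# Constructed sample input: a device name carrying markup.
SAMPLE = 'Pixel 8</strong><a href="https://example.invalid/">link</a>'

if __name__ == "__main__":
    print(render_unsafe(SAMPLE))  # markup becomes part of the email body
    print(render_safe(SAMPLE))    # markup is displayed as literal text
    print(canonical_gmail("J.Ane.Doe+rh@gmail.com"))
```

Escaping where the value is written into HTML is the control that matters here; the cleaning step only keeps the displayed label short and printable.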

