Phishing emails sent through Robinhood email infrastructure

Attackers injected malicious HTML into Robinhood messages, creating ‘Your recent login’ phishing emails that passed SPF/DKIM/DMARC and redirected users to tinzio.net.

On Sunday evening some Robinhood customers received fraudulent emails that appeared to come from [email protected] with the subject ‘Your recent login to Robinhood.’ A customer who downloaded a raw .eml file reported the message passed SPF, DKIM and DMARC checks, indicating it was sent through Robinhood’s own email infrastructure even though the message body contained a phishing payload.

The injected HTML added a ‘Review Activity’ button that routed recipients through googletagmanager.com to a domain called tinzio.net. The visible headers and authentication records matched Robinhood’s systems while the email body carried the malicious link.
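A triage check for the pattern described above, as an added example that is not from the article or from Robinhood: it reads the SPF/DKIM/DMARC verdicts and independently lists link hosts outside the sender's domain. The message, the `brand.example` sender, and the URL path are constructed, and allowing only the From domain is a simplifying assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not the real email): authentication passes, but the
# HTML body carries a button that points off the sender's domain.
SAMPLE_EML = """\
From: Brand Security <noreply@brand.example>
To: user@mail.example
Subject: Your recent login
Authentication-Results: mx.mail.example; spf=pass smtp.mailfrom=brand.example;
 dkim=pass header.d=brand.example; dmarc=pass header.from=brand.example
Content-Type: text/html; charset="utf-8"

<html><body><p>We noticed a new login.</p>
<a href="https://brand.example/help">Help Center</a>
<a href="https://www.googletagmanager.com/constructed-path">Review Activity</a>
</body></html>
"""

def auth_results(msg):
    """Return e.g. {'spf': 'pass', ...} from the Authentication-Results header."""
    header = " ".join(msg.get_all("Authentication-Results", []))
    return {m: r.lower() for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header)}

def off_domain_links(msg, allowed):
    """List link hosts in HTML parts that fall outside the allowed domains."""
    hosts = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_payload(decode=True).decode("utf-8", "replace")
        for url in re.findall(r'href\s*=\s*["\']([^"\']+)', html, re.I):
            host = (urlparse(url).hostname or "").lower()
            if host and not any(host == d or host.endswith("." + d) for d in allowed):
                hosts.append(host)
    return hosts

def triage(raw):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    auth = auth_results(msg)
    authenticated = all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))
    # Authentication vouches for the sending path, not the body, so the link
    # check is never suppressed by a passing verdict.
    hosts = off_domain_links(msg, {from_domain})
    return {"authenticated": authenticated, "off_domain_hosts": hosts, "review": bool(hosts)}
```

Real transactional mail often links to third-party hosts, so a production allowlist would be broader than the single From domain used here.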

Robinhood confirmed the messages were a phishing attempt and attributed the incident to abuse of its account creation flow, saying the company’s systems and customer accounts were not breached. The Robinhood Help account posted that customer balances and personal data were not accessed.

The company advised anyone who received the message to contact support through the app or website instead of clicking links. It recommended changing passwords, rotating two-factor authentication and reviewing recent device activity for anyone who interacted with the email.

Security observers noted the campaign allowed authentication checks to validate the sender while the message content was altered. David Schwartz, CTO emeritus at Ripple, wrote that the emails appeared to have been injected into Robinhood’s email system at some point.

Robinhood has not provided technical details on how the account creation flow was abused, how many customers received the falsified messages or what fixes have been applied. The company has not reported any theft of funds or customer information tied to these emails.
