Hackers exploit Robinhood account creation tool to launch worrying phishing scam

Robinhood says the vulnerability has since been fixed

TechRadar News · By Sead Fadilpašić · published 28 April 2026

(Image credit: Robinhood)



  • Attackers exploited a flaw in Robinhood’s account creation emails to inject phishing content
  • Fake warnings from noreply@robinhood.com redirected victims to credential‑stealing landing pages
  • The vulnerability has been fixed, and no customer accounts or funds were compromised

Cybercriminals have been abusing Robinhood's own email infrastructure to land phishing messages in victims' inboxes in a bid to steal login credentials, experts have warned.

Robinhood is a popular electronic trading platform, best known for letting users buy and sell crypto, ETFs and futures, and some of its users recently started receiving emails warning them about unusual login activity.

Such warnings are standard practice: when someone logs into an account from an unfamiliar IP address halfway across the world, the service emails the owner an alert. These messages, however, were fake.


Exploiting a flaw

The emails really were sent from Robinhood's legitimate address, noreply@robinhood.com, and therefore passed SPF and DKIM checks. Their content, however, linked to a malicious landing page built to capture the recipient's Robinhood login credentials.

The root cause was in Robinhood's account creation flow. When a user signs up, the platform sends a confirmation email listing the registration time, IP address, device information and approximate location. The device metadata is supplied by the client, and Robinhood inserted it into the email without sanitizing or HTML-encoding it, so attackers could place arbitrary HTML in that field.

That HTML, which carried the entire phishing message, was rendered in the Device: line of the account creation email, turning a routine sign-up confirmation into what looked like a security warning.
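The injection described above, as an added example that is not Robinhood's code or anything from the article: a toy confirmation-email template rendered once without encoding and once with it. The template text, field names, sign-up record and payload (including the example.invalid link) are all assumptions constructed for illustration.

```python
from html import escape
import re

# Assumed template: mimics the metadata confirmation email the article describes.
TEMPLATE = (
    "<p>Thanks for creating your account.</p>\n"
    "<p>Time: {time}<br>IP: {ip}<br>Device: {device}<br>Location: {location}</p>"
)

# Constructed payload: a "device name" that carries a whole fake-warning message.
PAYLOAD = (
    "<h2>Unusual login detected</h2>"
    '<a href="https://example.invalid/secure">Review activity</a>'
)

# Constructed sign-up record; only the device field is attacker-controlled here.
SIGNUP = {
    "time": "2026-04-27 10:12 UTC",
    "ip": "203.0.113.7",
    "device": PAYLOAD,
    "location": "Unknown",
}

TAG_RE = re.compile(r"<[^>]+>")


def render_vulnerable(fields):
    """Interpolates every field verbatim: any HTML in a field becomes markup."""
    return TEMPLATE.format(**fields)


def render_hardened(fields):
    """HTML-encodes every untrusted field first, so tags arrive as literal text."""
    safe = {k: escape(str(v), quote=True) for k, v in fields.items()}
    return TEMPLATE.format(**safe)


def injected_tags(rendered):
    """Tags present in the rendered mail that the template itself never emits.

    A non-empty result means user data was rendered as markup; an outbound-mail
    test can assert that this set is empty for every transactional template.
    """
    return set(TAG_RE.findall(rendered)) - set(TAG_RE.findall(TEMPLATE))


if __name__ == "__main__":
    print("vulnerable:", sorted(injected_tags(render_vulnerable(SIGNUP))))
    print("hardened:  ", sorted(injected_tags(render_hardened(SIGNUP))))
```

The hardened renderer encodes at the point where untrusted data meets the template, which is the only place the fix reliably holds; validating the device string at sign-up (length limits, a character allowlist) is a useful second layer but not a substitute, because the value is still data, not markup, when it reaches the mail body.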

The last step was delivery. Because the confirmation is sent to whichever address is used to sign up, registering accounts with each target's email address made Robinhood deliver the injected message on the attackers' behalf. BleepingComputer believes the address list was most likely taken from earlier breaches, possibly the November 2021 Robinhood breach.
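The receiving-side lesson from the SPF/DKIM point above is that a passing authentication result only proves who sent the mail, not that its content is benign. The following is an added example, not code from the article or from any mail provider: it parses a constructed sample message whose headers record spf=pass and dkim=pass for robinhood.com and flags body links whose host is not the From: domain or one of its subdomains. The sample message, the Authentication-Results line and the example.invalid phishing URL are all constructed for illustration.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a single-part HTML mail with SPF and DKIM passing for
# robinhood.com and an injected "warning" in the Device line. The phishing URL
# is a placeholder on the reserved .invalid TLD.
SAMPLE_MAIL = """\
From: Robinhood <noreply@robinhood.com>
To: victim@example.com
Subject: Welcome to Robinhood
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=robinhood.com; dkim=pass header.d=robinhood.com
Content-Type: text/html; charset=utf-8

<p>Time: 2026-04-27 10:12 UTC<br>IP: 203.0.113.7<br>
Device: <h2>Unusual login detected</h2><a href="https://example.invalid/secure">Review activity</a><br>
Location: Unknown</p>
<p><a href="https://robinhood.com/help">Help center</a></p>
"""


class LinkCollector(HTMLParser):
    """Collects the href target of every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def auth_passed(raw):
    """True when the receiving MX recorded both spf=pass and dkim=pass."""
    msg = message_from_string(raw, policy=policy.default)
    results = str(msg.get("Authentication-Results", ""))
    return "spf=pass" in results and "dkim=pass" in results


def same_org(host, sender_domain):
    """Exact match or a subdomain of the sender's domain; nothing else counts."""
    return host == sender_domain or host.endswith("." + sender_domain)


def offdomain_links(raw):
    """Body links whose host is not the From: domain or a subdomain of it."""
    msg = message_from_string(raw, policy=policy.default)
    sender_domain = parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1].lower()
    collector = LinkCollector()
    collector.feed(msg.get_content())
    # Relative or malformed hrefs have no hostname and are flagged as well.
    return [
        href for href in collector.hrefs
        if not same_org((urlparse(href).hostname or "").lower(), sender_domain)
    ]


def looks_like_template_injection(raw):
    """Authenticated sender plus off-domain links is the pattern in the article."""
    return auth_passed(raw) and bool(offdomain_links(raw))


if __name__ == "__main__":
    print("auth passed:", auth_passed(SAMPLE_MAIL))
    print("off-domain links:", offdomain_links(SAMPLE_MAIL))
```

In a real gateway this check would sit alongside, not instead of, the usual URL reputation and sandboxing, and the allowed link domains for a known transactional sender would come from a maintained list rather than from the From: header alone; the point is that an SPF/DKIM pass must not short-circuit content inspection.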
