
Gmail Dot Trick Fuels New Robinhood Phishing Scam Using Real Emails

Dhananjay Singh
Published: April 28, 2026

Summary:

  • Scammers used Gmail's dot alias feature to spoof Robinhood emails.
  • Attack sends real emails from Robinhood's domain with hidden phishing links.
  • Exploit involves fake account creation and HTML injection in device name field.
  • No system breach reported, but users could lose accounts if they enter login details.
  • Phishing and social engineering scams drove $306M in crypto losses in Q1 2026.

A new phishing campaign targeting Robinhood users is raising fresh concerns about how small technical quirks can be turned into large-scale attacks. This time, the method didn't rely on hacking servers or breaking security systems. Over the weekend, users began reporting suspicious emails that appeared to come directly from Robinhood's official systems. The emails warned about an unrecognized login attempt and included a call-to-action button directing users to verify their accounts. On the surface, everything looked normal. The sender address checked out. The formatting looked real. Even the delivery passed standard email security checks. One user described what they saw in a post:

"Robinhood's email service SendGrid (not on 𝕏 🤦♂️)
@twilio is hacked or somehow verified a robinhood.com domain sending out phishing emails @RobinhoodApp @AskRobinhood
Received: from o2.email.robinhood.com (o2.email.robinhood.com. [50.31.40.73])"

That initial reaction, assuming a breach, made sense. But the reality turned out to be more subtle. Security researchers later clarified that Robinhood itself wasn't hacked. Instead, attackers found a way to manipulate how the platform generates and sends automated emails.


Breaking Down the Exploit

At the center of the attack is Gmail's "dot alias" behavior. In simple terms, Gmail ignores dots in the username part of an email address. So something like "john.doe@gmail.com" and "johndoe@gmail.com" both lead to the same inbox. Robinhood, however, treats those variations as completely different accounts. Attackers used this mismatch to their advantage. They created new Robinhood accounts using slightly altered versions of real users' Gmail addresses. Even though the accounts were technically different inside Robinhood's system, all emails sent to those accounts still landed in the real user's inbox.

From there, the attack took a more creative turn. When setting up the fake account, the attacker filled in the "device name" field - normally used for labels like "iPhone" or "MacBook" - with HTML markup instead of plain text. Robinhood's system then included that device name in its automated "unrecognized login" email. Because the platform did not escape or sanitize that input before placing it in the email body, the mail client rendered the HTML rather than displaying it as text. That allowed attackers to inject fake warning messages and even clickable phishing buttons into an otherwise legitimate email. Another user on X summed it up clearly:

"New Robinhood phishing chain that's kinda beautiful:
1. Attacker creates an RH account using the Gmail dot trick of your email (same inbox, different address)
2. Sets device name to HTML
3. RH's "unrecognized activity" email renders the device name unsanitized (html injection)
The result is a real email from noreply@robinhood.com, DKIM pass, SPF pass, DMARC pass, with a phishing CTA. Just because it's real, doesn't mean it's safe... $HOOD"

That last line captures the core issue. The email is technically real but the content inside it has been manipulated.
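The two gaps described above, the dot-alias mismatch and the unescaped device name, can both be closed at the application layer. The following is an added illustration written for this article, not Robinhood's code: it canonicalises Gmail addresses (dots and "+tag" suffixes, which Gmail also ignores) so alias sign-ups collide with the existing account, and shows the vulnerable template rendering beside the escaped version. The template text, the existing-user list and the sample device name are constructed for the example.

```python
import html
import re
from typing import Iterable

# Providers known to ignore dots (and "+tag" suffixes) in the local part.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Collapse an address to the form the receiving mailbox actually keys on."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    local, domain = local.lower(), domain.lower()
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"


def is_alias_of_existing(new_address: str, existing: Iterable[str]) -> bool:
    """Sign-up check: true if the new address lands in an inbox we already serve."""
    target = canonical_email(new_address)
    return any(canonical_email(e) == target for e in existing)


# Constructed stand-in for the "unrecognized login" template.
LOGIN_ALERT = ("<p>We noticed a sign-in from a device you haven't used before: "
               "<strong>{device}</strong>.</p>")


def render_alert_unsafe(device_name: str) -> str:
    # The flaw described in the article: user input dropped straight into the HTML body.
    return LOGIN_ALERT.format(device=device_name)


def render_alert_safe(device_name: str) -> str:
    # Strip control characters, cap the length, then HTML-escape before templating.
    cleaned = re.sub(r"[\x00-\x1f\x7f]", "", device_name)[:64]
    return LOGIN_ALERT.format(device=html.escape(cleaned, quote=True))


def contains_foreign_markup(rendered: str, template_tags=("p", "strong")) -> bool:
    """True if the rendered body carries any tag the template itself does not use."""
    tags = {t.lower() for t in re.findall(r"</?([a-zA-Z][a-zA-Z0-9]*)", rendered)}
    return not tags <= set(template_tags)


EXISTING_USERS = ["john.doe@gmail.com"]  # constructed sample
SAMPLE_DEVICE = '<a href="https://example.invalid/verify">Verify your account</a>'  # constructed
```

The last function is the kind of check a template test suite can run over every outbound notification: any tag not in the template's own allow-list means user input reached the body unescaped.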


What Happens If You Click - And What Doesn't

Despite how convincing the email looks, simply opening it or clicking the link isn't enough to compromise an account. The real risk comes when users interact further. If someone enters their login details, password, or two-factor authentication code on the fake website, that information is handed directly to the attacker. From there, account access becomes possible.

Robinhood addressed the situation in a statement, confirming the issue was tied to account creation abuse rather than a breach:

"This phishing attempt was made possible by an abuse of the account creation flow. It was not a breach of our systems or customer accounts, and personal information and funds were not impacted. If you received this email, please delete it and do not click any suspicious links."

No internal systems were compromised, and no user data was directly leaked. But the attack still works because it targets human behavior rather than infrastructure. According to blockchain security firm Hacken, phishing and social engineering attacks accounted for $306 million in losses during the first quarter of 2026 alone. These attacks don't need advanced exploits. They rely on trust, timing, and small technical gaps. In this case, the combination of Gmail's address handling and Robinhood's input validation created just enough space for attackers to operate. Neither system was "broken" on its own, but together they formed a weak point. Users are trained to check sender addresses and look for official formatting. But when the email actually comes from the legitimate domain and passes SPF, DKIM and DMARC, those signals become far less useful.

Final Thoughts

This phishing campaign is a reminder that security doesn't always fail in obvious ways. There was no major breach, no stolen database, no dramatic system failure. Just a small oversight in how inputs were handled and a known behavior in email systems - combined in a way that attackers could exploit. For users, the takeaway is simple but important. Even if an email looks real and comes from a trusted source, the safest move is to avoid clicking links directly. Going to the platform through its official website or app removes most of the risk.


About the Author

Dhananjay Singh is a DeFi reporter at CotiNews covering the evolving decentralized finance landscape. His work focuses on developments within the Ethereum ecosystem and the growing COTI network. He holds a Bachelor's degree in Political Science from the University of Delhi.
