•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Ripple’s former CTO David Schwartz has warned that a targeted phishing campaign has begun exploiting Robinhood users through emails that appear to be legitimate and are sent ahead of the firm’s earnings report.
Schwartz said the campaign uses messages that appear to originate from Robinhood’s own email system. He noted that standard email authentication checks—SPF, DKIM, and DMARC—are reportedly passing successfully, which can make the emails look genuine to recipients.
“WARNING: Any emails you get that appear to be from Robinhood (and may actually be from their email system) are phishing attempts,” Schwartz wrote on X.
According to Schwartz, the emails include a login alert that lists a time, device, and a case ID. The messages also prompt users to “Review Activity Now.” While the layout and branding mirror official communication, the embedded button is described as initiating a phishing sequence intended to capture user credentials.
Schwartz said the delivery method appears unusual. He indicated that the emails may have been “somehow injected into Robinhood’s actual email infrastructure,” describing the exploit as “quite sneaky.”
He added that the ability to pass authentication checks increases the likelihood that users will trust the communication.
Schwartz also referenced an attack vector described by Abdel Sabbah. The approach involves Gmail’s “dot trick,” which allows multiple variations of the same email address.
Sabbah said attackers created a Robinhood account using such variations and set a device name containing malicious HTML code. He reported that Robinhood’s system does not sanitize this field, allowing the HTML payload to render inside official emails sent from noreply@robinhood.com.
The result, according to the account described, is a fully authenticated-looking message that appears legitimate but contains hidden malicious elements.
Phishing attacks continue to target cryptocurrency users, with multiple campaigns reported across wallet platforms in recent days.
As previously reported by crypto.news, SlowMist said MetaMask users were targeted by a phishing campaign promoting a fake two-factor authentication process. The spoofed emails used MetaMask branding and included a countdown timer intended to pressure users into acting quickly.
SlowMist said that victims who clicked the “Enable 2FA Now” prompt were redirected to a malicious website that requested their seed phrase, enabling attackers to gain access to wallet funds. The firm noted that these campaigns often rely on small inconsistencies, such as misspelled domains and unusual sender addresses, to evade early detection.
Premium gym chains are entering a “golden era” that is ending or already in decline, as rising operating costs collide with shifting consumer preferences toward more flexible, community-based ways to exercise. Long-term memberships are shrinking, margins are pressured by higher rents and facility expenses, and competition from smaller, more personalized…
