Primeagen masterfully demonstrates how standard email features become critical vulnerabilities when developers prioritize convenience over rigorous logic. It’s a stark reminder that even the best authentication protocols can’t save a system from its own flawed assumptions.
Deep Dive
The Robinhood Phishing Chain
So, I saw this. I haven't actually looked at it, but it looks crazy. There is this new Robinhood phishing chain. I have a general idea of what's going on here, but apparently Robinhood allowed itself to get just utterly pronounced and it's sending emails from robinhood.com. So, the big thing, so for those that don't know in the phishing world, which you know, I just recently was on the old Twitter and I was just like, "Hey, look, I almost got 1920."
Oh my gosh. Wait, wait, wait. Why does that sound funny? I think I made it too wide. I can't remember all of a sudden. Anyways. Okay. So, there we go. Sorry, I got totally distracted. Yes, a couple days ago I posted a photo of being... right now there's a huge... By the way, for those that don't know, there's a huge X phishing thing going on right now. So, if you haven't been on the old X, which by the way, you don't have to be on X, but if you do decide to go on X, I've been getting several of them across several different accounts. Okay, it can't be this old. It has to be right here, by the way. Look at that. Look at that. There we go.
Right here. Like content on the prime.
And then they didn't even get my name spelled correctly. But they'll go here and they will be like, "Hey, by the way, you've broken DMCA. You need to sign this kind of stuff." You're getting all these emails. And so, of course, it looks pretty good, right? Like, that looks really good. But, of course, if you look right there, you can see it.
So, a phishing attack typically is just when someone pretends to be something that they're not. The thing that makes this so interesting is that apparently with this Robinhood one, it's coming from Robinhood. The killer is inside the house, right? The secret to avoiding these scams is not to have any followers. Dude, people try to scam me literally a 100 times a week now. And so this Robinhood one literally is: they figured out how to overtake Robinhood's mailing thing and actually send phishing emails from Robinhood. A new Robinhood phishing chain.
That's kind of beautiful. Attacker creates a Robinhood account using a Gmail trick of your email. Same inbox, different address. Okay, so for... Dude, also didn't realize people didn't know this. If your email is, let's just say it's ThePrimeagen, right? The Prime.
This is considered the same email in Gmail, right? Like those two are the same thing. And so people didn't realize that. Most people don't realize that.
And there are an incredible amount of services. Oh, it looks like a bunch of people are like, "What? I didn't even know this." Well, let me tell you another fun thing. You can also at the end of your Gmail add a plus and add any word you want and this will also go to the same email. So, you don't have to worry about a dot trick. You can go dot. So, a lot of times if I'm signing up for something that I think is spam, I will do that. So, that way I have a very easy way to filter it out.
Little trick. Saw that on TikTok.
There's no way. That's wild. That's a phisherman's dream. It is. It is a phisherman's dream. And in fact, it worked right here. So, Robinhood, of course, they never even did that with email addresses, as you wouldn't think that's, you know... I honestly think Gmail truly is doing the thing wrong here. Gmail should have never allowed dots to be considered non-unique. I think Gmail truly screwed it up because I believe, I want to say, as part of the email spec, I don't think that dots are considered non-changing, right? So, it'd be very confusing. Anyways, sets the device name to HTML. Robinhood's unrecognized activity emails render the device name unsanitized.
HTML injection. The result is a real email from noreply@robinhood.com. DKIM pass. I don't know what DKIM is.
SPF pass. Don't know what that is. DMARC pass. I don't know what the hell all these D's are doing in here. Okay, what is this? What kind of weird sausage party is going on in here? With a phishing CTA. Just because it's real doesn't mean it's safe. Robinhood. So, here you go. Message ID. Here it is. No reply to this. Your recent Robinhood login pass with IP. All the good stuff.
Let's look at this. Here's this person's Gmail. Here's no-reply from Robinhood.
Unrecognized activity. All of this stuff is going on right here. So, it definitely looks legitimate. Like, I'd fall for this unrecognized activity.
This all looks good. So, I assume this review activity, now that's the thing that's broken. Let's see on steps, probably wrong. They need to make an account. They hacked Robinhood app SendGrid Twilio or somehow got a Robinhood domain confirmed. Robinhood's email service SendGrid not X. Twilio is hacked or somehow verified robinhood.com domain sending out phishing emails. So, everyone's starting to see this as coming out. I don't know. I think this one is probably the correct one. Interesting.
Interesting. I received an email from Robinhood claiming they weren't hacked.
Don't see how that's possible. Nice.
They're like, "Hey, by the way, we weren't hacked." That's pretty good. This might be my favorite email of all time, to be like, "Uh, no, actually, we weren't hacked. It's actually your fault, idiot." They used the user's email with an extra dot to register on Robinhood, apparently.
That's the thing. The D things are all the extra stuff you have to put in your DNS TXT records. Okay, that's a lot of TXT records. They weren't hacked. Click here. Click here to find out more. This person penetrated the server, then just decided to phish people anyways. Or were they just sold data? My assumptions. Well, no, you can't just be sold data because the email is coming from within the house. So, it's right here. It's coming from this. So, I actually thought there was a whole thread on this. I got this wrong. I didn't realize it was just one, but it is rather interesting that this is happening. This is what they're claiming, that these things are happening. See, I don't know. I wish they would have had a couple extra photos for exactly how this was going on cuz this seems pretty interesting. We previously disclosed that based on our investigation, the unauthorized party obtained a list of email addresses for approximately five million people as well as full names of different groups, approximately two million people. All right. Well, the Robinhood thing, not that exciting. It is funny though that they are getting literally phishing emails from robinhood.com. And so whatever robinhood.com says, if they say they weren't hacked, they're lying. You cannot get phishing emails from robinhood.com without some level of being hacked. Somehow, some way, somebody has figured out a way through the system. But I guess, you know, maybe they define the word being hacked as meaning that they got some sort of breach where someone got a hold of their computer, as opposed to abusing their system to produce some sort of unwanted outcome. So maybe that's what they mean by "we weren't hacked," because they never got a hold of any system, but they abused an email system.
So, okay. All right. They're being exploited. I doubt they're being exploited. If you're being exploited, typically what's coming out isn't a couple phishing emails. I feel like something else would have to be done. I mean, I guess maybe you could convince me that it's exploitation, but that just seems like the weirdest exploitation.
Anyways, would an internal bad actor account as hacking?
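The two defects the transcript walks through, an unescaped device name dropped into an HTML email and a signup that lands in an inbox that already owns an account via Gmail's dot and plus rules, as an added example from the defender's side. This is illustrative code written for this page, not Robinhood's or the video's code; the template, the device name and the function names are all constructed assumptions.

```python
import html

# Constructed sample input (not from the page): a device name carrying markup.
# The transcript only says the device name was rendered unsanitized.
CONSTRUCTED_DEVICE_NAME = 'Chrome <a href="https://example.invalid">Review activity</a>'

# Hypothetical fragment of an "unrecognized activity" email body.
TEMPLATE = "<p>Unrecognized activity on device: {device}</p>"


def render_unsafe(device_name: str) -> str:
    """The flawed pattern: attacker-controlled text goes straight into HTML."""
    return TEMPLATE.format(device=device_name)


def render_safe(device_name: str) -> str:
    """Hardened: escape the value so any markup becomes inert text."""
    return TEMPLATE.format(device=html.escape(device_name, quote=True))


def has_link_markup(rendered: str) -> bool:
    """Cheap check used below: did an anchor tag survive rendering?"""
    return "<a " in rendered


def canonical_mailbox(address: str) -> str:
    """Canonical form of a mailbox for duplicate-signup checks.

    Assumes gmail.com / googlemail.com, where the transcript says dots in the
    local part and a '+tag' suffix both deliver to the same inbox. Other
    providers may treat dots as significant, so they are left untouched.
    """
    local, _, domain = address.strip().rpartition("@")
    domain = domain.lower()
    local = local.lower()
    if domain in ("gmail.com", "googlemail.com"):
        local = local.split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"


def collides(new_address: str, existing: set[str]) -> bool:
    """True when a new signup resolves to an inbox that already has an account."""
    canon = canonical_mailbox(new_address)
    return any(canonical_mailbox(e) == canon for e in existing)
```

A signup flow that treats `collides(...)` as a conflict, and a template layer that only ever calls `render_safe`, closes both halves of the chain described above.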