Ripple's Chief Technology Officer Emeritus, David Schwartz, has sounded the alarm over an emerging phishing scam targeting Robinhood users, warning that even emails appearing to originate directly from the platform's official systems should not be trusted.
Although phishing schemes are not uncommon in the crypto ecosystem, the tactic behind this particular attack is notably deceptive and less frequently encountered.
In a public statement posted on April 27, 2026, Schwartz — widely known online as "JoelKatz" — wrote: "WARNING: Any emails you get that appear to be from Robinhood (and may actually be from their email system) are phishing attempts."
Schwartz emphasized that the fraudulent messages may actually be transmitted through Robinhood's genuine email infrastructure, making them significantly more convincing than typical scam attempts. To illustrate his concern, he shared images of one such malicious email, which appeared entirely legitimate at first glance — complete with login details, device information, and a prompt urging the recipient to review unrecognized account activity.
On the surface, the email displayed all the hallmarks of an authentic security alert from the platform. However, Schwartz and subsequent community discussion revealed that something more sophisticated was occurring behind the scenes.
The warning quickly sparked concern among the broader crypto community, with users questioning how a company of Robinhood's scale could have its official email system implicated in a phishing campaign. Schwartz acknowledged he did not have a confirmed explanation, but noted that early signs point to something more subtle than a straightforward hack. According to him, attackers appear to have found a method to inject malicious content directly into Robinhood's own notification system, rather than simply spoofing the sender address — a distinction that makes the scheme considerably harder for users to detect.
Why it matters
Because the fraudulent emails may pass through Robinhood's actual email infrastructure, standard authentication checks that users and email clients rely on — such as verifying the sender domain — may not flag these messages as suspicious, removing a key layer of protection.
The suspected attack vector — injecting malicious content into a platform's own notification system rather than spoofing a sender address — is technically distinct from common phishing and may not be caught by conventional spam or phishing filters.
Users who follow the general advice of "check the sender address" to identify phishing attempts may be more vulnerable here, since that heuristic does not apply when the sending infrastructure itself is implicated.
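The gap described above, shown from the defender's side as an added example (not code from Schwartz, Robinhood, or the original report): a message can pass DKIM and DMARC for the sender's domain and still carry content that points elsewhere, so the body has to be judged independently of the sender checks. The sample message, the placeholder domains, the trusted-domain list, and the assumption that the injected content contains a link to a host outside the sender's domains are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample message; every domain is a reserved placeholder.
SAMPLE = """\
From: Example Broker <noreply@example-broker.test>
To: user@example.com
Subject: Unrecognized device sign-in
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example-broker.test;
 dkim=pass header.d=example-broker.test; dmarc=pass header.from=example-broker.test
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>New sign-in from Device: Chrome on Windows.</p>
<p>Device name: <a href="https://review.example.org/activity">Review activity now</a></p>
<p><a href="https://help.example-broker.test/security">Security center</a></p>
"""

HREF = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.I)

def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def assess(raw, trusted_domains):
    """Report sender authentication and link destinations as separate signals."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    # Only an Authentication-Results header added by your own receiving MTA is meaningful.
    auth = " ".join((msg.get("Authentication-Results") or "").lower().split())
    auth_pass = "dkim=pass" in auth and "dmarc=pass" in auth
    body = "".join(
        (p.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for p in msg.walk() if p.get_content_maintype() == "text")
    hosts = sorted({h for u in HREF.findall(body)
                    if (h := (urlsplit(u).hostname or "").lower())})
    untrusted = [h for h in hosts if not any(in_domain(h, d) for d in trusted_domains)]
    # A passing sender check never clears the message: links are judged on their own.
    return {"sender_domain": sender_domain, "auth_pass": auth_pass,
            "untrusted_link_hosts": untrusted,
            "verdict": "suspicious" if untrusted else "no-untrusted-links"}

if __name__ == "__main__":
    print(assess(SAMPLE, ["example-broker.test"]))
```

A clean result from this check is not proof of safety; injected content could also carry a phone number or plain-text instructions, which link inspection does not cover.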