Robinhood suffers phishing attempt ahead of quarterly earnings

By TheStreet Roundtable
7 days ago

"Ain't no rest for the wicked."

The last weekend of April continued to be a restless one as back-to-back attacks and exploits came to light.

A classic phishing attempt targeting Robinhood (Nasdaq: HOOD) customers was exposed.

On April 26, multiple Robinhood customers reported on X that they were receiving email alerts from the official "[email protected]" address.

The emails carried the subject line "Your recent login to Robinhood." They looked like an alert on "Unrecognized Activity Detected on your Account" with a clickable "Review Activity Now" button.

Each email said that changes had been detected in the user's account and that the login device was an iPhone 17 Pro.

Users immediately raised the alarm on X about the emails, and the phishing attempt was soon revealed.


How it worked

Attackers created or modified a Robinhood account in a way that allowed them to inject code or links into the device name field. 

Robinhood's system then pulled that unfiltered field directly into its automated "recent login" email template. 

As a result, users received legitimate-looking alerts that included a malicious "Review activity" button. 

Clicking the link led to a fake login page that asked for usernames, passwords, and sometimes two-factor codes, giving attackers everything they needed for an account takeover.
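The flaw described above, sketched as an added example (not Robinhood's code): a user-controlled device name pasted into an HTML email template, next to a version that validates the field on input and escapes it on output. The template text, function names and sample input are all hypothetical.

```python
import html
import re

# Hypothetical alert template; the real Robinhood template is not on the page.
TEMPLATE = "<p>Unrecognized activity detected.</p><p>Device: {device}</p>"

# Allow-list for device names: short, and no characters that can form markup.
DEVICE_NAME_RE = re.compile(r"[A-Za-z0-9 ._'()\-]{1,64}")

# Constructed sample input: a "device name" that closes the paragraph and adds a link.
INJECTED = ('iPhone 17 Pro</p><a href="https://example.invalid/review">'
            'Review Activity Now</a><p>')


def render_unsafe(device_name: str) -> str:
    """The flaw described above: the field is pasted into the HTML unfiltered."""
    return TEMPLATE.format(device=device_name)


def clean_device_name(device_name: str) -> str:
    """Input check: keep names on the allow-list, replace anything else."""
    if DEVICE_NAME_RE.fullmatch(device_name):
        return device_name
    return "Unknown device"


def render_safe(device_name: str) -> str:
    """Validate on input, then HTML-escape on output, so either layer
    alone still keeps user text from becoming markup."""
    return TEMPLATE.format(device=html.escape(clean_device_name(device_name)))


def count_links(fragment: str) -> int:
    """Count anchor tags in rendered output; the template itself has none."""
    return len(re.findall(r"<a\s", fragment, flags=re.IGNORECASE))


if __name__ == "__main__":
    for name in ("iPhone 17 Pro", INJECTED):
        print(count_links(render_unsafe(name)), count_links(render_safe(name)))
```

Counting anchors in rendered output against the number the template itself contains also works as a pre-send check in a mail pipeline.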

Robinhood issued a warning on the same day, urging users to delete the emails and avoid clicking on suspicious links. For users who had already clicked and were facing trouble, Robinhood asked them to contact the company immediately. 

Robinhood further wrote on X:

"This phishing attempt was made possible by an abuse of the account creation flow. It was not a breach of our systems or customer accounts, and personal information and funds were not impacted."

The phishing attempt also comes just two days before Robinhood announces its earnings for the first quarter of 2026. The announcement is scheduled for April 28 after market hours.

Crypto chaos continues for another weekend

The last two weekends have not been kind to crypto. From the Drift exploit to KelpDAO, malicious actors continued attacking crypto projects and firms through the last weekend of April as well.

Robinhood was not the only one to experience an exploit attempt on Sunday.

Purrlend: 

Lending protocol Purrlend paused operations on Saturday, April 25, after detecting irregular activity across its deployments on MegaETH and HyperEVM, two newer, speed-focused blockchain networks.

MegaETH is an Ethereum layer-2 backed by Ethereum co-founder Vitalik Buterin that launched its public mainnet in February. HyperEVM is the smart contract layer of Hyperliquid, a blockchain built primarily for trading.

Purrlend runs on both as a lending platform, where users deposit crypto to earn interest or borrow against their holdings.

Attackers drained roughly $1.2 million from HyperEVM, mostly dollar-pegged stablecoins, including 449,683 USDC, 214,125 USDT0, and 194,745 USDH, plus smaller amounts of tokenized Bitcoin and wrapped tokens. 

MegaETH lost another $324,549 in USDT0, WETH, and USDm. Total losses were approximately $1.52 million.

The exploiter's wallet addresses are visible on both networks' public block explorers, but no funds have been recovered.

Litecoin:

On Saturday, a few hours later, Litecoin's network underwent a 13-block reorganization after a zero-day vulnerability was exploited. 

A reorganization (or "reorg") is when the network backtracks and rewrites recent blocks or transactions on the blockchain.

A zero-day vulnerability is a flaw that no one knew existed until someone exploited it. 

Attackers found such a vulnerability in Litecoin's MimbleWimble Extension Block (MWEB) privacy layer, a feature Litecoin added to let users send transactions more privately, hiding amounts and addresses.

The bug was patched within hours, the Litecoin team said on X. Although no funds were permanently stolen, the event exposed coordination gaps and raised questions among some users about the security of newer features.

Scallop (Sui): 

Scallop, Sui's largest lending protocol, suffered an exploit on Sunday. This resulted in approximately $140,000 in losses. 

Following the breach, the Scallop team froze affected contracts, identified the vulnerability, and restored operations. User deposits remained unaffected. 

The attacker targeted an old and forgotten V2 contract deployed in November 2023 that remained accessible on-chain under Sui's immutable design. 

Rather than using standard SDK pathways, they interacted directly with the older contract version. 

By staking 136,000 sSUI (a staked version of Sui's native token), the attacker manipulated the system's verification logic to receive massively inflated rewards, effectively draining the side pool. 

Additionally, the attacker briefly tampered with Scallop's price feeds, skewing SUI/USDC rates to borrow assets cheaply before repaying a flash loan in a single transaction block. 

The attacker has reportedly offered to return 80% of the funds in exchange for a bounty, though Scallop has not yet confirmed an agreement.

Scallop later announced the unfreezing of the core contracts and assured users that deposits and funds remain unaffected. Withdrawals and deposits are now operating normally.

TheStreet Roundtable has reached out to Robinhood, Purrlend, Litecoin, Scallop, and Sui for comment and had not received responses at the time of publication.
