Hackers are targeting accounts on Robinhood, the popular online brokerage service, with the ultimate goal of stealing customer funds, according to a wide spanning review of criminal forums and Telegram groups by 404 Media. Hackers are also advertising compromised Robinhood accounts for sale as part of that process.
The findings show how a complex ecosystem of hackers offering different services—harvesting email addresses and passwords; expertise in moving the funds; and developing tools that intercept multi-factor authentication codes—comes together to target unsuspecting Robinhood users.
“Send me all yo Robinhoods. Instant cashout,” one message in a fraud-focused Telegram group reads. “Btw cashing all Robinhoods rn,” adds another.
Robinhood positions itself as an accessible brokerage app that lets even the inexperienced enter the stock market. The app also offers the ability to buy and sell cryptocurrency, with some fraudsters specifically looking for Robinhood accounts that have this feature enabled.
404 Media found members of a wide range of popular fraud and hacking Telegram channels talking about the trade and monetization of Robinhood accounts. Some of the members advertised “FA,” or full access, Robinhood accounts for as little as $2 or $3. An online store offering such accounts claims it has sold access to more than a hundred. Posts on underground forums suggest at least some of these accounts may have been obtained by using a config—a configuration file for credential-stuffing software that rapidly tries previously leaked email-and-password pairs against a particular site, in the hope that a victim has reused the same password there, letting the hacker in.
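The config-driven attack described above leaves a characteristic trace in a site's own login logs: one source address cycling through many different usernames with a high failure rate, occasionally hitting a reused password. The following is an added defender-side example, not code from 404 Media, Robinhood, or any tool mentioned in the article. It assumes a constructed four-field log format ("timestamp ip username OK|FAIL"), constructed sample lines, and illustrative thresholds (5 distinct usernames per source, 50 percent failure ratio); a real deployment would tune those against its own baseline and add a time window.

```python
"""Flag credential-stuffing bursts in login logs and list accounts that need protection."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample log lines (not real traffic): "timestamp ip username result".
# 203.0.113.7 sprays six different accounts and gets one hit (dave@example.com).
# 198.51.100.2 is a single user mistyping a password, then succeeding: benign.
SAMPLE_LOG = """\
2024-09-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2024-09-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2024-09-01T10:00:02Z 203.0.113.7 carol@example.com FAIL
2024-09-01T10:00:03Z 203.0.113.7 dave@example.com OK
2024-09-01T10:00:04Z 203.0.113.7 erin@example.com FAIL
2024-09-01T10:00:05Z 203.0.113.7 frank@example.com FAIL
2024-09-01T10:00:09Z 198.51.100.2 alice@example.com FAIL
2024-09-01T10:00:20Z 198.51.100.2 alice@example.com OK
2024-09-01T10:01:00Z 192.0.2.9 grace@example.com OK
this line is malformed and must be skipped
"""


@dataclass
class IpStats:
    """Per-source-IP counters built from the log."""
    users: Set[str] = field(default_factory=set)          # distinct usernames attempted
    failures: int = 0
    successes: int = 0
    accounts_logged_in: Set[str] = field(default_factory=set)  # usernames with an OK result

    @property
    def failure_ratio(self) -> float:
        total = self.failures + self.successes
        return self.failures / total if total else 0.0


def parse_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Return (timestamp, ip, username, result) or None for lines that do not fit the assumed format."""
    parts = line.split()
    if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
        return None
    return parts[0], parts[1], parts[2], parts[3]


def aggregate(lines: Iterable[str]) -> Dict[str, IpStats]:
    """Group login attempts by source IP, counting outcomes and distinct usernames."""
    stats: Dict[str, IpStats] = defaultdict(IpStats)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip rather than crash the detector
        _ts, ip, user, result = parsed
        s = stats[ip]
        s.users.add(user)
        if result == "OK":
            s.successes += 1
            s.accounts_logged_in.add(user)
        else:
            s.failures += 1
    return dict(stats)


def detect_credential_stuffing(
    lines: Iterable[str],
    min_distinct_users: int = 5,      # illustrative threshold, not a recommended value
    min_failure_ratio: float = 0.5,   # illustrative threshold, not a recommended value
) -> Dict[str, IpStats]:
    """Return only the source IPs whose pattern (many usernames, mostly failures) looks like a config run."""
    return {
        ip: s
        for ip, s in aggregate(lines).items()
        if len(s.users) >= min_distinct_users and s.failure_ratio >= min_failure_ratio
    }


def accounts_to_protect(findings: Dict[str, IpStats]) -> List[str]:
    """Accounts that a flagged source actually got into: candidates for session revocation and a forced reset."""
    return sorted({u for s in findings.values() for u in s.accounts_logged_in})


if __name__ == "__main__":
    hits = detect_credential_stuffing(SAMPLE_LOG.splitlines())
    for ip, s in hits.items():
        print(f"{ip}: {len(s.users)} usernames, failure ratio {s.failure_ratio:.2f}")
    print("accounts to protect:", accounts_to_protect(hits))
```

The important design point is the second function: a credential-stuffing detector that only blocks the source IP leaves the accounts it already opened exposed, so the output that matters for the customer is the list of usernames with a successful login from a flagged source, which is what an operator would feed into session invalidation and an out-of-band reset.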
In criminal hacking communities, often one person will sell accounts, while another will buy them to then extract whatever value they can. With that in mind, another set of users offers help with cashing out those compromised Robinhood accounts. In one case, a fraudster said in a message that they take a cut of 15 to 50 percent, depending on the balance of the account. Often, the person advertising these services says they can also cash out accounts from Coinbase, the cryptocurrency exchange, which is a particularly fruitful target for hackers. Multiple users have uploaded screenshots showing what they say are hackers logged into a victim’s Robinhood account, with thousands or tens of thousands of dollars in portfolio value.
As part of cashing out, developers of so-called one-time password bots specifically advertise their ability to circumvent Robinhood’s protections. I’ve previously covered the rise of these bots, which automatically place phone calls to targets, use convincing voices to trick victims into thinking the call is from the legitimate company, and then harvest the victim’s multi-factor authentication code once they enter it on their phone’s keypad. Armed with that, a hacker may be better positioned to monetize the account. These bots are also designed to harvest codes generated by authenticator apps, and not just those sent by SMS.
In a post to Telegram, a developer of one of these bots claimed their product was used to access a Robinhood account worth $14,000. In another post, they claimed the bot was used to access a second one worth $8,000.
A Robinhood spokesperson told 404 Media in a statement that “There is no indication at this time that this is the result of a compromise of Robinhood’s systems. Robinhood has multiple controls in place in order to ensure the safety and security of customer accounts on the platform. For example, all Robinhood customers are defaulted into our trusted device program, a form of mandatory 2FA, with additional authentication requirements in place for specific products like crypto transfers.”
“In addition, Robinhood identifies and analyzes external threats, and regularly monitors for and investigates potentially unauthorized activity on its platform. Where we may suspect potentially unauthorized activity, we work with the customer to help secure and protect their account and resolve any issues,” the statement added.
Additionally, Robinhood said it often sees what it described as unverified claims like these online.
Robinhood said that the adverts offering accounts for sale are unverified, but 404 Media confirmed that some details being distributed by members of underground forums do correspond to real accounts on the brokerage service. In one case, a forum user posted a series of email addresses and passwords for what they said were Robinhood accounts in September. 404 Media verified that some of the email addresses were in use on Robinhood accounts by attempting to make new accounts with them. “A user with this email already exists,” Robinhood’s account creation page said in response.
In 2021, Robinhood announced hackers had managed to steal millions of customers’ email addresses and names.
“Just did a $14k robin,” one Telegram user wrote.