Robinhood Hackers Stole From the Rich (And Gave to Themselves)

Robinhood Hackers Stole From the Rich (And Gave to Themselves)
Photo: Jim Watson, Getty Images

On top of the regulatory probes, risky revenue sources, and at least one suicide tracing back to its app, it looks like stock-brokering startup Robinhood has another major problem. Well, actually, two: The first is that the app’s quickly become a popular target for hackers looking to game its users out of thousands of dollars a pop. The second problem is that these customers have nowhere to turn when that happens.

That’s according to a new Bloomberg report detailing the trials some of these users went through when they tried — and ultimately failed? — to get their funds back. According to the five sources, who altogether lost close to $US20,000 ($27,636) in liquidated stocks, the company isn’t only acting far too slowly to keep this sort of fraud from happening, but also seems to willingly discourage those who were hacked from reaching out at all.

Here’s how the cash-siphoning works: After a Robinhooder liquidates their stock of choice, they can transfer those spoils — up to $US50,000 ($69,090) per day, according to the company’s terms — in one of two ways: either to the account that user already has linked to Robinhood’s systems, or to another bank account entirely. It’s an option that might be handy if you, say, have a personal checking account that you use to pour money into the app, but you want to transfer those resulting funds into a different joint account that you share with your partner. But if a bad actor’s able to get their hands on the account info of the Robinhooder in question, all they need to do is sign in under their name and reroute those funds into their own pockets instead.

It’s a super simple scam that Robinhood, for its part, has done the bare minimum to prevent. The company’s terms surrounding cash withdrawals made to one of these unlinked banks say that when one of these transfers gets started, Robinhood’s support team might ask the transferer why they’re “unable or unwilling to withdraw to the bank account [they] originally deposited funds from,” and might ask them for a government-issued ID, and a few bank statements proving that they’re the official owner of both accounts.

“Might” being the keyword here. The Bloomberg story describes one case where a Robinhooder desperately tried contacting the app’s support staff after noticing that $US10,000 ($13,818) in cash were pending delivery to an account that wasn’t hers. Rather than putting that transfer on hold, Robinhood told her that it would “investigate” the case and respond within “a few weeks.” Naturally, she never heard back. And because, in spite of the company’s recent boasts that it was filling its support team to record numbers, the company very noticeably doesn’t list any number for folks seeking customer support.

In a statement to Bloomberg, the company said that the hacked accounts were, in a sense, not their fault:

“A limited number of customers appear to have had their Robinhood account targeted by cyber criminals because of their personal email account (that which is associated with their Robinhood account) being compromised outside of Robinhood,” a spokesman for the company said in an email. “We’re actively working with those impacted to secure their accounts.”

But according to some of those who were hacked, that response doesn’t really track: either because they used a unique password for their Robinhood account, or because their accounts on other platforms that use the same email addresses are, mysteriously, untouched. In other words, if a phishing scheme snaps up someone’s email and password, and that combo’s being used in a handful of apps alongside Robinhood, you wouldn’t see the scammer ignoring the rest.

We’ve reached out to Robinhood for comment and will update our report here if we hear back.