BENGALURU: Zerodha co-founder and CEO Nithin Kamath revealed on Wednesday that his personal account on social media platform X (formerly Twitter) was hacked after he accidentally clicked a link in a phishing email and entered his login credentials, triggering a conversation on cybersecurity awareness and human error.

In a detailed post shared on X, Kamath said the incident took place early Wednesday morning while he was browsing on his personal device at home. The email, he said, “got through all spam and phishing filters,” and in a “momentary lapse in attention,” he clicked on a ‘Change Your Password’ link and entered his login credentials.

“The attackers gained access to a single login session, using it to tweet a few scammy cryptocurrency links,” Kamath explained.

He clarified that the damage was contained because he had two-factor authentication (2FA) enabled, which prevented the hackers from gaining full control of his account.

Attack appeared AI-driven, not targeted

Kamath said the phishing attack appeared to be fully AI-automated rather than a targeted attempt against him personally.

“It goes on to show that no matter how careful we are, all it takes is one slip of the mind,” he wrote.

The incident underscores a rising trend in AI-powered phishing attacks, which mimic legitimate corporate or platform communications with high accuracy. Cybersecurity experts have warned that such attacks are becoming increasingly sophisticated, often bypassing traditional spam filters.

Kamath calls for holistic cybersecurity practices

Reflecting on the experience, Kamath emphasised that technical defences like 2FA alone are not enough. He urged individuals and organisations to adopt a holistic cybersecurity framework that accounts for human psychology — the “weakest link” in most systems.

“As important as technical cybersecurity are human processes, policies, and procedures that account for worst-case scenarios and the psychology of the weakest link, which is us,” Kamath noted.

He added that even though Zerodha regularly conducts awareness and policy sessions on online security, he still fell for the phishing link.

“Despite awareness, policies, systems, and conversations at Zerodha on these risks on a regular basis, all it took was one slight slip of the mind,” he said.

Kamath’s candid admission resonated across social media, as users praised his transparency and the reminder that cybersecurity failures can happen to anyone, regardless of technical expertise.

Phishing and the human factor

Phishing attacks — fraudulent attempts to obtain sensitive information by impersonating trusted entities — have been on the rise in India. According to CERT-In (Indian Computer Emergency Response Team), phishing and digital fraud incidents surged by nearly 30% in 2024, targeting not just individuals but also fintech and government portals.

Experts say the increased use of AI and automation has made phishing emails more convincing, allowing them to slip past standard security filters. These attacks often employ cloned login pages, urgent language, and official-looking branding to lure victims.

“Even the best spam filters can’t detect every cleverly crafted message. That’s why user training and awareness are as critical as firewalls or 2FA,” said a Bengaluru-based cybersecurity consultant.

Social media users react

Kamath’s post sparked widespread discussion on X, with many users sharing their own experiences with phishing emails.

“I get 1–3 of these emails daily. It’s insane. X needs to fix this. Haven’t fallen for one and hope I never do, but it’s very easy to slip,” one user commented.

Another wrote, “There are many such phishing emails coming in lately. The biggest question is, how did they get our email addresses? We never publicly shared them!”

A third user summed up the sentiment succinctly:

“Even Nithin Kamath proves it — cybersecurity isn’t just about firewalls and 2FA. One distracted morning and suddenly the internet knows your crypto secrets. Humans are the ultimate malware.”

Growing phishing risks for Indian businesses

India’s rapidly digitising financial and startup ecosystem has become a prime target for cybercriminals, especially those using phishing to infiltrate business and personal accounts.

A recent report by Kaspersky noted that over 70% of Indian enterprises reported at least one phishing attempt in the past year, with most attacks focusing on financial institutions, stockbrokers, and tech entrepreneurs.

Zerodha, India’s largest retail brokerage, handles millions of client accounts, and Kamath’s openness about the hack may prompt other industry leaders to reassess their digital hygiene practices.

Conclusion

Kamath’s admission serves as a timely reminder that cybersecurity is not merely a technical challenge but a human one. Even the most tech-savvy individuals are susceptible to split-second lapses in judgment. As phishing tactics become more AI-driven and realistic, experts urge both individuals and companies to implement layered security systems, continuous awareness training, and cautious digital behaviour.