Why Did Zerodha CEO Nithin Kamath Fall for an AI Phishing Attack Despite 2FA?
Zerodha’s co-founder and CEO, Nithin Kamath, known for his strong advocacy of cybersecurity and digital hygiene, unexpectedly became a victim of a sophisticated AI-driven phishing attack. The incident has reignited concerns about the rising complexity of social engineering tactics, even among tech-savvy leaders.
About Zerodha and the Incident
Zerodha is India’s largest retail brokerage firm, with millions of investors using its platform daily. Its co-founder, Nithin Kamath, is widely regarded for promoting financial literacy and robust cybersecurity practices.
However, on October 15, 2025, Kamath’s personal X (formerly Twitter) account was compromised after he fell for an AI-generated phishing email. Despite using two-factor authentication (2FA), attackers gained temporary access to one of his active sessions and used it to post scam cryptocurrency links to his 740,000 followers.
How the Attack Unfolded
The breach began when Kamath received an email titled “Change Your Password” that appeared to come from X’s security team. The email bypassed spam filters using realistic formatting and AI-generated metadata that mimicked genuine communications. The phishing link redirected him to a convincing clone of the X login page, leading to credential compromise.
Once the attackers obtained credentials, they leveraged a single authorized session to post crypto scam links. The account was quickly secured, and the posts were removed within an hour after Kamath’s intervention.
Rising Threat of AI-Based Phishing
Experts suggest that AI is making phishing harder to detect by generating highly personalized and context-aware content. Phishing attempts now include perfect grammar, authentic domain lookalikes, and convincing user-agent data.
Cybersecurity researchers warn that even experienced users can be deceived by these new-generation attacks. This highlights the need for behavioral vigilance beyond technical safeguards such as 2FA.
What Investors and Startups Can Learn
The Zerodha incident serves as a reminder that digital threats evolve faster than defenses. Startups handling sensitive client data must invest in AI-based email filtering systems and conduct regular security awareness drills.
Kamath has since shared his experience publicly, urging users to verify email sources manually and avoid clicking links even in urgent-looking messages.
For daily expert perspectives on evolving market dynamics and cybersecurity insights, explore our trading guidance section below:
Investor Takeaway
Even leaders in finance and technology are not immune to social engineering. The takeaway for investors and professionals alike is to combine digital literacy with practical caution. Relying solely on tools like 2FA is no longer sufficient in the age of AI-generated threats.
Stay informed about cybersecurity and financial market updates through the insights shared at Indian-Share-Tips.com, which is a SEBI Registered Advisory Services.
SEBI Disclaimer: The information provided in this post is for informational purposes only and should not be construed as investment advice. Readers must perform their own due diligence and consult a registered investment advisor before making any investment decisions. The views expressed are general in nature and may not suit individual investment objectives or financial situations.
