'One slip of the mind': Zerodha's Nithin Kamath falls for a phishing scam. Here's what happened

The phishing email, seen in a screenshot, closely mimicked X’s real alerts, claiming a login from Delhi on a Chrome desktop.
Business Today Desk
  • Oct 16, 2025,
  • Updated Oct 16, 2025 2:56 PM IST

Zerodha co-founder Nithin Kamath's personal X account was compromised after falling for a phishing email despite having two-factor authentication and strong cybersecurity protocols in place.

In a post, Kamath shared how a momentary lapse in attention led him to click a “Change Your Password” link in a phishing email disguised as a legitimate X security alert. The attackers gained access to one active session, using it to post scam cryptocurrency links from his account.


“This e-mail got through all spam and phishing filters,” Kamath wrote. “I clicked on the 'Change Your Password' link and entered the password. The attackers gained access to a single login session... I had 2FA enabled, so luckily, they couldn't take over the full account.”

He added that the breach appeared to be fully AI-automated, not personally targeted.

Kamath used the incident to underline a broader point: that technical defenses alone aren’t enough. “All it takes is one slip of the mind,” he wrote. 

“As important as technical cybersecurity, are human processes, policies, procedures that account for worst-case scenarios and the psychology of the weakest link — which is us.”

Despite regular internal conversations on cybersecurity at Zerodha, Kamath acknowledged that awareness doesn’t guarantee immunity. “2FA is absolutely essential, but clearly, it is not a technical solution to human psychology,” he added.


The phishing email, seen in a screenshot, closely mimicked X’s real alerts, claiming a login from Delhi on a Chrome desktop. It urged the recipient to verify their identity or change their password — a tactic that even a seasoned tech entrepreneur fell for.
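Because the lure worked by pointing a legitimate-looking "Change Your Password" link at an attacker-controlled page, the one mechanical check that would have caught it is to compare where each link in a security alert actually goes against the brand's real domains, ignoring the sender address (trivially spoofed) and the link's visible text. The Python script below is an added example and is not code from the original article, from Zerodha or from X; the e-mail it parses is constructed to resemble the alert described above, and the hostnames under .example, the trusted-domain list and the function names are assumptions.

```python
"""Flag links in a 'security alert' e-mail whose real destination is not the
brand's own domain. Added example; the message below is constructed and the
.example hostnames are hypothetical."""
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the domains X's genuine alerts link to. Adjust per sender.
TRUSTED_DOMAINS = {"x.com", "twitter.com"}

# Constructed sample modelled on the alert described in the article
# (new login, Delhi, Chrome desktop). Not a real message. The From header
# is deliberately plausible: sender addresses are spoofable, so this check
# never consults it.
SAMPLE_EMAIL = """\
From: X <no-reply@x.com>
Subject: New login to your X account from Delhi
Content-Type: text/html; charset=utf-8

<html><body>
<p>We noticed a new login to your account on Chrome on Windows from Delhi, India.</p>
<p>If this wasn't you, <a href="https://x.com.verify-login.example/reset">Change your password</a>.</p>
<p>Need help? Visit <a href="https://account-x.example/help">https://help.x.com</a>.</p>
<p><a href="https://x.com/settings">Review your account settings</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a href> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname (naive: wrong for co.uk-style suffixes)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def html_body(msg):
    """Return the decoded text/html part of a parsed message, or ''."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            return part.get_payload(decode=True).decode(charset, "replace")
    return ""


def suspicious_links(raw_email, trusted=TRUSTED_DOMAINS):
    """Return links whose destination is untrusted or differs from the URL shown."""
    msg = message_from_string(raw_email)
    extractor = LinkExtractor()
    extractor.feed(html_body(msg))
    findings = []
    for href, text in extractor.links:
        host = urlparse(href).hostname or ""
        reasons = []
        if registrable_domain(host) not in trusted:
            reasons.append("destination host is not a trusted domain")
        # A link whose visible text is itself a URL on another host is a
        # classic lure: the reader trusts what they see, not the href.
        shown = re.search(r"https?://([^/\s]+)", text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            reasons.append("displayed URL host differs from destination")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

On the constructed message the script flags the password-reset link (its host ends in an untrusted .example domain even though it begins with "x.com") and the help link (the text shows help.x.com but the href goes elsewhere), and passes the genuine x.com link. The check is deliberately narrow: it catches a wrong destination, not a page that looks right, and it does nothing once the reader has already typed a password into the wrong site.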

Kamath’s takeaway: cybersecurity needs to be holistic — blending tech with behavioral safeguards — because the weakest link often isn’t software. It’s human.
