Zerodha’s Nithin Kamath Hacked by AI-Powered Phishing Attack

‘One Slip of the Mind’: Zerodha CEO Nithin Kamath Falls for Phishing Scam, X Account Hacked

The420 Web Desk

Bengaluru — Even the most vigilant individuals can fall prey to sophisticated cyberattacks. Zerodha co-founder and CEO Nithin Kamath revealed that his personal X (formerly Twitter) account was hacked after he clicked on a deceptive phishing email.

Kamath, who has long been a vocal advocate for cybersecurity and digital awareness, admitted that the breach occurred due to “a momentary lapse in attention.” The incident has reignited conversations about the growing sophistication of phishing scams and the need for human-focused cybersecurity strategies.

The Breach: AI-Driven Phishing Attack Bypasses Filters

According to Kamath’s post, the attack happened early Wednesday morning while he was browsing on his personal device. The phishing email, crafted to look authentic, slipped past spam and phishing filters and appeared to come from a trusted source.

Believing it to be legitimate, Kamath clicked on a link labeled “Change Your Password” and entered his credentials. This allowed attackers to gain access to one active login session, which they used to post scam cryptocurrency links from his account.

“Luckily, they couldn’t take over the full account apart from gaining access to the one session from the phishing flow,” Kamath wrote, crediting two-factor authentication (2FA) for preventing a full account compromise.

He added that the attack appeared to be “fully AI-automated and not personal,” suggesting that machine learning tools were used to bypass filters and mimic legitimate emails, a growing trend in global cybercrime.

Human Error: ‘No Matter How Careful We Are…’

Reflecting on the incident, Kamath emphasised that even the best technical safeguards cannot fully eliminate the risk of human error.

“No matter how careful we are, all it takes is one slip of the mind,” he wrote.

He noted that cybersecurity must extend beyond technical infrastructure to include processes, policies, and awareness programs that address human psychology — “the weakest link” in the security chain.

Kamath candidly acknowledged that despite Zerodha’s internal cybersecurity practices, including regular awareness campaigns, he still fell for a well-crafted phishing message.

“Despite awareness, policies, systems, and conversations at Zerodha on these risks on a regular basis, all it took was one slight slip of the mind,” he said.

A Wake-Up Call for Individuals and Organisations

Experts say Kamath’s experience reflects a growing cybersecurity challenge: AI-assisted social engineering attacks that use convincing, automated phishing messages to trick even security-conscious users.


Cybersecurity specialists have warned that generative AI can now produce context-aware phishing emails, spoofing official domains and communication patterns so accurately that traditional filters fail to detect them.

Kamath’s admission, coming from a fintech industry leader, has sparked conversations across India’s tech ecosystem about building resilient human systems alongside technological defences.

He urged companies and government agencies to adopt holistic cybersecurity frameworks that go beyond password policies and 2FA, integrating behavioural science, training, and human error modeling into their protocols.

Cyber Hygiene Lessons From the Incident

Kamath’s experience serves as a timely reminder for individuals and organisations alike:

  • Always verify sender domains before clicking links in emails, even if they appear legitimate.
  • Use multi-factor authentication across all platforms; while it may not prevent session hijacking, it can block total compromise.
  • Review account sessions regularly and revoke suspicious logins immediately.
  • Educate teams on phishing awareness through periodic simulated exercises.
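The first lesson above, verifying the sender domain and the real destination of a link before acting on an email, is the kind of check that can be automated. The following Python script is an added example, not code from the article or from Zerodha; the trusted-domain allowlist, the sample From: headers and the sample links are all constructed for illustration. It flags a sender whose domain only begins with a trusted name (`x.com.account-verify.example`), a link whose visible text shows one domain while the href goes to another, and a non-HTTPS link.

```python
"""Sender-domain and link checks of the kind the lessons above recommend.
Added example; the allowlist and the sample emails below are constructed."""
from __future__ import annotations

import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains this user legitimately expects mail from (assumed for the example).
TRUSTED_DOMAINS = frozenset({"x.com"})

# A domain as a human would read it inside link text, e.g. "https://x.com/reset".
_DOMAIN_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def sender_domain(from_header: str) -> str:
    """Domain part of the address in a From: header, lower-cased ('' if none)."""
    _display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def is_trusted(domain: str, trusted: frozenset[str] = TRUSTED_DOMAINS) -> bool:
    """True only for an exact trusted domain or a real subdomain of one.

    'mail.x.com' passes; 'x.com.evil.example' and 'x-com.example' do not,
    because the trusted name must be the *end* of the host, not a prefix.
    """
    return any(domain == t or domain.endswith("." + t) for t in trusted)


def domain_in_text(text: str) -> str:
    """Domain the reader sees in the link text, or '' if the text shows none."""
    m = _DOMAIN_RE.search(text)
    return m.group(1).lower() if m else ""


def check_email(from_header: str, links: list[tuple[str, str]]) -> list[str]:
    """Return warnings for an email given its From: header and (text, href) links."""
    warnings: list[str] = []
    dom = sender_domain(from_header)
    if not dom:
        warnings.append("sender: no parseable address")
    elif not is_trusted(dom):
        warnings.append(f"sender: {dom} is not a trusted domain")
    if "xn--" in dom:  # punycode label, often a look-alike of a real name
        warnings.append(f"sender: {dom} uses punycode (possible look-alike)")
    for text, href in links:
        parsed = urlparse(href)
        host = (parsed.hostname or "").lower()
        if parsed.scheme != "https":
            warnings.append(f"link: {href} is not https")
        if not is_trusted(host):
            warnings.append(f"link: {href} points to untrusted host {host}")
        shown = domain_in_text(text)
        if shown and shown != host:
            warnings.append(f"link: text shows {shown} but goes to {host}")
    return warnings


# Constructed samples: one legitimate notification and one phishing lure.
LEGIT = ("X <noreply@x.com>",
         [("Change your password", "https://x.com/settings/password")])
PHISH = ("X Security <security@x.com.account-verify.example>",
         [("https://x.com/settings/password",
           "http://x-com.account-verify.example/login")])

if __name__ == "__main__":
    for label, (hdr, links) in (("legit", LEGIT), ("phish", PHISH)):
        print(label, check_email(hdr, links) or "OK")
```

The deciding detail is in `is_trusted`: a trusted name must be the end of the host, so `x.com.account-verify.example` and `x-com.example` both fail even though each contains the string a hurried reader is looking for. A mail client or a mail-gateway rule can apply the same logic to the From: header and to every anchor in the body before a "Change Your Password" link is ever shown to the user.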
