Zerodha co-founder and CEO Nithin Kamath revealed that his X (formerly Twitter) account was briefly compromised on on the morning of October 15 after he fell victim to a sophisticated phishing attack. The incident occurred despite having two-factor authentication enabled and being well-versed in cybersecurity practices, highlighting how even tech-savvy individuals can become targets of increasingly sophisticated cyber threats.Kamath disclosed to his 7.4 lakh followers that he clicked on a “Change Your Password” link in a phishing email that bypassed all spam and security filters while browsing on his personal device early in the morning. The attackers gained access to a single login session and posted several cryptocurrency-related scam links from his account before he could regain control.The phishing email closely mimicked legitimate X security alerts, creating a sense of urgency that caught even the experienced entrepreneur off guard during a momentary lapse in attention. The message appeared authentic enough to deceive someone who regularly deals with cybersecurity concerns at one of India’s largest brokerage firms.

Two-factor authentication prevents complete account takeover

Fortunately, Kamath had two-factor authentication activated, which prevented the hackers from taking full control of his account or accessing it from additional devices. He noted that the attack appeared to be “fully AI-automated and not personal,” suggesting the use of artificial intelligence in crafting convincing phishing emails that can evade traditional security filters.This represents a growing trend where cybercriminals leverage AI technology to create more sophisticated and believable phishing campaigns that can fool even security-conscious users.

Human error remains cybersecurity’s weakest link, says Kamath

Reflecting on the incident, Kamath emphasised that “all it takes is one slip of the mind” and stressed the importance of holistic cybersecurity frameworks that account for human psychology beyond just technical solutions. “2FA is absolutely essential, but clearly, it is not a technical solution to human psychology,” he wrote, calling for organisations and governments to implement comprehensive security measures that include human processes, policies, and procedures.Despite regular cybersecurity awareness conversations at Zerodha, Kamath acknowledged that even the most prepared individuals remain vulnerable to sophisticated phishing attacks. The compromised posts were quickly removed, and account access was restored shortly after the breach.