In a surprising revelation, Zerodha’s co-founder and CEO, Nithin Kamath, admitted on Thursday that his personal X (formerly Twitter) account was briefly compromised after he clicked on a phishing email. The incident, which he described as a “momentary lapse in attention,” has reignited discussions on the growing sophistication of cyberattacks and the critical need for more human-centred cybersecurity frameworks.
A Costly Morning Click
Kamath shared on X that he fell for what appeared to be a legitimate “Change Your Password” email early in the morning. The email, he said, managed to bypass all spam and phishing filters, reaching his primary inbox undetected. Trusting the source, Kamath clicked the link—unwittingly granting attackers access to one active session of his account.
Despite having two-factor authentication (2FA) enabled, the hackers used that session to post scam cryptocurrency links. Fortunately, they did not gain full control of the account. Kamath quickly regained access and contained the breach.
“It was a momentary lapse in attention,” he confessed. “The e-mail got through all spam and phishing filters.”
“Fully AI-Automated, Not Personal”
What made this attack stand out, Kamath said, was its AI-driven precision. The phishing email was not a mass spam attempt—it was intelligently designed, context-aware, and convincing enough to fool even a cybersecurity-conscious individual like him.
Kamath suggested that the phishing attack was likely “fully AI-automated and not personal,” underscoring how artificial intelligence is transforming the cyber threat landscape. Automated phishing tools can now mimic legitimate communication styles, brands, and security prompts with startling accuracy.
The Zerodha CEO’s candid admission serves as a warning: even industry leaders and digital natives are not immune to AI-enhanced scams that exploit human psychology rather than technical vulnerabilities.
When 2FA Isn’t Enough
Kamath’s post also sheds light on a growing misconception around two-factor authentication. While 2FA significantly reduces risk, it cannot protect users from session hijacking—a technique where attackers gain access to an already authenticated session.
“2FA is absolutely essential,” Kamath noted, “but clearly, it is not a technical solution to human psychology.”
The attack demonstrated that even layered security systems can be compromised if a user unknowingly initiates a malicious action. In Kamath’s case, all it took was a single misplaced click—proof that human behaviour remains the weakest link in cybersecurity.
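The gap Kamath describes can be seen in a small model of a web session store: 2FA is checked once, when a session is created, and every later request only asks whether the presented session token is valid. The code below is an added illustration, not code from X or Zerodha; the session store, the `ctx` device label and the step-up check are assumptions made for the example.

```python
import secrets


class SessionStore:
    """Minimal web session store (constructed illustration, not X's own code)."""

    def __init__(self, bind_context=False):
        self.bind_context = bind_context   # enable the step-up mitigation
        self.sessions = {}                 # token -> {"user": ..., "ctx": ...}

    def login(self, user, password_ok, otp_ok, ctx):
        """2FA is checked here, once, when the session is *created*."""
        if not (password_ok and otp_ok):
            raise PermissionError("login denied")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "ctx": ctx}
        return token

    def post(self, token, text, ctx, otp_ok=False):
        """Posting only asks 'is this token valid?'; the OTP is never seen again.
        With bind_context=True, a token presented from a client context (device
        or IP label here) other than the one it was issued to needs a fresh OTP."""
        s = self.sessions.get(token)
        if s is None:
            raise PermissionError("no such session")
        if self.bind_context and ctx != s["ctx"] and not otp_ok:
            raise PermissionError("step-up verification required")
        return f"{s['user']} posted: {text}"

    def revoke_others(self, token):
        """Log out every session except the caller's; returns how many were cut."""
        before = len(self.sessions)
        self.sessions = {t: s for t, s in self.sessions.items() if t == token}
        return before - len(self.sessions)


def demo(bind_context):
    """Owner logs in with 2FA; the session token then leaks (e.g. via a phishing
    page) and is replayed from another context. Returns 'hijacked' or 'blocked'."""
    store = SessionStore(bind_context)
    tok = store.login("owner", password_ok=True, otp_ok=True, ctx="owner-laptop")
    store.post(tok, "hello", ctx="owner-laptop")        # legitimate use
    try:
        store.post(tok, "scam link", ctx="attacker-box")  # replayed token, no OTP
        return "hijacked"
    except PermissionError:
        return "blocked"
```

Run `demo(False)` and `demo(True)` to compare a store that trusts any valid token with one that demands step-up verification when the context changes; `revoke_others` models the "regain access" step of logging out every other session.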
A Call for Human-Centred Security
Kamath used the incident as an opportunity to advocate for holistic cybersecurity frameworks—ones that go beyond firewalls, filters, and encryption to also address human fallibility.
“As important as technical cybersecurity are human processes, policies, and procedures that account for worst-case scenarios and the psychology of the weakest link—which is us,” he wrote.
He emphasized that cybersecurity training shouldn’t just be about compliance checklists but should actively simulate real-world scenarios where emotional and cognitive biases can lead to risky behaviour.
“Despite awareness, policies, systems, and conversations at Zerodha on these risks on a regular basis,” Kamath admitted, “all it took was one slight slip of the mind.”
Lessons from the Breach
The incident serves as a sobering reminder that no amount of technical defence can fully eliminate human error. Even the most vigilant professionals can fall prey to AI-powered phishing when attention lapses.
Kamath’s openness about his mistake has been widely praised online for breaking the stigma around cybersecurity incidents. By sharing his experience publicly, he’s encouraged other leaders and organizations to rethink their approach—not as one purely reliant on technology, but one rooted in understanding and protecting human behaviour.
In an age where cybercriminals use AI to exploit the smallest human error, Kamath’s experience is more than a personal cautionary tale—it’s a wake-up call for the entire digital ecosystem.