949 Bots Exploit Verified Email Domain to Phish 14,500
Key insights
- Attackers created 949 bot accounts in three hours, exploiting a verified Resend email domain without touching any codebase or credentials.
- All 14,520 phishing emails bypassed sender-reputation filters because they originated from the project's legitimate, verified domain.
- The developer mitigated by revoking API keys and mass-deleting accounts, but open signup attached to verified domains remains an industry-wide risk.
Why this matters
Open source projects increasingly rely on verified third-party email infrastructure like Resend, and this attack proves that an open signup flow combined with a verified sending domain is a ready-made phishing rail requiring no exploit or compromise. For founders building any multi-tenant SaaS or developer tool with invitation flows, the risk is structural: your verified domain becomes your attacker's asset the moment account creation is unrestricted. This incident signals that email deliverability partnerships need to be paired with rate limiting and bot detection at signup, or the trust infrastructure built to improve deliverability becomes a weapon against recipients.
Summary
On May 28, 949 bot accounts registered on a developer's open source project within three hours and used its verified Resend email domain to send 14,520 phishing invitations to strangers.
The attack required no code access. Bots created workspaces named with scam subject lines, triggering legitimate invitation emails from a verified domain. Recipients saw real sender addresses and real site links with no spoofing signals for filters to catch.
Essentially, for a Resend customer such as this open source maintainer: open signup plus a verified sending domain equals a ready-made phishing rail.
- 14,520 emails cleared spam filters because sender domain and destination were both legitimate
- 949 bot accounts were created and purged within a three-hour window on May 28
- Mitigation required manual API key revocation and mass account deletion by the maintainer
Verified email infrastructure attached to unverified signup is a structural attack surface, not an edge case.
Potential risks and opportunities
Risks
- Other open source projects using Resend or similar verified email services face copycat attacks now that this exploitation path is publicly documented with a working playbook
- Resend's sender reputation with major mail providers could erode if phishing volume triggers domain-level flagging, degrading deliverability for all legitimate users on its shared infrastructure
- The developer may face legal exposure if any of the 14,520 recipients suffered financial harm and regulators treat the project as the responsible sending party under applicable anti-spam law
Opportunities
- Bot detection vendors (Arkose Labs, Cloudflare Turnstile, Kasada) have a concrete, public incident to use when pitching signup fraud prevention to open source maintainers and SaaS founders
- Email infrastructure providers including Resend, SendGrid, and Postmark could differentiate by building workspace-name anomaly detection that flags scam-pattern content at account creation before any email is dispatched
- Security-focused SaaS tooling startups gain a documented case for selling invitation rate limiting and abuse reporting dashboards as default features to multi-tenant developer platform founders
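The controls the summary and the opportunities above call for (a signup gate, per-account invitation rate limiting, workspace-name anomaly checks before dispatch, and a domain-wide sending budget) can be put in front of an invitation sender in a few dozen lines. The following is an added illustration written for this briefing, not code from the affected project or from Resend; every class, threshold and scam pattern in it is an assumption chosen for the example, and the bot wave it simulates is a constructed scenario with the incident's 949-account count as input.

```python
"""Invitation-flow guard: added defensive example, not code from the project or Resend.

Models the controls the briefing names: a signup gate (verified email, minimum
account age), workspace-name anomaly checks, per-account invitation rate
limiting, and a domain-wide sending budget so one open signup form cannot
spend a verified domain's reputation. All names and thresholds are assumed.
"""
import re
import time
from collections import deque
from dataclasses import dataclass, field

# Assumed policy thresholds; tune per deployment.
WINDOW_SECONDS = 3600
MAX_INVITES_PER_ACCOUNT = 20       # per account per window
DOMAIN_BUDGET = 2000               # invites the whole domain may send per window
MIN_ACCOUNT_AGE_SECONDS = 15 * 60  # brand-new accounts cannot invite yet

# Constructed patterns for scam-style workspace names (illustrative only).
SCAM_NAME_PATTERNS = [
    re.compile(r"\b(urgent|act now|verify your account|claim your (prize|reward))\b", re.I),
    re.compile(r"https?://", re.I),   # a URL has no business in a workspace name
    re.compile(r"\$\s?\d{3,}"),       # dollar amounts, e.g. "$500 bonus"
]


@dataclass
class Account:
    created_at: float
    email_verified: bool = False
    invites: deque = field(default_factory=deque)  # send timestamps in window


class FakeClock:
    """Deterministic clock so the scenario runs offline and reproducibly."""
    def __init__(self, t: float = 0.0):
        self.t = t
    def __call__(self) -> float:
        return self.t
    def advance(self, seconds: float) -> None:
        self.t += seconds


class InviteGate:
    """Decides whether an invitation batch may leave the verified domain."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._accounts = {}
        self._domain_sends = deque()   # timestamps of every invite sent, all accounts

    def register(self, account_id):
        self._accounts[account_id] = Account(created_at=self._clock())

    def verify_email(self, account_id):
        self._accounts[account_id].email_verified = True

    @staticmethod
    def _prune(timestamps, cutoff):
        while timestamps and timestamps[0] < cutoff:
            timestamps.popleft()

    def check(self, account_id, workspace_name, recipients):
        now = self._clock()
        acct = self._accounts.get(account_id)
        if acct is None:
            return False, "unknown account"
        if not acct.email_verified:
            return False, "sender email not verified"
        if now - acct.created_at < MIN_ACCOUNT_AGE_SECONDS:
            return False, "account too new to send invitations"
        for pat in SCAM_NAME_PATTERNS:
            if pat.search(workspace_name):
                return False, "workspace name matches scam pattern"
        cutoff = now - WINDOW_SECONDS
        self._prune(acct.invites, cutoff)
        if len(acct.invites) + len(recipients) > MAX_INVITES_PER_ACCOUNT:
            return False, "per-account invitation rate limit exceeded"
        self._prune(self._domain_sends, cutoff)
        if len(self._domain_sends) + len(recipients) > DOMAIN_BUDGET:
            return False, "domain-wide sending budget exhausted"
        return True, "ok"

    def send(self, account_id, workspace_name, recipients):
        """Run the checks; on success record the sends (the real mail API call is omitted)."""
        ok, reason = self.check(account_id, workspace_name, recipients)
        if ok:
            now = self._clock()
            acct = self._accounts[account_id]
            for _ in recipients:
                acct.invites.append(now)
                self._domain_sends.append(now)
        return ok, reason


def simulate_bot_wave(bots=949, per_bot=15):
    """Constructed scenario: many verified, aged bot accounts each inviting one batch.
    Returns (emails sent, accounts blocked)."""
    clock = FakeClock()
    gate = InviteGate(clock)
    for i in range(bots):
        gate.register(f"bot-{i}")
        gate.verify_email(f"bot-{i}")
    clock.advance(MIN_ACCOUNT_AGE_SECONDS)   # bots wait out the age gate
    sent = blocked = 0
    for i in range(bots):
        recipients = [f"victim-{i}-{k}@example.invalid" for k in range(per_bot)]
        ok, _ = gate.send(f"bot-{i}", "Team Workspace", recipients)
        if ok:
            sent += per_bot
        else:
            blocked += 1
    return sent, blocked
```

The simulation makes the design point explicit: each bot stays under the per-account cap, so the per-account limit alone would let a wave of this size through, and only the domain-wide budget stops it once the first few thousand invites have gone out. Per-account limits, name checks and signup gates remove the easy cases; the shared budget is the tripwire that bounds the damage when those are evaded.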
What we don't know yet
- Whether Resend has updated its terms or added API-level rate limits to prevent similar abuse on other projects using its verified sending domains
- Whether the 14,520 targeted recipients were randomly harvested or drawn from a specific list, and how many may have acted on the phishing emails before mitigation
- Whether the project has since implemented signup verification or invitation rate limits, or whether the architectural gap remains open to repeat attacks
Originally reported by andrej.sh
Original headline: Developer Discloses How 949 Bot Accounts Weaponized His Open Source Project to Phish 14,500 People in Three Hours