The “Zendesk Hack” – Why You Just Woke Up to 800+ Spam Emails (And Why The FBI Isn’t Actually After You)

The CyberSec Guru


TL;DR – The Quick Breakdown

  • Thousands of users are reporting waking up to hundreds of “Support Ticket Received” emails from companies they’ve never interacted with (Hello Games, italki, Fourth, etc.).
  • Some of these emails contain terrifying messages about being “wanted by the FBI” or claims that your device is compromised.
  • Zendesk has not been breached in the traditional sense. Your account is likely safe. This is a massive “Email Bomb” exploit where hackers are using legitimate company help desks to attack you.
  • Do not click links. Do not reply. Mark as spam. We explain how to stop the flood below.

“I Have 800 Unread Emails”

Imagine waking up, grabbing your phone, and seeing a notification badge that usually reads “5” suddenly reading “852”. You panic. You open your mail app, and it’s a chaotic stream of subject lines:

  • “Request Received: Account Suspension Imminent”
  • “Ticket #99283: FBI Investigation Opened”
  • “Hello Games Support: We received your request”
  • “Electrocompaniet: Confirming your ticket”

This is the reality for thousands of internet users today in what is being dubbed the “Great Zendesk Spam Wave of 2026.” Reports are flooding Twitter/X, Reddit, and cybersecurity forums. Users are terrified, thinking their identity has been stolen or that they are targeted by law enforcement. One viral report reads:

“Woke up today to find out ZenDesk has been hacked once again and apparently me being wanted by the FBI… I just got EIGHT HUNDRED emails from them over the course of about an hour. They’re all scams sent from different Zendesk instances.”

If this sounds like your morning, take a deep breath. You are not under investigation. You are the victim of a sophisticated, albeit annoying, Denial of Service (DoS) attack targeting your inbox.

Who Is “Emailing” You?

This attack is unique because the emails are technically coming from legitimate servers. They pass SPF, DKIM, and DMARC checks (email authentication protocols), which is why they bypassed iCloud and Gmail spam filters.

Victims are reporting automated ticket confirmations from a bizarre mix of companies, including but not limited to:

  • Hello Games (Creators of No Man’s Sky)
  • italki (Language learning platform)
  • Fourth (Hospitality software)
  • Electrocompaniet (Audio equipment)
  • Ledger (Crypto hardware wallets – ironic, given the security focus)
  • Moog Music
  • Glassdoor

Crucial Note: These companies have not necessarily been hacked. Their help desk software (Zendesk) is being abused. They are victims of this spam wave just as much as you are, as their support teams are currently drowning in millions of fake tickets.


How The “Zendesk Exploit” Works

To understand why this is happening, we have to look at how customer support software works. This is a classic “Reflection Attack”.

The Open Door

Many companies configure Zendesk to be as user-friendly as possible. They allow “Anonymous Ticket Creation.” This means anyone—you, me, or a bot—can go to support.examplecompany.com and submit a help request without logging in.

The Form Field Weaponization

When you fill out a support form, there is a field for “Your Email Address.” Normally, you put your own email there. However, attackers use a script (a bot) to fill out thousands of these forms on thousands of different company websites instantly.

The Catch: In the “Your Email Address” field, they don’t put their email. They put YOUR email.

The Auto-Responder Flood

Once the bot hits “Submit,” the company’s Zendesk system thinks you just asked for help. It immediately fires off an automated email to the address provided (yours):

“Thank you for contacting Support! We have received your request (Ticket #12345).”

Now, multiply this by 5,000 different companies. The attacker triggers 5,000 support desks at once. Your inbox is instantly crushed by 5,000 legitimate, high-reputation emails that Google and Apple trust.

The “FBI” Payload

Why do some emails say you are wanted by the FBI? Zendesk tickets usually include a copy of the message you “sent.” The attackers write the threat in the body of the ticket. So, the email you receive looks like this:

From: Support @ Hello Games
To: [Your Email]
Subject: Request Received

Hello, we received your request:

> “I have hacked your device and the FBI is looking for you. Pay 5 BTC to this wallet…”

It looks like Hello Games is threatening you, but they are just echoing back the text the bot typed into their form.

Why Are They Doing This? (The 3 Theories)

Security researchers are debating the motive. Why annoy random people?

Theory A: The “Smokescreen” (Most Likely)

This is a common tactic used by credit card thieves. If a hacker buys a $2,000 laptop with your stolen credit card, Amazon sends you a confirmation email. If your phone buzzes once, you see the fraud and cancel it. But if your phone buzzes 800 times in one minute, you will mute notifications or miss the one real Amazon alert hidden inside the pile of Zendesk spam.

Action Item: Check your bank statements immediately.

Theory B: The “Reputation Nuke”

Competitors or trolls may be trying to destroy the email reputation of the companies involved (like Hello Games). If Hello Games sends 50,000 spam emails in an hour, Gmail might blacklist their domain, crippling their business.

Theory C: Phishing

Some of these emails contain links to “Cancel this ticket” or “View your case.” These links may redirect to malicious phishing sites designed to steal your real credentials.

Expert Analysis: Is Zendesk At Fault?

Technically, this is not a software bug in Zendesk code. It is a configuration choice.

A renowned cybersecurity analyst notes:

“This is the ‘Open Relay’ problem of the 2020s. Companies want friction-less support, so they don’t use CAPTCHAs. Zendesk offers tools to prevent this, but they aren’t enabled by default. Until ‘CAPTCHA on Ticket Submission’ becomes the industry standard, this will keep happening.”

Zendesk has previously issued advisories on “Email Bombing,” recommending that admins:

  1. Enable CAPTCHA for anonymous requests.
  2. Restrict ticket submission to registered users only.
  3. Monitor for spikes in ticket creation.

However, many older Zendesk instances (like the ones listed above) have legacy configurations that leave them wide open.

WHAT TO DO

If you are currently under attack, follow these steps strictly.

DO NOT DELETE EVERYTHING (Yet)

This sounds counter-intuitive, but remember Theory A. The attackers might be hiding a real purchase notification.

  • Search your inbox for keywords like “Bank”, “Transfer”, “Purchase”, “Amazon”, “Paypal”, “Alert”.
  • Ensure no real financial crimes are happening behind the smoke.

Don’t Mark As “Spam” (Use Filters Instead)

If you mark legitimate support emails from “Hello Games” or “Glassdoor” as spam, you might permanently hurt their domain reputation or miss real support emails in the future.

  • Better Move: Create a temporary filter.
  • Gmail: Settings > Filters > Create New Filter.
  • Criteria: Has the words “Request Received” OR “Ticket received”.
  • Action: “Skip Inbox (Archive it)” or “Apply Label: Zendesk Spam”.
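The inbox search and the temporary filter described above can be combined into one triage pass. The following is an added example, not code from the article: it checks the financial keywords before the ticket phrases, so a real alert whose subject happens to contain “Request received” is never archived. The sample messages, addresses and bucket names are constructed for illustration.

```python
import email
from email import policy

# Phrases from the article's Gmail filter and its inbox-search keywords.
TICKET_PHRASES = ("request received", "ticket received")
FINANCE_WORDS = ("bank", "transfer", "purchase", "amazon", "paypal", "alert")

def triage(raw_messages):
    """Sort raw RFC 5322 messages into review / archive / inbox buckets."""
    buckets = {"review": [], "archive": [], "inbox": []}
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        subject = str(msg["Subject"] or "")
        sender = str(msg["From"] or "")
        # Only headers are inspected: the body of a ticket confirmation is
        # text typed by whoever filled in the form, so it proves nothing.
        haystack = f"{sender} {subject}".lower()
        if any(word in haystack for word in FINANCE_WORDS):
            # Checked first so a real alert is never archived by the ticket rule.
            buckets["review"].append(subject)
        elif any(phrase in haystack for phrase in TICKET_PHRASES):
            buckets["archive"].append(subject)
        else:
            buckets["inbox"].append(subject)
    return buckets

# Constructed sample messages (senders and wording are made up).
SAMPLE = [
    "From: Support <support@games.example>\n"
    "Subject: Request Received: Account Suspension Imminent\n\nbody",
    "From: Orders <orders@shop.example>\n"
    "Subject: Your purchase of Laptop 15 has shipped\n\nbody",
    "From: Help Desk <help@audio.example>\n"
    "Subject: Ticket #99283: FBI Investigation Opened\n\nbody",
    "From: Card Alerts <no-reply@bank.example>\n"
    "Subject: Request received: card payment of 2000 USD\n\nbody",
]

if __name__ == "__main__":
    for bucket, subjects in triage(SAMPLE).items():
        print(bucket, subjects)
```

The third sample stays in the inbox because its subject matches neither list, which shows that the two filter phrases alone will not catch every ticket confirmation.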

Check HaveIBeenPwned

Your email address was likely picked up from a database leak. Check HaveIBeenPwned.com to see where your data might have leaked recently.

Wait It Out

These attacks cost the attackers computing power and proxy bandwidth. They rarely last more than 24-48 hours. The flood will stop.

How To Stop Your Zendesk From Being Used

If you are reading this and you run a Zendesk instance for your company, check your logs immediately. If you see a spike in tickets from random emails, you are being used as a weapon.

Immediate Mitigation:

  1. Turn on CAPTCHA: Go to Admin Center > People > Configuration > End Users > Enable CAPTCHA.
  2. Close Open Tickets: Temporarily disable “Anyone can submit tickets” if the attack is severe.
  3. Review Triggers: Ensure your auto-responders don’t echo back the full ticket body content if it contains suspicious keywords/hashes.
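For the log check and the “monitor for spikes in ticket creation” advice, here is an added example (not Zendesk's or the author's code) that flags a burst of anonymous web-form tickets from addresses the help desk has never seen before. The `timestamp,channel,requester` CSV layout, the window, the threshold and the sample lines are assumptions constructed for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

def find_spikes(log_lines, known, window=timedelta(minutes=10), threshold=5):
    """Return the times at which first-time requesters within `window` reach `threshold`."""
    seen = {addr.lower() for addr in known}
    recent = deque()   # creation times of web-form tickets from never-seen addresses
    alerts, alerting = [], False
    for line in log_lines:
        stamp, channel, requester = line.strip().split(",")
        when = datetime.fromisoformat(stamp)
        requester = requester.lower()
        while recent and when - recent[0] > window:
            recent.popleft()              # forget tickets older than the window
        if channel == "web_form" and requester not in seen:
            recent.append(when)
        seen.add(requester)
        if len(recent) >= threshold:
            if not alerting:              # report once per burst, not per ticket
                alerts.append(when)
            alerting = True
        else:
            alerting = False
    return alerts

# Constructed data: existing customers, one genuine newcomer, then a burst.
KNOWN = {"alice@customer.example", "bob@customer.example"}
SAMPLE_LOG = [
    "2026-01-20T01:10:00,web_form,alice@customer.example",
    "2026-01-20T02:05:00,email,bob@customer.example",
    "2026-01-20T02:40:00,web_form,newuser@mail.example",
    "2026-01-20T03:00:05,web_form,v1@mail.example",
    "2026-01-20T03:00:09,web_form,v2@mail.example",
    "2026-01-20T03:00:14,web_form,v3@mail.example",
    "2026-01-20T03:00:21,web_form,v4@mail.example",
    "2026-01-20T03:00:30,web_form,v5@mail.example",
    "2026-01-20T03:00:33,web_form,v6@mail.example",
]

if __name__ == "__main__":
    for when in find_spikes(SAMPLE_LOG, KNOWN):
        print("ticket spike from first-time requesters at", when.isoformat())
```

The single newcomer at 02:40 does not trigger an alert; only the fifth never-seen requester inside ten minutes does.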

The New Normal of Cyber-Annoyance

The “Zendesk Hack” of 2026 isn’t a hack of a company, but a hack of the system of trust we built for customer service. As long as we value convenience over security, open forms will be weaponized.

If you received 800 emails today, pour yourself a coffee, check your bank account, and set up a filter. The internet is just having a tantrum. You are safe.

Frequently Asked Questions (FAQs)

Was Zendesk actually hacked?

Zendesk’s core databases have not been breached. This is an abuse of the “Public Ticket Submission” feature on individual company accounts hosted by Zendesk.

Am I really wanted by the FBI?

No. The attackers typed that threat into the message body. The email is legitimate, but the text inside is a lie fabricated by the bot.

Why did iCloud/Gmail let these through?

Because the emails are coming from real, high-reputation domains (like legitimate companies). Spam filters look at who sent the email. Since “Hello Games” is a real company with a good reputation, the filter trusts it.

Should I delete my email account?

No! That is an overreaction. The spam will stop. Just filter it for now.

Can this hack my phone?

Possibly, but only if you click the links inside the emails and download a file. If you just open the email to read it, you are generally safe on modern devices (iOS/Android).

Disclaimer: This article is for informational purposes only. If you suspect financial fraud, contact your bank immediately.
