Dear Sophie: Can I start a company or a side hustle on a TN visa?

Here’s another edition of “Dear Sophie,” the advice column that answers immigration-related questions about working at technology companies.

“Your questions are vital to the spread of knowledge that allows people all over the world to rise above borders and pursue their dreams,” says Sophie Alcorn, a Silicon Valley immigration attorney. “Whether you’re in people ops, a founder or seeking a job in Silicon Valley, I would love to answer your questions in my next column.”

TechCrunch+ members receive access to weekly “Dear Sophie” columns; use promo code ALCORN to purchase a one- or two-year subscription for 50% off.

Dear Sophie:

I’m a Canadian citizen working under a TN visa as a software engineer in the U.S. I want to start my own company or at least earn money through a side hustle. Is this possible on my TN, or is the only way I can do that via a green card? If so, is it possible to get permanent residence since the TN is for non-immigrant intent?

— Clever Canadian

Dear Clever,

There are many things that the modern U.S. immigration system was not designed for, including (but not limited to): the internet, e-filing and blockchain, working remotely, working from home, the modern gig economy, startups, flexible work arrangements and contractor work.

You may know that our current system of laws was generally created by the Immigration and Nationality Act in 1952, back when everything was much simpler. The legal history at play here includes judges making decisions about tailors from China sailing to San Francisco to take measurements for suits that would be sewn months later when they returned home.

I’ll get straight to the point: you cannot do any work under your TN for anyone other than the employer that sponsored you for the TN. So, my educational message is this: no side hustles or founding of startups while on your TN.


Two TN visas at the same time?

Yes, it’s possible. Under immigration law, you can have two TN visas at the same time — one from your current employer and one from another employer, say, your startup. However, this is very difficult to achieve, and comes with two very important caveats:

Dear Sophie: Can I start a company or a side hustle on a TN visa? by Ram Iyer originally published on TechCrunch

Growth cheat code: Use fractional hiring to stay on plan when cutting costs

Venture funds are clear: Given the uncertainty of the coming few years as the Fed seeks to unwind its decades-long monetary policy, the mandate for CEOs is to:

  1. Cut burn.
  2. Slow growth.
  3. Carefully manage towards profitability.

This is a tough pill to swallow for founders who were planning to accelerate growth this year. Open Twitter and you’ll find a cacophony of founders, investors and advisers doling out advice for what to do next: downsize your product offerings; freeze all hiring; consider mass layoffs.

The fact is, you can indeed cut burn and manage toward profitability while still defaulting to growth. In fact, that’s how the winners of this downturn will pull ahead.

To manage their huge levels of risk, large companies must freeze hiring. If you’re an entrepreneur, this is good news for you.

So what does that look like?

Fractional hiring is a growth cheat code

We’ve been operating as a bootstrapped business for close to a decade, so we’re familiar with forecasting budgets around very conservative scenarios and adjusting within 30-day or 90-day windows. This has allowed us to not only stay profitable but be nimble as well. When faced with economic chaos in March 2020, we maintained our growth rate by quickly adjusting budgets.

Instead of pausing hiring and delaying our team’s ability to execute, we employ a fractional model for hiring. As we’ve scaled headcount over the years, we’ve always tried to bring on key people first as (typically, part-time) contractors, and then convert them to full-time employees.

Not gonna lie, this NGL lawsuit is kinda juicy

The anonymous Q&A app NGL climbed to the top of the App Store by tricking its users with questions it claims are sent in by their friends and by charging for useless hints about who supposedly wrote those messages. But many of the questions users receive aren’t from real people; they’re generated automatically — an idea NGL’s top competitor, the maker of the Sendit apps, is now alleging NGL’s maker stole alongside other confidential business information, according to a new lawsuit.

In a complaint filed on July 1, 2022, in the Superior Court of California, Sendit’s creator, Iconic Hearts Holdings, Inc. (previously known as FullSenders), claims that NGL acquired its trade secrets through “improper means” as a result of a breach of duties by the suit’s defendant, Raj Vir, an Instagram software engineer, who had worked on Sendit on the side.

For those who don’t keep up with teen app trends, both Sendit and NGL are leading anonymous Q&A apps, a subgroup of social apps currently popular among a younger demographic. The apps have been ranking at the top of the app store charts for months, as anonymous apps typically do — before they implode from bullying or lawsuits, or get banned by the app stores themselves.

As of today, NGL is the No. 5 top (non-game) free app on the U.S. App Store. Since launching late last year, the company has generated over $2.4 million in revenue, according to third-party estimates. Sendit’s apps are currently ranked at No. 12 in Social Networking (Sendit) and No. 57 in Social Networking (Sendit — Q&A on Instagram), and have earned over $11 million, per data from Sensor Tower.

Both Sendit and NGL allow users to post links to their social accounts, like Instagram or Snapchat Stories, which friends can click on to send the poster anonymous questions. (Think: “who do you have a crush on?” and other teenage gossip.)

The recipient, in turn, receives the questions in the app’s inbox, and can then post their response to their social accounts for all to read. The apps monetize this activity by offering their users “hints” about the person asking the questions so they can find out who asked what.

While NGL focuses only on anonymous Q&As, Sendit offers two variations of its service. Its original app is aimed at Snapchat users and provides a variety of games in addition to the anonymous Q&A feature. Its newer app, meanwhile, brings anonymous Q&As to Instagram. It launched following Snapchat’s rollout of stricter policies earlier this year that banned anonymous apps from using its developer tools. (Sendit received an extension to come into compliance with those policies, Snapchat told us.)

The apps are problematic, however, because they’ve been demonstrated to be using misleading tactics to trick their young users into thinking they were receiving engagement from friends when they were not.

Both apps are also incredibly similar, including in their visual design, how they work, their business model and other aspects.

As it turns out, that may not have been an accident.

The recently filed Iconic Hearts lawsuit (see below) states that the company hired Vir to develop Sendit’s mobile apps back in September 2018. Vir then continued to consult with the company afterward, it says. In May 2021, Iconic Hearts began having conversations with Vir about offering him a full-time position or allowing him to continue as a contractor. But instead of taking the job, Vir took the company’s ideas and insights and used them to build his own version of Sendit’s app, the complaint explains.

“Vir was integral in founding, building, and launching ‘NGL – anonymous q&a,’ an app that is nearly identical to, and directly competes with, the Sendit apps,” reads the filing. It additionally details how Vir used his friendship with Iconic Hearts’ founder, Hunter Rice, and his role as a Sendit developer and consultant in order to gain information about the company and its apps. (Apparently, Rice and Vir weren’t just business colleagues, they were friends — former high school classmates who had bonded after college over their shared interest in tech, the filing notes.)

During Vir’s time working on Sendit’s apps, he had access to insider information — like which features drove the most user engagement and other future development plans, the lawsuit states. He had also signed a developer agreement, which forbade him from using this information for any other purpose beyond his work with the Sendit apps, it says.

Rice believes Vir was never serious about the job offered to him at Iconic Hearts, the complaint continues, but was instead using his ongoing access to build NGL, a copy of Sendit which launched in late 2021 on the App Store and soon became the App Store’s No. 1 app in June 2022.

The filing explains how Vir had access to detailed app data and KPIs (key performance indicators) and other metrics designed to make the app succeed. Because of his relationship with Sendit, Vir asked for and was given access to all sorts of business data and metrics — like click-through rates, conversion rates, which prompts were the highest performing, how they were ordered to create virality, the placement of call-to-action buttons, financial performance, MRR (monthly recurring revenue), churn rate, LTV (lifetime value), metrics related to average response rates, share counts, viral coefficients, and much more.

Among these business details was Sendit’s use of fake questions. The company had previously denied using bots when TechCrunch asked.

Many users of Sendit and NGL’s apps had already suspected some of the questions they received were not really coming from their friends, but had been automatically generated. The app stores are filled with user reviews that claim these apps are tricking them, then ripping them off by charging for unhelpful hints — like those that only share a user’s city or the type of phone they have.

TechCrunch also recently tested both NGL and Sendit’s anonymous Q&A system by generating a link for questions but then didn’t show it to anyone, and yet still received half a dozen so-called “questions from friends” in our inboxes.

This feature is actually detailed in the new lawsuit as one of the many aspects of Sendit’s apps that NGL supposedly stole. Reads the complaint:

Iconic Hearts had also developed a unique system, “Engagement Messages,” which sends content to a inbox if interactions with the user had been idle over a certain period of time. “Engagement Message” re-trigger a user to use the app. This generates more “shares” on the app, more density within a user’s trend network (i.e. more people sharing more times), which adds to an app’s saturation, the most critical measure of success and growth. It took Iconic Hearts years of trial-and-error, testing, and iterating its product to optimize its proprietary Engagement Messages System and various components thereof, such as the optimal period of time after which to send an Engagement Message, how the Engagement Message gets pushed, the design of the Engagement Message, and the content of the Engagement Message.

This section essentially confirms users’ suspicions about the fake questions. It also now places a burden on the app stores to take action, we should think, as neither company discloses to its users that these “engagement messages” are not being sent by their friends as the app’s description would lead them to believe.

Surprisingly, Iconic Hearts didn’t know of Vir’s betrayal until recently. Even as late as June 2022, Vir concealed his involvement with NGL, the complaint states. The lawsuit claims Vir finally admitted his involvement to Rice on June 21, 2022, by saying “okay, I’ll clear the air. I’ve been lying to your face this entire time. I am building NGL,” and then, “congratulations for being the Head of Product at NGL.”

Yikes, if true.

Neither party has responded to our requests for comment at this time.

To what extent Iconic Hearts will be able to prove its claims in court remains to be seen. The suit is asking for damages and injunctive relief. The suit also names dozens of unknown defendants who may be working or partnering with NGL, which Iconic Hearts hopes the court will reveal and name.

ICONIC HEARTS HOLDINGS, INC. vs. RAJ VIR; NGL LABS LLC; and DOES 1 through 50, inclusive, by TechCrunch on Scribd

Proptech still has fundamental problems for entrepreneurs to solve

Over the last decade, one tech sector that affects everyone’s quality of life — from where we live to what we put in our homes — has come a long way. Proptech has made our lives easier with innovations like smart homes, Airbnb, and the ability to shop for and secure a mortgage from our phones.

But major gaps, and opportunities, remain.

For example, the single-family residential market is enormous. Approximately $2 trillion worth of homes were sold in 2021, per CoreLogic. But buying a home is still an excruciatingly difficult process. A team from Keller Williams identified 180 things a seller’s agent does, and even this list, as exhaustive as it is, does not fully account for the many other players in a typical transaction.

Today, buying a house is a lot like running the steeplechase: you have to sprint between obstacles and pray you have the stamina to survive it all. It should not be this hard. So let’s fix it. This is a call to current and would-be proptech entrepreneurs to solve the problems that are close to home.

There has arguably never been a better moment to get started. Capital is searching for good ideas and quality execution. In 2021, venture capital poured a record $11.7 billion into proptech. While the market has started to slow down this year, driven in part by factors such as public market performance, inflation, and higher interest rates, there is still strong investor appetite for great and novel ideas with excellent execution.

If no one can find your house online, is it really even for sale?

Starting a business is hard, but we now have a path for proptech, lined with funders and advisors, that can propel entrepreneurs over early obstacles through to maturity and deep market penetration.

Proptech can solve many fundamental homebuying issues

Proptech still has fundamental problems to attack, including one of the most common: purchasing a home.

Below are eight high-leverage homebuying pain points that have not been sufficiently addressed. Because of the enormity of the housing industry, even marginal improvements in some of these areas will be greeted enthusiastically, and big leaps forward will be handsomely rewarded.

Housing affordability

The challenge: Many Americans cannot own a single-family residence, regardless of how long and how wisely they save. High construction costs, strong demand pushing up prices on relatively low supply, and low incomes can make homeownership difficult or impossible.

This is not a problem solely for lower-income households. The National Association of Realtors’ Housing Affordability Index, which measures the degree to which a family with the median income can afford monthly mortgage payments on a median-priced home, fell 30% between April 2021 and April 2022. Housing is taking up a greater percentage of Americans’ income.

Remote raises $300M more, now at a $3B+ valuation, to manage payments and more for globally distributed workforces

Remote workforces have come into their own in the last several years, with companies ever more willing to tap into talent wherever it happens to be, and a vast array of low-friction tools being built to make those distributed teams work just as effectively as if they were all in the same physical space. Today, Remote, which has built a platform to hire distributed employees, and then make sure they are remunerated easily and legally — in other words, tech that helps companies with some of the trickiest aspects of managing a remote workforce — is announcing a big round of funding as it emerges as one of the bigger players to watch in the world of HR addressing global and distributed workforces.

The startup has raised $300 million, funding that it will be using to continue building out the tools that it provides to its customers and to expand its technology and services to more geographies. SoftBank Vision Fund 2 is leading the round, with previous investors Accel, Sequoia, Index Ventures, Two Sigma Ventures, General Catalyst, 9Yards, Adams Street and Base Growth also participating. This Series C values Remote at over $3 billion.

The size of the funding round and its timing (it’s been less than a year since Remote’s Series B, a $150 million round at a $1 billion+ valuation in July 2021) underscore a couple of things. One is the focus distributed work has had, particularly in the last couple of years — a trend that was already in place before Covid-19 but definitely accelerated as a result of it; two is how Remote itself has expanded in that time.

The company — based out of San Francisco but with a totally remote workforce itself, with its two co-founders based in Europe — says that the number of employees processed through the Remote platform grew by 900% in the last year, with revenues up 13x in the same period (we have asked and the company does not disclose actual revenues or other specific numbers). That pace does not appear to be slowing down, even as offices gradually reopen and many parts of the world look to return to pre-Covid routines.

At the other end of the tech world spectrum, there’s been evidence that some of the funding exuberance of the last couple of years around pandemic-spurred theses (like rising demand in categories like remote work and delivery) is getting more bearish. But that trend too appears to have passed over Remote, which raised this round in the last quarter.

“The power dynamics have completely changed between employers and employees,” Remote CEO Job van der Voort said in an interview, with people more empowered he noted to work from wherever they want, and companies needing to provide remote working facilities to secure the talent at the price they want. “We only see this accelerating. If there were a slow down in that trend, maybe we couldn’t have raised this much.”

Remote’s customers now range from small startups to large enterprises and include GitLab, DoorDash, Hello Fresh, Loom and Paystack, with companies sometimes processing payments and more for as few as four employees through Remote, while others are processing for thousands. Services it offers today include payroll, benefits, taxes and local compliance (including Employer of Record services) for contractors and full-time employees.

As for its footprint, Remote says it currently provides services to “over 60” countries, but Job van der Voort, the CEO who co-founded Remote with Marcelo Lebre (COO and CTO), said that the aim is to expand that to 100 this year, ultimately serving 140 countries.

The challenge that Remote is addressing is longstanding in the world of work, one that has been exacerbated with globalization. Hiring and then managing the administration of contractor or employed hires — when they are not based out of a company’s main office and country, and potentially not in any office at all but at home — can be a thorny business, crossing a number of different challenges in areas like international banking, local labor regulations and human resources management. Typically, companies have addressed this by working with local employment companies who have handled various processes manually for them, which led to an expensive and fragmented approach that ultimately held companies back from wanting to embark on the process at all; or not following policies that would be more beneficial for the company and its workers in the long run.

Van der Voort had previously been VP of product at GitLab, where he was a supporter of remote work but also someone who understood those challenges first-hand: he helped to build that organization’s remote team to 450 employees from just five. Lebre, meanwhile, had been the VP of engineering for Unbabel, which builds tools for companies to communicate with a global customer base, where he too worked with a distributed team and also saw the opportunity of addressing this area in a better way.

There are a number of tech startups in the market today that are tackling different aspects of remote employment, including the likes of Papaya Global, Oyster, Deel, HackerRank, and Turing. Remote’s unique selling point has been to build its stack from the ground up, building and providing Employer of Record services, fully operational legal entities, payroll and benefits, visa and immigration support and employee relocation, all provided in the cloud so that an employer can manage teams in different places from a single dashboard.

The company’s pace of growth in terms of its footprint speaks not just to the complexities and challenges of building out services like these, but also that integrated approach that Remote has taken in doing so.

“The reality is that it’s very difficult to open a new country and sometimes the reasons for a delay are out of our control,” Van der Voort said.

The integrated approach speaks to the tech chops of the company and how it will scale. Notably, Papaya Global made an acquisition of Azimo the other week specifically to bring money transfer services into its own fold — a feature that Van der Voort noted Remote already had in its stack.

“The way people work has permanently changed and the shift to remote and hybrid work has enabled companies to hire from anywhere in the world, but this can be an intensive, costly and risky process,” said Brett Rochkind, managing partner at SoftBank Investment Advisers, in a statement. “Remote has built a full-stack, global platform that creates a fast, seamless experience to hire and onboard new employees regardless of where they are. We are excited to partner with Job, Marcelo and the team to support their mission to open up the vast potential of the world for every person, business and country.”


8 open source companies from YC Demo Day Winter ’22

Wicked fast VPNs, data organization tools, auto-generated videos to spice up your company’s Instagram stories … Y Combinator’s Winter 2022 open source founders have some interesting ideas up their sleeves. And since they’re open source, some of these companies will let you join in on the fun of collaboration too. Here are all of the open source related companies presenting at Demo Day in the Winter 2022 cohort.

Tuva Health

Founded: 2021

Location: Salt Lake City, Utah

What it says it does: Tuva cleans messy healthcare data to help the healthcare industry build scalable data products.

Promises include: Tuva wants to become the open standard for healthcare data transformation and build the data network for multisite benchmarking and research.

How it says it differs from rivals: Tuva uses machine learning to further develop its technology.

Founders: Co-founders Coco (Jorge) Zuloaga and Aaron Neiderhiser have worked in healthcare data science for a decade. They’re using that experience to help digital health companies get their data ready for analytics and machine learning.

Our thoughts: Have you ever gone to the doctor and waited for minutes while the nurse’s computer — running Windows 2000 — struggles to open your chart, only to find that they don’t have updated information about what meds you’re on? We can only imagine how mind-numbingly tedious it would be for health tech companies to organize all this stuff, so it seems like Tuva Health is doing a good service by making their software open source. Now, to get that nurse off of Windows 2000…


Firezone

Founded: 2021

Location: Mountain View, California

What it says it does: Firezone is building an open source alternative to OpenVPN and Cisco AnyConnect using a new VPN protocol called WireGuard. The company is targeting businesses to help remote workers access private networks.

Promises include: Apparently, using WireGuard makes Firezone faster than its competitors.

How it says it differs from rivals: Speed! Cryptography! It’s also worth noting that fellow cohort members Netmaker are also developing open source software based on WireGuard.

Founders: Co-founder Jamil Bou Kheir spent eight years at Cisco, a direct competitor! Spicy! Kheir also lived in a “tiny hacker house” for two years, which … while we don’t want to know what the tiny hacker house smells like, we appreciate the out-of-the-box idea.

Our thoughts: Faster VPN options? Sounds good to us. We’re a bit more fixated on the tiny hacker house, though. What’s going on there?


GrowthBook

Founded: 2020

Location: Palo Alto, California

What it says it does: GrowthBook is an open source platform to help companies make data-driven product decisions with feature flags and A/B tests.

Promises include: GrowthBook focuses on feature flagging and experimentation and operates under the ethos that this is the best way to build products at scale.

How it says it differs from rivals: GrowthBook says that an existing SaaS solution, LaunchDarkly, requires a company to send them all of their data, which poses high costs and security concerns. GrowthBook says it solves this by using a company’s existing data infrastructure and business metrics.

Founders: Co-founders Jeremy Dorn and Graham McNicoll both used to work at as chief architect and CTO respectively. After’s exit in 2019, the two of them began working on GrowthBook.

Our thoughts: Startups will likely be more comfortable using open source software to help them make product decisions rather than sending all of their data to a third-party provider.


Eventual

Founded: 2022

Location: San Francisco, California

What it says it does: Eventual is a data warehouse for images and video, making it easier for enterprise machine learning teams to design continuous pipelines that ingest, organize and process imaging data.

Promises include: Eventual wants to help companies save time and money by optimizing workflow.

How it says it differs from rivals: Eventual says that it’s the first turn-key data warehouse for images and video. Instead of using SQL, Eventual’s query interface is a Lambda function that can be written in the programming language of your choice.

Founders: Jay Chia and Sammy Sidhu both have backgrounds in deep learning — they worked together on Lyft Level 5 to build autonomous driving technology that was acquired by Toyota.

Our thoughts: If these founders can get cars to drive autonomously, data organization via machine learning should be a piece of cake, right? (At least it’s a business endeavor less likely to result in an accident.)


Netmaker

Founded: 2021

Location: Asheville, North Carolina

What it says it does: Netmaker is an open source tool based on the WireGuard VPN protocol.

Promises include: Netmaker claims to operate 15 times faster than OpenVPN.

How it says it differs from rivals: Netmaker and its cohort-mate Firezone are both open source, faster alternatives to existing VPN software.

Founders: CTO Dillon Carns and CEO Alex Feiszli left their software engineering gigs to develop Netmaker. Feiszli formerly served as a senior engineer at IBM, a consultant at Deloitte and a contractor for Red Hat.

Our thoughts: Without testing the products, we can’t really say whether Netmaker or its cohort-mate Firezone is faster, but we do know that Netmaker’s CTO has a dog named Pepper. The ball’s in your court, Firezone.


Toolchest

Founded: 2021

Location: Mountain View, California

What it says it does: Per Toolchest’s website, “We have felt the pain of implementing and scaling computational biology tools. We’re here to build better core tooling for bioinformatics.”

Promises include: Toolchest says it will make it possible for drug discovery companies to get analysis results up to 100 times faster.

How it says it differs from rivals: Users don’t need to migrate their data or learn how to use a new platform. Toolchest makes implementing and scaling computational biology tools just three lines of code.

Founders: CTO Bryce Cai has an academic background, researching computational chemistry and mathematics at Stanford. CEO Noah Lebovic previously led software engineering at a now-acquired microbiome startup.

Our thoughts: Toolchest is so open source that its signature three lines of code are literally just on the homepage of their website.


Unai

Founded: 2021

Location: San Francisco, California

What it says it does: Unai is developing a VR headset and virtual world that aims to help people feel connected to one another in the virtual world.

Promises include: Unai wants to make VR interactions look, feel and sound like they do in real life.

How it says it differs from rivals: Unai believes that “virtual presence” is the “first killer use case” for VR, not gaming.

Founders: Maxim Perumal built Relativity, an open source VR headset, at age 15. Now, as CEO of Unai, Perumal recruited a team with former senior engineers from companies like Apple, Nvidia, Intel, Activision, Meta and Sony.

Our thoughts: Since Unai is still in stealth, it’s hard to say what makes its technology different from mainstream headsets like the Meta Quest 2. But we cannot understate Unai’s biggest advantage, which is that Mark Zuckerberg is not its CEO.

Instant Domains

Founded: 2022

Location: Victoria, Canada

What it says it does: Instant Domains claims that in less time than it takes to create a social media profile, businesses can buy a domain, launch a site and start collecting revenue.

Promises include: Instant Domains is encrypted and promises to never collect data about its users.

How it says it differs from rivals: Technically, you can set up a Squarespace or a Wix site pretty fast too — but Instant Domains says it’s even faster and easier. It may not be as flexible as other no-code website builders, but it’s less expensive ($10 a year for a domain, plus an optional $5 a month for extra features). Some business owners might not need all of the bells and whistles on other platforms.

Founders: Instant Domains is an outgrowth of Instant Domain Search, a side project that CEO Beau Hartshorne built in 2005, which now makes around $1 million in annual revenue. Hartshorne is joined by CTO Dirkjan Ochtman, a 20-year veteran in software engineering and accomplished open source maintainer.

Our thoughts: Hot take: Squarespace is expensive. Normally, I urge people to just make a free WordPress site and attach their own domain to it, but if Instant Domains can accomplish what it sets out to, maybe we won’t have to mess around in cPanel to get an affordable website up and running. Instant Domains kind of feels like Linktree but with custom domain management built in.


Uberduck

Founded: 2021

Location: Seattle, Washington

What it says it does: Uberduck calls itself “Canva for programmable video,” making video that can be automatically generated via API.

Promises include: Within minutes, Uberduck will generate dynamic videos that can be personalized with customer data. Uberduck can also be used to develop advertisements and social media posts. You can also … clone your voice? Deepfake yourself? Use wisely.

How it says it differs from rivals: Uberduck boasts a Discord community of almost 3,000 members who collaborate to turn AI research into design tools for the app.

Founders: Samson Koelle holds a Ph.D. in statistics and has worked for places like Amazon and the National Institutes of Health. Koelle is joined by co-founders William Luer and Zach Wener, who was once an editorial fellow at The Atlantic (is the tech journalist to tech founder pipeline a thing?).

Our thoughts: Finally, a startup that calls itself “Canva for [use case]” that actually makes sense in comparison to Canva.


Captain’s contractor lending tool aims to speed up home repairs after natural disasters

Repairing a home that’s been destroyed in a hurricane, tornado, flood or fire can take quite a while, displacing homeowners during that time.

Captain founder and CEO Demetrius Gray noted that following storms, like the Katrina and Sandy hurricanes, the average primary recovery period was 14 months. Smaller storms can still take up to five months for financing and repairs to be completed as the homeowner works with their mortgage company, insurance provider and contractor to get the work completed.

Add in that the average homeowner insurance deductible is $1,000 and the fact that the average consumer has only $400 in savings, and you can imagine that homeowners have to find creative solutions to get back to normal and tolerate that it will take time, he added.

That’s where Captain comes in. The fintech company, founded in May 2021, came out of stealth mode Thursday with a lending tool aimed at bridging the gap between those policyholders, insurance companies and contractors so that a homeowner can choose a contractor and have repairs completed within 30 days versus 180 days.

“There is a new paradigm of severe events occurring and there has to be climate adaptation,” Gray told TechCrunch. “People are waiting years after events to recover or are searching for how to pay for that. The way in which Captain can help is by giving contractors all of the tools they need to get through the claims process faster and easier.”

Prior to starting Captain, Gray was an accountant in construction companies focused on insurance restoration work. He saw that no one was really merging the data for how roofing contractors inspected work, and if you could bring that together, you would be able to tell which house should file a claim and which shouldn’t.

That turned into WeatherCheck, a Kentucky-based damage prediction company that was part of Y Combinator’s winter 2019 batch. He still owns the company and plans to use WeatherCheck’s data at Captain in the future.

The contractor business is still mainly done with pen and the three-ply contracts we all know well. Captain took that process, digitized it and embedded it into an application combined with legal due diligence for state and local requirements.

Once the contractor and work are vetted and approved for financing, the company vets the data coming from the insurance company and determines if that is correct or not. Approval to begin work and get financing with Captain takes about 30 minutes.

Captain then manages the interaction with the insurance carrier and other third parties and pays all of the bills for the work, eliminating the lien risk for the policyowner, helping the process run more smoothly and letting the contractor focus on the work.

The company is already working with 50 contractors throughout the U.S. and has paid out $5 million. Gray anticipates being able to deploy another $20 million to contractors in the next three months, thanks in part to $104 million in total financing that the company raised.

The funding includes $4 million in seed capital backed by NFX, GGV Capital and Red Swan. The other $100 million is debt financing from CoVenture.

In addition to deploying more capital, Captain will use the new funding to expand its sales and engineering teams and round out its leadership team with new hires for roles, including vice president of engineering, head of growth and head of talent. The company has nine employees currently, and Gray expects to expand that to between 50 and 75 by the end of the year. The company is also targeting new cities, including Dallas, Denver and Chicago, which often have exposure to hail.

Up next, Gray sees Captain looking at other offerings, for example, to finance projects for homeowners in places where there is no requirement for insurance once you own your home. The company is preparing for California’s fire season by recruiting homebuilders and remediation contractors there.

Captain is not alone in offering lending to contractors; for example, Sunlight Financial, Enhancify and Billd all provide some kind of funding to contractors. Where Gray sees his company differentiating itself is by focusing on the policyholder rather than on the insurance company, as others do.

“The lens in which we view ourselves is how we can help the policyholder put their life back together as quickly as possible,” he added. “It is about introducing solutions targeted on the other side of the insurance contract. The policyholder has rights, but don’t know what they are and are often left to fend for themselves. We are giving guided solutions for when the unfortunate does occur.”

Red Cross says ‘state-sponsored’ hackers exploited unpatched vulnerability

The recent cyberattack on the International Committee of the Red Cross (ICRC), which compromised the data of more than 515,000 “highly vulnerable” people, was likely the work of state-sponsored hackers.

In an update published on Wednesday, the ICRC confirmed that the initial intrusion dates back to November 9, 2021, two months before the attack was disclosed on January 18, adding that its analysis shows that the intrusion was a “highly-sophisticated” targeted attack on its systems — and not an attack on third-party contractor systems as the ICRC first said.

The ICRC said it knows that the attack was targeted “because the attackers created code designed solely for execution on the concerned ICRC servers.” According to the update, the malware used by the attacker was designed to target specific servers within the ICRC’s infrastructure.

Hackers gained access to the ICRC’s network by exploiting a known but unpatched critical-rated vulnerability in a single sign-on tool developed by Zoho, which makes web-based office services. The vulnerability, which was given a CVSS severity score of 9.8 out of 10, was the subject of an advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in September.

By exploiting this flaw, the unnamed state-sponsored hackers then placed web shells and carried out post-exploitation activities, like compromising administrator credentials, moving throughout the network, and exfiltrating registry and domain files, according to the ICRC.

“Once inside our network, the hackers were able to deploy offensive security tools which allowed them to disguise themselves as legitimate users or administrators. This in turn allowed them to access the data, despite this data being encrypted,” the ICRC said. The Red Cross added that it has no conclusive evidence that the data stolen in the attack has been published or is being traded, nor was a ransom demand made, but said it’s contacting those whose sensitive information may have been accessed.

The ICRC says its anti-malware tools on the targeted servers were active at the time of the attack and blocked some of the malicious files used by the attackers, but that most of the files deployed were “specifically crafted to bypass” its anti-malware protections.

These tools, the ICRC notes, are typically used by advanced persistent threat (APT) groups, or state-backed attackers, but the Red Cross said it has not yet formally attributed the attack to any particular organization. A Palo Alto Networks report from November 2021 linked exploitation of the same vulnerability to a Chinese state-sponsored group, known as APT27.

As a result of the cyberattack, the Red Cross said it’s had to resort to using spreadsheets to carry out its vital work, which includes reuniting family members separated by conflict or disaster.

“It is our hope that this attack on vulnerable people’s data serves as a catalyst for change,” Robert Mardini, the director-general of the ICRC, said in a statement. “We will now strengthen our engagement with states and non-state actors to explicitly demand that the protection of the Red Cross and Red Crescent Movement’s humanitarian mission extends to our data assets and infrastructure.

“We believe it is critical to have a firm consensus — in words and actions — that humanitarian data must never be attacked.”

The IRS won’t make you verify your identity with facial recognition after all

The IRS announced plans Monday to back away from a third-party facial recognition system that collects biometric data from U.S. taxpayers who want to log in to the agency’s online portal.

The IRS says it will abandon the technology, built by a contractor called, in the coming weeks. The agency says it will instead swap in an “additional authentication process” that doesn’t collect facial images or video. The two-year contract was worth $86 million.

“The IRS takes taxpayer privacy and security seriously, and we understand the concerns that have been raised,” IRS Commissioner Chuck Rettig said. “Everyone should feel comfortable with how their personal information is secured, and we are quickly pursuing short-term options that do not involve facial recognition.”

The update to the U.S. tax collection agency’s online verification system, set for a full roll-out over the summer, was roundly criticized for collecting sensitive biometric data on Americans.

Many tax filers already encountered the system live on, where they were required to submit facial videos to create an online login. If that system failed, tax filers were put into lengthy queues to have their identities manually verified in video calls with a third-party company.

In a letter to Rettig, Reps. Ted Lieu (D-CA), Anna Eshoo (D-CA), Pramila Jayapal (D-WA) and Yvette Clarke (D-NY) raised concerns that allowing a private company to collect face data from millions of Americans posed a cybersecurity risk. The lawmakers also pointed to the body of research demonstrating that facial recognition systems are often built with inherent racial bias that makes the technology far more accurate for non-white faces.

“To be clear, Americans will not have the option of providing their biometric data to a private contractor as an alternative way to access the IRS website,” the lawmakers wrote.

In choosing to roll out the facial recognition technology, the IRS ran afoul of privacy hawks but also the federal government’s own General Services Administration, which has publicly committed to not implement facial recognition tech unless such a system undergoes “rigorous review” to evaluate if it will cause unforeseen harm. The GSA’s existing identity verification methods eschew the need for biometric data, relying instead on scans of government records and credit reports.

Locations and contact data on 515,000 vulnerable people stolen in Red Cross data breach

A cyberattack targeting a contractor working for the International Committee of the Red Cross has spilled confidential data on more than 515,000 “highly vulnerable” people, many of whom have been separated from their families due to conflict, migration and disaster.

The Red Cross did not name the contractor, based in Switzerland, which it uses to store data nor say what led to the security incident, but said that the data comes from at least 60 Red Cross and Red Crescent national societies.

In a statement, the international organization pleaded with the attackers not to publicly share or leak the information given the sensitivity of the data.

“Your actions could potentially cause yet more harm and pain to those who have already endured untold suffering. The real people, the real families behind the information you now have are among the world’s least powerful. Please do the right thing. Do not share, sell, leak or otherwise use this data,” read the statement.

As a result of the breach, the organization shut down its Restoring Family Links program, which aims to reunite family members separated by conflict or disaster.

A spokesperson for the Red Cross told TechCrunch that the stolen information included names, locations and contact information, as well as credentials used to access some of the organization’s programs.

“The hack compromised personal data such as names, locations, and contact information of more than 515,000 people. The people affected include missing people and their families, unaccompanied or separated children, detainees and other people receiving services from the Red Cross and Red Crescent Movement as a result of armed conflict, natural disasters or migration. Login information for about 2,000 Red Cross and Red Crescent staff and volunteers who work on these programs has also been compromised. No other information at the ICRC was compromised due to the segmentation of the systems,” said Red Cross spokesperson Crystal Ashley Wells.

International human rights groups and disaster relief agencies are an increasing target for hackers. Last year the United Nations had its network breached by unknown cyberattackers, and Microsoft revealed that the U.S. Agency for International Development was targeted to launch malicious emails to thousands of targets.

Updated with comment from Red Cross. Carly Page contributed reporting.