The VC ‘Scramble For Europe’ breaks out in the East as a €70M fund breaks cover

There is a fight emerging in Central and Eastern Europe, and all the way down into the South Eastern regions.

Investors such as Inovo, Credo, LAUNCHub, Vitosha, VentureFriends and Marathon VC are VCs of varying sizes who are, as we speak, roaming everywhere from Estonia and Poland all the way down to Greece and Turkey looking for early-stage startups to write cheques for.

The gun was fired in this race when, last year, LAUNCHub Ventures out of Sofia, Bulgaria, headed towards €70 million for its new fund. And when Vitosha Venture Partners raised a $30 million fund. And again when VentureFriends in Athens raised a €100 million fund.

What happened to Western European VCs in the last 15 years started to happen to Central and Eastern (and South Eastern) VCs about 2-3 years ago and is now gathering pace. I mean, they even have their tech media ecosystem now, for heaven’s sake.

The latest sign of this trend is the news that 500 Istanbul, formerly a loosely-associated fund with 500 Global in San Francisco, has launched a €70 million early-stage fund and is rebranding as “500 Emerging Europe”.

The fund will focus on Turkey, Central Europe, and the Baltics – its own definition of ‘emerging Europe’. The fund plans to invest in pre-seed and seed rounds with first tickets as high as €2m, and in follow-on rounds. The fund has made 14 investments over the last year, as well as its first investment in Poland (additional investments in CEE and the Baltics are in the works, I’m told).

Started in 2016, 500 Istanbul began with a $10.5M fund and invested in 40 companies from Turkey, Hungary, Romania, Bulgaria, Greece, Ukraine and Poland, and has 3 unicorns in its portfolio. Investments include Polish edtech Village Network and Avatao, a software training platform out of Hungary.

It says its portfolio companies in aggregate generate more than $600M in revenues and have now raised $1.1B in follow-on funding.

In an interview with me, General Partner Enis Hulli said: “Given that we love doing $1m checks at idea stage to top tier founders (a limited number of them emerge from the region) we mostly compete with UK funds that do pan-European investing. Our differentiation is having an American brand and network, global offices in 20+ locations, portfolio in 70 countries (both US and global expansion support).”

That may be the case, but as the past recedes, having those US connections is less interesting, as other VCs in the region will make their own connections to US networks and US VCs.

There may be an era when 500 Emerging Europe will just have to drop the “500” in another rebranding exercise, especially when founders increasingly ask “why only 500?”.

The VC ‘Scramble For Europe’ breaks out in the East as a €70M fund breaks cover by Mike Butcher originally published on TechCrunch

More venture funds are betting on Central and Eastern Europe

Welcome to The TechCrunch Exchange, a weekly startups-and-markets newsletter. It’s inspired by the daily TechCrunch+ column where it gets its name. Want it in your inbox every Saturday? Sign up here.

Central and Eastern Europe have had less venture capital at their disposal than their GDP or population could warrant. But with new funds lured in by their startups’ talent pool, global mindset, and capital efficiency, this could be starting to change. Let’s explore. — Anna

What do UiPath, Vinted and Wise have in common?

Startup founders in Central and Eastern Europe will soon have more dry powder to chase.

In recent weeks, we learned that Underline Ventures was halfway through raising a €20 million fund to invest in Romania and nearby countries; that Poland-based Inovo VC was targeting €100 million for its third fund; and that Spanish-born Demium was launching a new fund to invest in Central European startups, with plans for a second close of €30 million to €40 million in September.

Key European tech founders and investors launch OneUkraine charity to assist Ukraine

A host of major European tech founders and investors are today backing the launch of OneUkraine, a new charity providing sustainable humanitarian relief for the Ukrainian people.

OneUkraine will be supporting Ukrainians at home and abroad, delivering humanitarian aid, and aiming to rebuild the tech and broader infrastructure of Ukraine through SMEs and startups on the ground. With many of the organisation’s founding members being from Ukraine or having family ties to the country, the organisation hopes to leverage direct access to local networks and real-world data about the country’s needs.

The organisation says it has now evacuated more than 5,500 people, mostly women and children, and already delivered aid worth more than EUR 4 million. It’s also built a Ukrainian school in Lithuania to provide education for refugees.

In a statement, Martin Reiter, CEO and co-founder of OneUkraine, said: “With many of our founders born and raised in Ukraine, we felt compelled to help our friends, family, and colleagues. All of our founders have proven track records leading or founding tech unicorns, and we are now doing collectively what we do best: working quickly and efficiently at scale, providing instant and much needed humanitarian relief for the people of Ukraine. We believe that we can help best by bringing an entrepreneurial, data-driven and sustainable approach to the world of humanitarian aid, complementing other major relief efforts.”

OneUkraine’s founding team:

•   Martin Reiter: Martin ran Groupon Ukraine back in 2011 and still has many friends in Ukraine. Martin previously held leading positions at Airbnb and Wayfair Europe and co-founded to help evacuate Ukrainian women and children.

•   Martina Kojic: Martina grew up in post-war Croatia, with the impact and trauma of the post-war situation shaping much of her childhood. Martina co-founded to help evacuate Ukrainian women and children.

•   Markus Fuhrmann: Markus, whose wife and her family are from Mariupol, Ukraine, is CEO and co-founder at GROPYUS, and previously co-founder of and Delivery Hero.

•   Wolfgang Heigl: Wolfgang, who lives in Lithuania, is the founder of NFQ and HomeToGo.

•   Viktoriya Tigipko: Viktoriya, born and raised in Kyiv, Ukraine, is the founding partner of TA Ventures and founder of ICLUB Global, a network of angel investors. She is the founder of WTECH, a 5k+ network of women in tech business, chairman of the board of the Ukrainian Startup Fund and founder and president of the Odesa International Film Festival.

•   Johannes Reck: Johannes, whose grandfather grew up in a small village which today is part of western Ukraine, is the co-founder and CEO of GetYourGuide.

•   Dmitry Gorilovskiy: Dmitry, whose mother is from Rovno, Ukraine, has been organising adoptions of Russian orphans with disabilities since 2014, when the Russian government prohibited adoption by foreigners. He is a serial founder of product design, IoT and machine learning businesses such as Woodenshark and Moeco.

•   Klaus Hommels: Klaus is the founder and chairman of Lakestar and one of Europe’s leading venture capitalists.

•   Jens Hilgers: Jens, whose wife is Ukrainian, is a serial entrepreneur and has built and managed international games and tech companies in Central and Eastern Europe as well as in Asia. Among others, Jens is founding GP at BITKRAFT Ventures and is co-founder and chairman at G2 Esports.

•   Alexa Sinyachova: Alexa is Ukrainian. She is the co-founder and CEO at Moeco and a WTech Berlin curator.

US, UK and EU blame Russia for ‘unacceptable’ Viasat cyberattack

The U.S., U.K. and EU have formally blamed the Russian government for the February cyberattack against satellite communications provider Viasat, which triggered outages across central and eastern Europe hours before Russia launched its invasion of Ukraine.

“The European Union and its member states, together with its international partners, strongly condemn the malicious cyber activity conducted by the Russian Federation against Ukraine, which targeted the satellite KA-SAT network, operated by Viasat,” the EU said in the joint statement attributing the attack to Russia.

While the primary target of the attack is believed to have been the Ukrainian military, which relies heavily on satellite communications, the February 24 attack also impacted internet service for thousands of Viasat customers in Ukraine and tens of thousands of customers across Europe. The attack also disconnected remote access to about 5,800 wind turbines across Germany as they relied on Viasat routers for remote monitoring and control.

The attack on Viasat’s network has not yet been fully resolved months later. Viasat says the cyberattack also damaged tens of thousands of terminals that cannot be repaired and said in its most recent analysis of the incident that it had so far shipped almost 30,000 routers to customers in an effort to bring them back online.

“This unacceptable cyberattack is yet another example of Russia’s continued pattern of irresponsible behavior in cyberspace, which also formed an integral part of its illegal and unjustified invasion of Ukraine,” the EU continued, adding that the bloc is “considering further steps to prevent, discourage, deter and respond to such malicious behavior.”

In its own statement, the UK’s National Cyber Security Centre said Russia’s military intelligence was “almost certainly” behind the defacements of Ukrainian government websites in January and the deployment of the WhisperGate destructive malware prior to the invasion.

The formal attribution of the Viasat cyberattack comes weeks after SentinelOne researchers said the incident was likely the result of a new strain of Russian wiper malware called “AcidRain” that was designed to remotely erase vulnerable modems. Viasat confirmed to TechCrunch that the findings were “consistent” with its own analysis of the attack.

SentinelLabs noted similarities between AcidRain and the VPNFilter malware, which the FBI in 2018 attributed to the Russian military intelligence hacking group known as “Fancy Bear,” or APT28. More recently, the U.S. National Security Agency and CISA tied the activity to Sandworm, which has been accused of a five-year spree of attacks including the destructive NotPetya cyberattack that targeted hundreds of firms and hospitals worldwide. Both APT28 and Sandworm have been linked to Russia’s military intelligence agency, the GRU.

Ukraine disrupts attempt by Russian hackers to take down energy provider

The Computer Emergency Response Team of Ukraine (CERT-UA) has disrupted an attempt by Sandworm, a hacking group known to work for Russia’s military intelligence, to take down a Ukrainian energy provider. 

The Russia-backed hacking group attempted to disconnect the unnamed provider’s electrical substations using a new version of the infamous Industroyer malware, CERT-UA said in a security advisory on Tuesday. Industroyer was used by the Sandworm APT group to cut power in Ukraine in 2016, which left hundreds of thousands of customers without electricity two days before Christmas.

Researchers at cybersecurity company ESET, which collaborated with CERT-UA to analyze and remediate the attack, said they assess “with high confidence” that the industrial control system (ICS) malware was built using the source code of the malware deployed in 2016, which ESET branded at the time as “the biggest threat to industrial control systems since Stuxnet”.

The new variant, dubbed ‘Industroyer2’ by the researchers, was deployed by the hackers in an attempt to cause damage to high voltage power substations. It was used alongside CaddyWiper — destructive wiper malware first observed targeting a Ukrainian bank in March — which was planted on systems running Windows in an attempt to erase traces of the attack. The attackers also targeted the organization’s Linux servers using other variants of wiper malware dubbed Orcshred, Soloshred, and Awfulshred.

The attackers breached the energy provider’s network “no later than February 22,” according to the security advisory, and had planned to cut power in a Ukrainian region on April 8. However, CERT-UA says that “the implementation of [Sandworm’s] malicious plan has so far been prevented.” ESET said that it does not yet know how the attackers compromised the victim, nor how they moved from the IT network to the ICS network.

“Ukraine is once again at the center of cyberattacks targeting its critical infrastructure (KRITIS). This new Industroyer campaign follows multiple waves of wipers targeting various sectors in Ukraine,” ESET said in its technical analysis of the attack. “We will continue to monitor the threat landscape to protect organizations from these types of destructive attacks.”

This successful disruption comes just days after the FBI disclosed that it carried out an operation in March against a massive Sandworm-linked botnet that targeted Asus and WatchGuard devices. The botnet, named Cyclops Blink, is believed to be the successor to VPNFilter, which infected thousands of home and small business routers and network devices worldwide.

The Sandworm hacking group has also been linked to the recent cyberattack targeting U.S. satellite communications provider Viasat, which triggered satellite service outages across central and eastern Europe.

Microsoft seizes domains used by Russian spies to target Ukraine

Microsoft has successfully seized domains used by APT28, a state-sponsored group operated by Russian military intelligence, to target institutions in Ukraine.

The tech giant said in a blog post on Thursday that Strontium — Microsoft’s moniker for APT28 or “Fancy Bear,” a hacking group linked to Russia’s GRU — used the domains to target multiple Ukrainian institutions, including media organizations, as well as government institutions and think tanks involved in foreign policy in the U.S. and Europe.

“We believe Strontium was attempting to establish long-term access to the systems of its targets, provide tactical support for the physical invasion and exfiltrate sensitive information,” said Tom Burt, Microsoft’s vice president for customer security.

Microsoft says it obtained a court order on April 6 that authorized the company to take control of seven domains APT28 was using to carry out its cyberattacks. “We have since re-directed these domains to a sinkhole controlled by Microsoft, enabling us to mitigate Strontium’s current use of these domains and enable victim notifications,” Burt added. “We have notified Ukraine’s government about the activity we detected and the action we’ve taken.”

This action is part of a wider Microsoft investigation into the Russian state-sponsored hacking group that started back in 2016. Microsoft has obtained several court decisions in recent years to seize infrastructure being used by APT28. To date, Microsoft has filed 15 other cases against the Russian-backed threat group, leading to the seizure of more than 100 malicious domains controlled by the Russian spies.

The Russia-backed hacker group has been active since at least 2009, targeting predominantly media, military, security organizations and governments worldwide, including a 2015 hack of the German federal parliament and an attack against the Democratic National Committee in 2016.

APT28 has also been linked to the recent cyberattack on U.S. satellite communications provider Viasat, an incident that triggered satellite service outages across central and eastern Europe. A recent SentinelOne report said the attack was likely the result of destructive wiper malware that shares similarities with the VPNFilter malware, which infected thousands of home and small business routers and network devices worldwide. In 2018, the FBI attributed the VPNFilter operation to APT28.

Microsoft’s Burt said that APT28’s attacks “are just a small part of the activity we have seen in Ukraine,” adding that the company has “observed nearly all of Russia’s nation-state actors engaged in the ongoing full-scale offensive against Ukraine’s government and critical infrastructure.”

Microsoft’s domain seizures land just days after the FBI said it has taken down a massive botnet also run by the GRU.


Viasat cyberattack blamed on Russian wiper malware

The recent cyberattack on U.S. satellite communications provider Viasat, an incident that triggered satellite service outages across central and eastern Europe, was likely the result of destructive wiper malware, according to newly published security research.

Details about the cyberattack, which rendered Viasat’s KA-SAT network inoperable since February 24 — the day of the Russian invasion of Ukraine — have so far been light. The attack, which also disconnected remote access to about 5,800 wind turbines across Germany, was originally believed to be the result of a distributed denial of service attack, but SentinelLabs researchers now believe it was the result of a new strain of wiper malware called “AcidRain” that was designed to remotely erase vulnerable modems and routers.

AcidRain was discovered by SentinelLabs researchers on March 15 after it was uploaded to VirusTotal from a user in Italy with the name “ukrop,” which the researchers say could be shorthand for “Ukraine operation.” The wiper’s functionality is described as “generic” by the researchers, in that it performs an in-depth wipe of the filesystem and various known storage device files, before attempting to destroy the data. Once the wiping processes are complete, the device is rebooted and ultimately rendered inoperable.

“AcidRain’s functionality is relatively straightforward and takes a bruteforce attempt that possibly signifies that the attackers were either unfamiliar with the particulars of the target firmware or wanted the tool to remain generic and reusable,” said SentinelLabs researchers Juan Andres Guerrero-Saade and Max van Amerongen.

While the identity of the attackers remains unknown, SentinelLabs has noted similarities between AcidRain and the VPNFilter malware, which infected thousands of home and small business routers and network devices worldwide. In 2018, the FBI attributed the VPNFilter operation to the Russian-backed “Fancy Bear” — or APT28 — hacking group, and more recently, the NSA and CISA tied it to Sandworm, which has been accused of a five-year spree of attacks, including the destructive NotPetya cyberattack that targeted hundreds of firms and hospitals worldwide and cyberattacks that took down part of the Ukrainian power grid. Both APT28 and Sandworm have been linked to Russia’s military intelligence agency, the GRU.

The researchers note that while SentinelLabs “cannot definitively” tie AcidRain to VPNFilter, or to the larger Sandworm threat cluster, it makes “a medium-confidence assessment of non-trivial developmental similarities between their components.”

AcidRain is believed to be the seventh strain of wiper malware to target Ukraine since the onset of Russia’s invasion, the researchers said.

TechCrunch contacted Viasat for comment but has not yet received a response.

Viasat said on Wednesday in its first incident response report regarding the February cyberattack that the unnamed attackers exploited a misconfigured VPN appliance to gain remote access to the “trusted management” segment of the KA-SAT network, before using their access to “execute legitimate, targeted management commands on a large number of residential modems simultaneously.”

Viasat goes on to add that “these destructive commands overwrote key data in flash memory on the modems, rendering the modems unable to access the network, but not permanently unusable.”

SentinelLabs notes in its report that it remains unclear how legitimate commands could have such a disruptive effect on the modems. “Despite Viasat’s statement claiming that there was no supply-chain attack or use of malicious code on the affected routers, we posit the more plausible hypothesis that the attackers deployed AcidRain (and perhaps other binaries and scripts) to these devices in order to conduct their operation,” Guerrero-Saade and van Amerongen concluded.

Since the February attack, which Viasat says impacted several thousand customers located in Ukraine and tens of thousands of customers across Europe, the company has shipped almost 30,000 modems to distributors to bring customers back online. The outage has not yet been fully resolved, and CISA and the FBI have warned that US satellites could be the next target.

Tech talent flees Russia as Western sanctions bite

Russia is seeing an exodus of entrepreneurs, computer programmers, as well as other educated middle-class citizens as Western sanctions and political instability make it impossible to run an international business in the country.

Russia’s invasion of Ukraine has forced millions to flee their homes fearing for their lives. But the war is also leading to Russians moving from their home country. I spoke to a number of Russian entrepreneurs and venture capitalists who shared why they have left or are in the process of leaving their homeland. But as they try to start anew abroad, anti-Russia sentiment and economic sanctions are set to haunt them.

The triggers

As Russia continued to amass troops at the Ukrainian border in mid-February, Eugene Konash, who had staff in Russia working remotely for his London-based gaming studio Dc1ab, became increasingly worried. But like many others, he didn’t expect a full-scale invasion.

His hopes of tensions fading soon evaporated. When it became clear Russia was waging a full-on war on Ukraine, Western countries began slapping sanctions on Russia. Businesses felt the impact right away.

One of Konash’s employees found their bank hit by sanctions, blocking international transfers to his account. As the rouble collapsed, long queues formed outside banks in Russia as citizens scrambled to convert their savings into dollars — only to find hefty fees and the government restricting access to foreign currency.

The tipping point for Konash came when investors told him in no uncertain terms that his startup would be uninvestable if it continued to have such a heavy presence in Russia. His Russia-based team agreed it was time to leave.

“The guys that even a month ago said they wouldn’t leave Russia under any circumstances were talking about grabbing their things and literally driving to Kazakhstan to cross the land border because the tickets to get out were either sold out or were super expensive,” said Konash.

Like many tech firms with an international footprint, Konash’s gaming startup hires developers across Eastern Europe for the region’s affordable and quality programmers. Originally from Belarus, Konash knows well that the former Soviet bloc nations’ emphasis on science and math education has helped a world-class engineering and scientific workforce to flourish.

Financial sanctions aside, it became impractical to operate an information technology company from Russia as foreign tech services were either banned or beginning to retreat.

Google and Microsoft have suspended all sales in the country, while Russia has attempted to block Facebook, Instagram, and Twitter, albeit with mixed results. Some users could still access these American platforms following the bans, suggesting that Russia may be some way away from having a robust censorship machine like that of China. Facebook and Twitter said they were working to restore services in Russia.

“Who knows when development tools like Unity may be blocked?” said a Siberia-born gaming investor who left the country following the 2015 Crimea annexation and subsequent economic sanctions by the West. “No one wants to end up in a country with no access to the outside world.”

The investor declined to be named fearing the Russian government’s crackdown on dissenters.

Half foot out

After the invasion of Crimea seven years ago, many Russian-built companies began to incorporate elsewhere in a bid to placate investors with qualms over the political risks and optics associated with backing Russian companies. Before, many of these firms were operating outside the country merely on paper, with their teams often entirely still based in Russia. But the full-scale invasion of Ukraine has turned a trickle into a flow.

“After 2015, companies were drifting out of Russia legally,” observed an investor at a venture capital firm that recently moved its Moscow team out of the country. Even before the Ukraine crisis, the firm would only back a Russia-based startup if it was incorporated outside the country and had an international focus.

“Physically, these startups would still be based in Russia. They’d conduct R&D there because the cost of living was low,” said the investor, who asked for anonymity because the topic is “highly sensitive” for the firm, which has been trying to distance itself from Russia.

Life as a startup incorporated overseas but operating for all intents and purposes in Moscow itself sounded pretty breezy up until recently, said Nikita Blanc, who four years ago changed his last name from Akimov. His company Heyeveryone, which is building a tool to automate investor relations management, is in the process of incorporating in Delaware.

Nikita Blanc’s team working in Moscow before leaving the country following Russia’s invasion of Ukraine

The startup never intended to serve the Russian market alone, but Blanc and his wife picked Moscow as a base for the obvious perks: their parents could help take care of their three-year-old daughter; the country’s internet was speedy, cheap, and free at the time; and Moscow was teeming with tech meetups where Blanc found like-minded founders.

The escape

The Blancs’ entrepreneurial life enjoying the best of both worlds ended abruptly with Russia’s attack on Ukraine. Three days into the invasion, Nikita’s wife Valentina was lying in bed, devastated from seeing her country fall apart. She decided it was time to leave.

“I couldn’t do anything at work. Part of my family is from Ukraine,” she said. “It would be hard to leave with a child, but I didn’t think the situation would change. So we each packed 23 kilos of luggage and bought a one-way ticket.”

The couple moved with their young daughter to Georgia, one of the top destinations for Russia’s current talent outflow. It is a popular choice of country, along with Turkey, Armenia, Kazakhstan and Thailand, which are relatively affordable and easy to enter for Russians.

The venture fund that recently left Moscow has been extracting hundreds of Russian citizens, mostly its own staff and portfolio companies, out of the country in the past few weeks. Across the internet, Telegram groups with tens of thousands of Russians discussing exit plans and helping each other out have mushroomed.

‘We Russians are fucked’

The would-be émigrés have to make escape plans on the fly as sanctions against Russia intensify on a daily basis: Which countries are still taking Russian flights, and how will they move money around?

Sanctions continue to impact Russians after they have fled abroad and even those who left long ago. Notable financial infrastructure providers like PayPal, Mastercard and Visa have already suspended operations in Russia, which means expatriates using Russian banks are not able to use their cards overseas. Estonia recently suspended e-residency applications from Russian and Belarusian citizens to “prevent sanctions evasion and possible illegal activities.” European Union regulators have reportedly told some banks to scrutinize transactions by all Russian clients, including EU residents.

The breadth of this wave of sanctions is prompting some to let go of their Russian passports. The Siberia-born gaming investor is seeking Singaporean citizenship, fearing that their Russian nationality might cut them off from the US dollar-based financial system.

“Ukrainians are accepted as refugees around the world, but we Russians are fucked,” the investor lamented.

Others are betting that cryptocurrency can help them circumvent sanctions, such as the Blancs, who put a large chunk of their assets into crypto five years ago. Konash, the gaming entrepreneur, expected Bitcoin and Ethereum to be the last resort for cross-border payments if his staff get stuck in Russia for any longer.

While major exchanges like Binance and Coinbase have stopped short of imposing blanket bans on all Russians, they have abided by sanctions to block targeted individuals. Binance’s CEO maintained that crypto is not a likely escape route because transactions are recorded on publicly available ledgers, and hence are easy for governments to trace.

But EU regulators continue to argue that sanctions imposed on Russia and Belarus extend to all crypto assets, and US lawmakers have urged the Treasury to ensure Russia cannot use crypto to evade sanctions.

‘Calm is the new currency’

Those who leave Russia face the obvious difficulty of being away from family and friends staying behind, but even greater anguish comes from the difference in their perception of recent events.

“Our parents and older relatives keep telling us to go back, saying ‘everything is okay here. Russia is great,’” Blanc said with an incredulous but sad note.

These educated, freedom-seeking Russian tech workers won’t likely look back. The Russians I spoke to, who are either leaving the country or helping others escape, were surprisingly calm as they recounted the woes of their country, in part because they have been mentally prepared for the inevitable farewell.

“Our investor SOSV taught us to be like cockroaches, be flexible and adapt to new environments as entrepreneurs. This philosophy is now helping us go through these uncertain times,” said Valentina Blanc. “Calm is the new currency.”

Émigrés like the Blancs might well be the last wave of Russia’s chronic brain drain, stretching back decades.

“The thing that gets me is that if you look at all the fantastic engineering and scientific talent that was produced in the Soviet Union and Russia — most of it has been leaving the USSR world at every opportunity,” said Konash.

“Who does that leave in the post-USSR world? For me, this last wave of the brain-drain is the death knell of the education and cultural scientific tradition that is probably one the few positive things to come out of the Soviet Union.”

Google discovers threat actor working as an ‘initial access broker’ for Conti ransomware hackers

Google’s Threat Analysis Group has observed a financially-motivated threat actor working as an intermediary for Russian hackers, including the Conti ransomware gang.

The group, which Google refers to as “Exotic Lily,” acts as an initial access broker, finding vulnerable organizations and selling access to their networks to the highest bidder. By contracting out the initial access to a victim’s network, ransomware gangs like Conti can focus on the execution phase of an attack.

In the case of Exotic Lily, this initial access was gained through email campaigns, in which the group masqueraded as legitimate organizations and employees through the use of domain and identity spoofing. In the majority of cases, a spoofed domain was nearly identical to the real domain name of an existing organization, but changed the top-level domains to “.us,” “.co” or “.biz.” In order to appear as legitimate employees, Exotic Lily set up social media profiles and AI-generated images of human faces.

The attackers, which Google believes are operating from Central or Eastern Europe due to the threat actors’ working hours, would then send spear-phishing emails under the pretext of a business proposal, before ultimately uploading a payload to a public file-sharing service such as WeTransfer or Microsoft OneDrive.
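A defender-side check for the spoofing pattern Google describes, the real partner name with its TLD swapped to “.us,” “.co” or “.biz”: this is an added example, not Google’s code or its published indicators, and the allowlist, sender headers and severity scale are constructed assumptions.

```python
"""Flag sender domains that reuse a known partner's name under a different TLD."""
from email.utils import parseaddr

# Constructed allowlist: domains the organisation already exchanges mail with.
KNOWN_DOMAINS = {"example-logistics.com", "contoso-health.org", "acme-security.net"}

# TLDs named in the reporting as the ones swapped in; any other swap is still
# flagged, just at a lower severity.
SWAP_TLDS = {"us", "co", "biz"}


def split_domain(domain):
    """Return (second-level label, tld) or None if not a parseable domain.

    Simplified on purpose: no public suffix list, so 'example.co.uk' would be
    seen as name 'co' under tld 'uk'. Good enough for the pattern shown here.
    """
    labels = domain.lower().strip().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        return None
    return labels[-2], labels[-1]


def classify_sender_domain(domain, known=KNOWN_DOMAINS):
    """Classify one sender domain against the allowlist.

    Returns (verdict, matched_known_domain, severity) where verdict is one of:
      known     exact allowlisted domain or a subdomain of one
      tld_swap  same second-level label as an allowlisted domain, different TLD
      unknown   no relation to the allowlist
      invalid   not a parseable domain (e.g. bare host, empty string)
    """
    d = domain.lower().strip().rstrip(".")
    for k in known:
        if d == k or d.endswith("." + k):
            return ("known", k, "none")
    parts = split_domain(d)
    if parts is None:
        return ("invalid", None, "low")
    name, tld = parts
    for k in known:
        kparts = split_domain(k)
        if kparts and name == kparts[0] and tld != kparts[1]:
            severity = "high" if tld in SWAP_TLDS else "medium"
            return ("tld_swap", k, severity)
    return ("unknown", None, "none")


def scan_from_headers(headers, known=KNOWN_DOMAINS):
    """Parse raw 'From:' header lines and return one finding dict per header."""
    findings = []
    for line in headers:
        value = line.split(":", 1)[1] if ":" in line else line
        _display_name, addr = parseaddr(value.strip())
        domain = addr.rpartition("@")[2]
        verdict, matched, severity = classify_sender_domain(domain, known)
        findings.append({"address": addr, "domain": domain, "verdict": verdict,
                         "lookalike_of": matched, "severity": severity})
    return findings


# Constructed sample headers, not taken from any real campaign.
SAMPLE_FROM_HEADERS = [
    'From: "Jane Doe" <jane.doe@example-logistics.com>',   # genuine partner
    'From: "Jane Doe" <jane.doe@example-logistics.us>',    # .com -> .us swap
    'From: Accounts <billing@contoso-health.co>',          # .org -> .co swap
    'From: Ops <ops@mail.acme-security.net>',              # subdomain of partner
    'From: Vendor <sales@unrelated-vendor.biz>',           # .biz but no name match
    'From: Partner <partner@acme-security.info>',          # swap to a non-listed TLD
]

if __name__ == "__main__":
    for f in scan_from_headers(SAMPLE_FROM_HEADERS):
        note = f"  (lookalike of {f['lookalike_of']})" if f["lookalike_of"] else ""
        print(f"{f['severity']:6} {f['verdict']:9} {f['address']}{note}")
```

The name-match step is deliberately exact rather than fuzzy, so it catches the TLD swap described above without drowning a mail gateway in near-miss noise; a production filter would layer this on top of SPF/DKIM/DMARC results rather than replace them.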

“This level of human interaction is rather unusual for cybercrime groups focused on mass-scale operations,” note Google researchers Vlad Stolyarov and Benoit Sevens in a blog post shared with TechCrunch before publication.

These malicious payloads initially took the form of documents containing an exploit for a zero-day in Microsoft’s MSHTML browser engine (tracked as CVE-2021-40444), before the attackers switched to delivering ISO disk images containing hidden BazarLoader payloads. Google researchers say this shift confirms Exotic Lily’s relationship with a Russian cybercrime group tracked as Wizard Spider (also known as UNC1878), which is linked to the notorious Ryuk ransomware that has been used to target businesses, hospitals — including U.S.-based Universal Health Services — and government institutions since 2018.

While the nature of this relationship remains unclear, Google says that Exotic Lily appears to operate as a separate entity, focusing on acquiring initial access through email campaigns, with follow-up activities that include deployment of Conti and Diavol ransomware.

Exotic Lily, which was first observed in September 2021 and is still active today, was sending more than 5,000 phishing emails a day to as many as 650 organizations during the peak of its activity, Google said. While the group initially seemed to be targeting specific industries such as IT, cybersecurity and healthcare, it has more recently begun attacking a wide variety of organizations and industries, with less of a specific focus.

Google has also shared indicators of compromise (IOCs) from Exotic Lily’s large-scale email campaign to help organizations defend their networks.

The future of the crypto web (and this newsletter)

Hello readers, and welcome back to Week in Review!

Last week, I talked about the environmental impacts of crypto with Kimbal Musk, early Tesla investor and brother of Elon. This week, I’m talking a bit about myself, this newsletter and the future of the web.

If someone forwarded you this message, you can get this in your inbox from the newsletter page, and follow my tweets @lucasmtny.

the big thing

I’ve got a secret to tease that I’ve been sitting on for a few months and am thrilled to share.

Later this month, I’ll be sending out the first edition of Chain Reaction, my new TechCrunch newsletter focused on crypto, web3 and the metaverse, with all of its opportunities, hype, scams and controversy. The extra-exciting part about this weekly newsletter is that there will be a weekly podcast attached to it, co-hosted by me and my fellow TechCrunch crypto enthusiast Anita Ramaswamy. We’ll discuss the hot news, trends and crypto drama while interviewing high-profile investors, entrepreneurs and skeptics.

You can pre-subscribe to Chain Reaction on our TechCrunch newsletter page.

Now, the sad part.

A couple weeks after the newsletter launches I will be stepping aside from writing Week in Review and I’ll be handing the reins over to my more than capable colleague Greg Kumparak, who has done a killer job taking over this newsletter when I’ve been out over the years. I’ve loved sending out this newsletter every weekend; it’s always given me a chance to clear my brain, reflect on the state of the tech industry and voice my opinions on where it’s headed.

I increasingly feel like the future of the tech industry will be embracing an internet with more complex economic models attached to its platforms, ones which can do good and bad things for consumers but should ultimately open up the web and give users more agency in how big platforms operate. The future, as cleanly imagined by tech’s founders and investors, is rarely the one we find ourselves living in, but that future is also infrequently what tech’s naysayers predict.

The backlash to crypto over the past year has been interesting to witness. Viral YouTube videos and tweets paint a crushing portrait of tokens and NFTs with phrases like Ponzi schemes, money laundering, fraud and scams, and there is certainly much of that to be found. But the reality is that many consumers are simply discovering through NFTs and crypto that high finance and the concept of economic value are not the wholly rational institutions they had once imagined them to be.

The idea of spending millions of dollars to own a link to an image file in a distributed database should appear wholly nonsensical to most, but if that prospect seems reasonable to enough buyers, then its value is a product of the owners’ collective delusions — but much of the modern economy is built around these same delusions. Getting access to this uncomfortable realization is a gift in and of itself, but there are constructive and destructive places to take it.

The criticism I find more philosophically concerning is that tokens and NFTs rein in the possibilities of a boundless and unfettered web. Gamers are particularly pissed about the idea of digital scarcity and hyper-capitalism finding its way into fantasy. No one can have it all on an internet where some element of the experience is gated from users based on their economic class in the real world. It’s a conversation that’s particularly concerning as massive companies like Meta begin talking about the idea of the metaverse so earnestly.

The crypto space has a couple trillion dollars tied up in it at this point, but the remarkable thing is just how transitory it all feels. It’s part of the reason that highlighting informed criticism is so worthwhile right now, because the industry can still change.

The informed middle ground is a space where there’s not much critical discourse happening on a regular basis. Most existing newsletters or podcasts are from institutional players or retail investors with projects to shill and disclosures to ignore. Meanwhile, the bulk of tech media critiques seem to be from folks who cover several things and are frankly less incentivized to spend the time tirelessly dissecting a confusing industry.

I’ve been at TechCrunch for nearly seven years. During that time I’ve worn many hats, having been the go-to reporter for topics like gaming, artificial intelligence and virtual reality. Over the past year, I’ve devoted the bulk of my time to understanding what’s going on in the crypto world. I’ve dialed up investors, chatted with founders, played around with the platforms myself and spent an awful lot of time on Twitter and Discord. What I’ve found is a multi-faceted industry with a high barrier to even understanding the basics. I want Chain Reaction to serve as a place where readers and listeners can dial in and learn alongside me as I talk with stakeholders and skeptics and try to get to the heart of where this all is headed.

All that to say, please subscribe and join me on this journey!

other things

Here are a few stories this week I think you should take a closer look at:

Russia plans to block Facebook
There’s a new kind of iron curtain going up between Russia and the West, as sanctions intensify, internet platforms grow more emboldened and the Russian government gets more defensive. After announcing last week that they would limit Facebook’s service due to the platform’s restrictions on state media, Russia has changed course and announced that they plan to outright ban the service.

How Ukraine is spending crypto donations
There’s been a lot of chatter around how crypto could help wealthy Russians evade sanctions, but Ukraine’s government is also using crypto to find aid and raise funds. My colleague Romain dove into the topic of how Ukraine was spending these funds and found a lot of unanswered questions.

An interview with Ukraine’s head of IT
TechCrunch has aimed to cover every angle of how the Ukraine invasion not only impacts the tech industry across the globe but inside Eastern Europe. This week, we caught up with Ukraine’s deputy minister for Digital Transformation, Oleksandr (Alex) Bornyakov, who discussed the country’s digital strategy moving forward.

added things

Some of my favorite reads from our TechCrunch+ subscription service this week:

It’s pivot season for early-stage startups
“Late-stage tech startups are facing a changing public market environment, but their early-stage counterparts are in a different world altogether. The cohort has had access to ample capital in recent quarters, giving them a bubble of venture capital that somewhat protects them from rapid changes in the greater economy…”

Just how wrong were those SPAC projections?
“…Why are companies that went public via SPACs struggling so much? Did they catch a headwind from changing market conditions that previously helped push them forward? You bet…”

As war escalates, it’s ‘shields up’ for the cybersecurity industry
“…As a result of the heightened likelihood of cyberthreat from Russian malactor groups, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an unprecedented warning recommending that ‘all organizations — regardless of size — adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets.’…”

If you’re reading this on TechCrunch you can subscribe to Week in Review (and Chain Reaction!) in your inbox from the newsletter page, and follow my tweets @lucasmtny.