Microsoft Threat Intelligence has identified a new strain of self-propagating malware that spreads through USB drives, monitors the Windows clipboard for cryptocurrency wallet addresses and seed phrases, and routes all stolen data through a portable Tor client to avoid detection. The campaign has been active since at least February 2026, according to Microsoft’s analysis published this week.

The malware, which Microsoft detects as Trojan:Win32/CryptoBandits.A, works as a classic USB worm with a modern payload. When a user plugs in an infected drive, they see what appear to be their usual document files. The originals have been hidden, replaced by Windows shortcut (.lnk) files bearing the same names that silently execute the malware when opened.

The .lnk files scan the drive for documents with .doc, .xlsx, and .pdf extensions, hide the originals, and create matching shortcut files in their place. The worm component also writes itself to any new USB drive connected to an infected machine, allowing it to spread further without user action beyond opening what looks like a normal file.

The 💜 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol’ founder Boris, and some questionable AI art. It’s free, every week, in your inbox. Sign up now!

Once running on a system, the malware deploys a portable Tor client renamed ugate.exe and configures a SOCKS5 proxy on localhost port 9050. All command-and-control traffic then routes through Tor’s .onion network, making it significantly harder for corporate firewalls and security tools to intercept or trace the communications. The C2 infrastructure uses three endpoint paths: /route.php for check-ins, /recvf.php for uploading stolen files, and /stub.php for downloading additional payloads.

The clipboard monitoring is the malware’s primary theft mechanism. It checks the Windows clipboard approximately every 500 milliseconds, looking for patterns that match cryptocurrency wallet addresses or recovery phrases. When it detects a match, it silently replaces the copied address with one controlled by the attacker, so the victim unknowingly sends funds to the wrong wallet.

The malware targets six cryptocurrencies across multiple address formats. For Bitcoin, it recognises legacy addresses starting with “1,” Pay-to-Script-Hash addresses starting with “3,” native SegWit addresses starting with “bc1q,” and Taproot addresses starting with “bc1p.” It also targets Tron addresses beginning with “T” and Monero addresses beginning with “4” or “8.” Clipboard hijacking for cryptocurrency theft is not limited to Windows, with Android trojans like Rokarolla using the same technique to redirect crypto payments on mobile devices.

Beyond wallet addresses, the malware scans clipboard content for BIP39 seed phrases, the 12- or 24-word recovery keys that grant full access to a cryptocurrency wallet. It also extracts Ethereum private keys and Bitcoin Wallet Import Format (WIF) keys. Capturing a seed phrase or private key gives attackers complete control over the associated wallet, not just the ability to redirect a single transaction.

The malware includes a surveillance module that captures five screenshots over a ten-second interval, packaging them for upload to the C2 server. This gives the operators a visual record of what the victim was doing at the time of infection, potentially revealing additional credentials, open browser tabs, or financial dashboards.

A command called EVAL allows the C2 operators to push and execute arbitrary code on infected machines, turning the cryptocurrency stealer into a general-purpose remote access tool. Microsoft notes this capability means the threat actors can adapt the malware’s behaviour after deployment without needing to reinfect the target.

The malware employs multiple layers of evasion. The initial installer is a Python-based executable obfuscated with PyArmor and packaged with PyInstaller, making static analysis difficult. The JavaScript payloads dropped to C:\Users\Public\Documents use a separate dual-layer obfuscation scheme.

As an anti-analysis measure, the malware checks whether Task Manager is running and exits if it detects the process, a basic but effective way to frustrate casual investigation.

The use of Tor for C2 communications reflects a broader shift in malware infrastructure toward anonymisation networks that resist takedown efforts. Traditional malware that relies on fixed domains or IP addresses can be disrupted when defenders seize those assets. Tor-based C2 channels are substantially harder to shut down because the .onion addresses are not tied to any registrar or hosting provider that can be compelled to act.

Microsoft recommends several mitigations, starting with disabling AutoRun and AutoPlay to prevent automatic execution when USB drives are connected. Group Policy can be configured to block .lnk files from running on removable media, and restricting wscript.exe and cscript.exe through application control policies prevents the JavaScript-based payloads from executing.

Network monitoring for connections to localhost port 9050 can flag machines where the portable Tor client has been installed.

USB-borne malware had largely fallen out of the security spotlight as cloud storage and collaboration tools reduced reliance on physical drives. But supply chain and trust-exploitation attacks remain effective precisely because they target behaviours users consider routine, whether that is plugging in a USB drive or installing a package from a familiar repository.

Microsoft published SHA-256 indicators of compromise, MITRE ATT&CK technique mappings, and KQL hunting queries in its blog post to help security teams detect existing infections. The company says Microsoft Defender detects the malware family, and its Defender Experts team assisted in the investigation. Microsoft did not attribute the campaign to a specific threat actor or estimate the number of infections.

Deductive AI, a startup that uses AI to catch and resolve bugs in software, has agreed to be sold to enterprise software company Elastic for up to $85 million, according to a person with knowledge of the deal.

Deductive, which was founded in 2023, came out stealth last November when it announced a $7.5 million seed round led by CRV with participation from Databricks Ventures, Thomvest Ventures, and PrimeSet. The investment valued the startup at $33 million, according to PitchBook.

Elastic and Deductive did not respond to multiple requests for comment. TechCrunch will update this article if either company responds.

The sale marks a speedy exit for Deductive, which is operating in a fast-growing sector known as AI site reliability engineering (AI SRE). Building AI-powered SRE tools has become an important area, driven by the massive influx of AI-written code. Replacing manual debugging with AI enables human SREs to shift focus from constantly fixing outages and other problems to spending more time on helping with product development.

The acquisition reflects a broader trend in which established tech incumbents are looking to buy AI-native startups to integrate agentic technologies into their existing product suites, the source told TechCrunch.

Elastic, which went public in 2018, is best known for Elasticsearch, the search and analytics engine that helps organizations store, search, analyze, and monitor large amounts of data in near real time.

The company’s observability software — essentially tools that let engineers monitor software systems and detect security threats — could benefit from Deductive’s tech. According to the source, integrating Deductive’s AI technology into Elastic will enhance its observability platform by giving customers tools to automatically monitor performance and resolve system failures in real time.

Deductive was co-founded by Rakesh Kothari, who was previously VP of engineering at Lightspeed-backed business analytics startup ThoughtSpot, and Sameer Agarwal, who formerly worked at Apache Software Foundation and Meta. Agrawal was one of the founding engineers at Databricks.  

While Deductive reached roughly $1 million in annual recurring revenue (ARR,) according to the source, the startup’s growth lagged behind Resolve AI, one of the sectors’ perceived early winners. The two-year-old Resolve was co-founded by former Splunk executive Spiros Xanthos and Mayank Agarwal. The Greylock and Lightspeed-backed startup was last valued at $1.5 billion when it raised a $40 million Series A extension in April.

Apple TV will stream an entire Formula 1 race weekend free to U.S. viewers for the first time, opening every Austrian Grand Prix session to fans without a subscription.

Viewers in the United States will be able to watch all Formula 1 Austrian Grand Prix sessions live through Apple TV at no cost. The free access runs from June 26 through June 28 and includes every on-track session, from practice and qualifying to Sunday’s Grand Prix.

The schedule begins with Practice 1 at 7:30 a.m. Eastern on June 26, followed by Practice 2 at 11 a.m. Practice 3 starts at 6:30 a.m. on June 27, with qualifying at 10 a.m. The Austrian Grand Prix is scheduled to begin at 9 a.m. Eastern on June 28.

Apple said the Austrian Grand Prix marks the first time it has made an entire Formula 1 race weekend available free to viewers in the United States. The company has offered free sports programming before, but this promotion includes every Formula 1 session across a race weekend rather than a single event.

Opening every Formula 1 session to non-subscribers gives fans a chance to follow the entire race weekend, not just Sunday’s Grand Prix. Practice sessions shape car setups and race strategy, while qualifying determines the starting grid.

Why Apple is opening a Formula 1 weekend for free

The promotion arrives as Formula 1 continues to draw a larger audience in the United States. Following a full race weekend typically requires access to paid television or streaming services.

The Austrian Grand Prix gives casual viewers a chance to watch every session without paying for access.

The free weekend also gives Apple a chance to put Apple TV in front of viewers who may not regularly use the platform. Fans can follow the weekend from practice through qualifying and the Grand Prix itself.

Apple hasn’t said whether similar free Formula 1 weekends will follow. For now, the Austrian Grand Prix is Apple’s first effort to make an entire Formula 1 race weekend available free to U.S. viewers.

On June 11, Kalshi released a buzzy ad featuring noted New York Knicks fan Timothée Chalamet. It was a zeitgeist-capturing moment for prediction markets, akin to the 2022 Super Bowl, when seemingly every commercial featured a celebrity shilling crypto.

Yet when I brought Chalamet’s spot up with attendees at Manifest, a recent festival for prediction markets, I was mostly met with blank stares. These conference goers—a mix of academics, startup founders, job seekers, and players in the markets—hadn’t even heard about it. They were too busy thinking about the bigger picture and the risks facing markets.

Their confusion was the perfect encapsulation of a battle that I observed again and again that weekend: The way forecasting philosophers see the markets (tools for the greater good) is very different from how the vast majority of the world sees them (a way to bet on sports).

“We were all waiting for so long to be in the world we’re in now,” Dan Schwarz, the cofounder and chief executive officer of FutureSearch, an artificial intelligence research and prediction startup, tells me. But the platforms have run into problems, from insider trading to sports contracts that, Schwarz worries, are fueling addiction. To outweigh these harms, “prediction markets would have to deliver a lot more value than they are now.”

The prognosticators, it turns out, are concerned that the very thing that’s made prediction markets a global phenomenon could be their undoing.

This year’s iteration of Manifest took place at Lighthaven, an idyllic compound in Berkeley, California. The campus, which takes up about half a city block, also functions as the epicenter of the rationalist movement, which, among other things, prioritizes the safe development of AI and effective altruism.

The vibe skewed heavily male but was still eclectic. Clusters of twenty- and thirty-somethings huddled over laptops in the Tudor-style main house, and someone told me I looked like a guy who would have a stick of gum. Talks about markets jostled for attention alongside sessions about the odds that AI will kill us all and lessons on how to optimize your sex life. There was a furry meetup and watch parties for the first US World Cup match and game 5 of the NBA Finals. (I couldn’t find anyone who had put money on either event, though a few attendees told me they knew of folks who had made bank.) There were markets on play-money platform Manifold about the festival itself, like whether someone would break a bone (still unresolved) and whether Caroline Ellison would show up (yes).

Still, the broader background conditions were wildly different from previous years. Though Kalshi and Polymarket had sponsored the event in past years, they were AWOL this year. Both companies declined to comment on the change. Last year, Kalshi held a session on sports markets, which it had launched just six months earlier. This year, the companies are facilitating billions of dollars in sports trades during an especially friendly political era at the national level.

Sports were also conspicuously absent during a session on strategies for mastering markets around world events and politics. I caught up with David Bensoussan, the session’s organizer, who has made $1.6 million in profits on the platform, under the boughs of one of Lighthaven’s trees.

“The truth-seeking mechanism that prediction markets can have in terms of predicting things and making the population more informed—what on Earth does that have to do with sports?” he asks, wrapped in a blanket to ward off the chill of Bay Area shade.

An average visitor is expected to spend around $5,400 in the US—far above the $720-$2,500 visitors to Qatar spent in 2022.

Transport at this year’s tournament is fundamentally different from that of the one-city tournament in Qatar, or in Russia in 2018, which provided free public transportation and an additional 500 trains to help people get around.

This year, because of the vast distances, the only option for fans and teams is flights, which airlines have been adding to accommodate potential World Cup travelers.

“Teams and fans now must factor in flights, not metro rides, and the carbon and cost implications are real,” Anagnostopoulos says.

The need to book flights, not trains or taxis, may also be decreasing demand for hotels simply because the travel costs are too high for some people. “US hotels are already reporting bookings below expectations,” Anagnostopoulos says. “Scale doesn’t guarantee the crowds will show up.”

Security

For organizers and host cities, the scale of the tournament demands a massive investment in security, including against threats that would have barely crossed the minds of previous hosts.

The US federal government has issued $625 million in grants for host cities to address security issues. On top of that, the Department of Homeland Security has made over $200 million worth of grants available to states to buy anti-drone technology, with the US State Department highlighting hostile actors’ increasing access to drones and other technology.

In Canada, federal authorities have issued around $104 million worth of grants to host cities Vancouver and Toronto. That brings total public grants in Canada and the US alone to nearly $1 billion—likely just a fraction of the real costs of securing the tournament.

The size of the tournament, and the fact that it crosses borders, has pushed the price tag higher.

“Qatar 2022 benefited from a highly compact geography, with venues operating within a relatively unified environment. The 2026 World Cup will involve multiple cities, jurisdictions, agencies, and technology ecosystems across the United States, Canada, and Mexico,” says Leo Levit, chair of Onvif, a membership body focused on standardization of physical security products.

“The challenge is not simply the number of systems involved, but whether those systems can exchange information efficiently,” he adds.

The Future of the World Cup

The numbers tell a story of a tournament straining under its own ambition. It’s not yet clear whether these investments will pay off in terms of tickets bought and advertising slots sold. Why, then, is FIFA pursuing growth at all costs?

According to Simon Chadwick, professor of sport and geopolitical economy at the international SKEMA Business School, the reason may be growing competition from other sports.

“What [FIFA president Gianni] Infantino is trying to do is to ensure that football remains robust, relevant, prominent and that it doesn’t begin losing market share—to the NBA, which is in China, India, Africa, and the Gulf region; to the NFL, which is making moves on Europe; and to Formula One, which has grown hugely in popularity, particularly in North America,” Chadwick says.

Rumor mill: According to a source familiar with the matter and proposed legislative language reviewed by Reuters, Meta has lobbied Congress to include a provision in the Kids Online Safety Act (KOSA) that would limit companies’ exposure to child safety and privacy lawsuits. The proposal would grant platforms immunity from state-level child-harm claims involving users under 18, a change that could undercut thousands of lawsuits already filed.

The proposal comes as lawmakers and courts increasingly scrutinize how social media platforms are designed and used by minors. Features such as infinite scrolling, activity notifications, and appearance-altering photo filters – key tools for driving user engagement – have become central to legal and regulatory battles over youth safety. Critics argue these features can encourage compulsive use, particularly among younger users.

KOSA directly targets those design choices. The bill would require companies to take reasonable steps to reduce risks associated with minors’ use of their platforms, including design elements that encourage prolonged engagement. In other words, the legislation focuses not only on the content users see, but also on the systems designed to keep them online.

At the same time, Meta’s liability proposal could reshape how families and schools pursue lawsuits over those features. The proposed language would make companies “immune from suit or liability under state law with respect to all claims for loss caused by, arising out of, relating to, or resulting from the safety or privacy of individuals under the age of eighteen online or otherwise related to the provisions” of KOSA. It would also override certain state laws governing children’s online protections.

Meta has framed the proposal as a way to establish consistent national standards rather than avoid accountability. Company spokesperson Stephanie Otway said the provision “does not extinguish existing lawsuits, nor does it represent blanket immunity.”

Instead, she said, it is intended to create “uniform national standards for online youth safety, ensuring these critical issues are governed by comprehensive federal legislation, not plaintiffs’ lawyers or patchwork state legislation.”

That interpretation is disputed by legal advocates. Julia Duncan of the American Association for Justice told Reuters that the language, as written, could have sweeping consequences for ongoing litigation. “The language is pretty clear-cut immunity against every parent, every school district, that is seeking to hold any AI or social media company accountable for harm” to children, Duncan said. “There is no other way to read this language.”

The legal stakes are not theoretical. Meta and Google’s YouTube are already facing thousands of lawsuits over alleged harms to minors. Earlier this year, the companies lost the first case to go to trial, resulting in a combined $6 million in damages. Both have said they plan to appeal.

Behind the scenes, the liability proposal appears tied to broader negotiations over KOSA’s future. The bill, sponsored by Senators Marsha Blackburn and Richard Blumenthal, passed the Senate in 2024 with strong bipartisan support but stalled in the House. It has since been reintroduced and is now part of discussions involving the White House, as well as other measures related to artificial intelligence and federal preemption of state laws.

A spokesperson for Blackburn said the office had not seen the specific liability language and would not support it.

According to the source, Meta has offered to drop its opposition to KOSA if the provision is included – a signal of how high the stakes have become for companies whose core products rely on engagement-driven design. For engineers and product teams, the result could reshape how they design recommendation algorithms, notifications, and interface features for users under 18.

For now, the issue remains unsettled. Lawmakers are trying to impose guardrails on the very technologies that define modern social platforms, while companies are seeking clearer – and potentially narrower – rules on how those systems can be challenged. It is not yet clear how Congress will reconcile these competing aims.

As India searches for a homegrown contender in the global artificial intelligence race, billionaire Mukesh Ambani is positioning Reliance Industries as a national champion, rolling out AI services for phone calls, mobile apps, and connected homes.

At its annual shareholder meeting on Friday, the Mumbai-based conglomerate announced Jio Call Agent, an AI assistant that can join phone calls to transcribe conversations, generate summaries, and perform tasks such as booking cabs, ordering food, and making reservations. The service, which can be activated by saying “Hey Jio,” is expected to launch later this year for Jio’s more than 500 million users.

By embedding the service directly into its telecom network rather than offering it as a stand-alone app, Jio is betting AI assistance can become a native feature of phone calls. The approach could reduce consumers’ reliance on third-party call-assistant apps and give Reliance a powerful distribution advantage in an increasingly crowded AI market.

Reliance also unveiled an AI-powered version of its MyJio app that can perform tasks on behalf of users, from activating eSIMs to selecting roaming plans, through natural-language requests. The company further introduced TeleFrame, a home display that uses AI agents to proactively surface information and recommendations, such as weather alerts, schedules, and household reminders. The product appears to echo a broader industry push toward ambient AI assistants for the home, an area being explored by companies such as Amazon and Google.

The announcements mark the next phase of Reliance’s AI ambitions as India seeks to build domestic capabilities in a field largely dominated by U.S. and Chinese technology companies. The push follows the launch of Reliance Intelligence last year, through which the conglomerate aims to develop AI infrastructure and services for consumers, businesses, and governments, including applications that support 22 Indian languages.

“India should not be a mere consumer of AI created elsewhere. It must become a creator, adopter, and a global leader in AI,” Ambani, age 69, said.

Reliance has been ramping up its AI ambitions through partnerships with Google, Meta, and Nvidia. Earlier this year, the company announced plans to invest $110 billion in AI infrastructure as it seeks to establish itself as a major player in India’s emerging AI ecosystem.

At the shareholder meeting, Reliance also unveiled a suite of AI services for healthcare, education, agriculture, and small businesses. The products, branded JioHealthIQ, JioLearnIQ, JioKrishiIQ, and AI Vyapar, are designed to operate across multiple Indian languages and cater to local needs, the company said.

The shareholder meeting also brought a major development for investors awaiting Jio’s stock market debut. Ambani said Jio Platforms’ board had approved a draft prospectus for an initial public offering that would include a fresh issue of up to 270 million shares, according to a stock exchange filing.

The announcements also raise questions about how Reliance will handle user data as it expands AI services across phone calls, mobile apps, and connected homes. While the company said the services would operate with user consent, it did not answer questions about whether data generated through the products could be used to train AI models or shared with technology partners.

Reliance’s AI ambitions come as Indian companies remain heavily reliant on foreign AI models and cloud providers. Recent restrictions on access to some of Anthropic’s latest models have underscored that dependency, showing how decisions made overseas can affect startups and businesses building AI products in India — the kind of supply-chain risk that’s pushing Indian conglomerates toward building their own stack rather than renting someone else’s.

Last week, Reliance announced a collaboration with Meta to establish an AI data center in the western state of Gujarat, building on Meta’s earlier investment in Jio Platforms and a joint venture launched last year to develop AI solutions for enterprise customers in India and overseas markets.

Reliance is not alone in pursuing AI opportunities. Tata Consultancy Services, Infosys, and rival Adani Group have also expanded their AI initiatives and partnerships with global players, including Anthropic, Google, and OpenAI, as India’s largest corporations race to secure a leading role in the country’s AI future.

Nonetheless, for Reliance, the stakes are particularly high; it’s preparing Jio for a long-awaited stock market debut and needs new growth drivers, with the conglomerate’s shares down about 17% this year.

Just as last week was ending, the US government forced Anthropic to pull its two newest models, Fable 5 and Mythos 5, citing national security concerns after Amazon researchers allegedly found a way to bypass Fable 5’s guardrails. 

Cybersecurity researchers have since signed an open letter calling the move dangerous, and Anthropic itself noted the same jailbreaks exist in other models. So is this a genuine security concern, or just the latest chapter in a messy relationship between Anthropic and the Trump administration? 

On this episode of TechCrunch’s Equity podcast, hosts Anthony Ha, Sean O’Kane, and Rebecca Bellan unpack what the ban means for developers building on Anthropic’s platform and for anyone watching the IPO, why it might accidentally be good for the company, and more of the week’s headlines. 

Subscribe to Equity on YouTube, Apple Podcasts, Overcast, Spotify and all the casts. You also can follow Equity on X and Threads, at @EquityPod.