The fall of Envestio - Some technical evidence [UPDATED]
Maybe you have already heard about the issues with the P2P lending platform Envestio. After some noticeable instability, their website went down on 21 January and it's still unavailable as of the time of publishing this blog post. That makes it more than 24 hours without an official statement of what's going on their side.
So was this an exit scam? I don't know, we'll see eventually, but it looks like such. However, I don't see a good enough community response given that around 33 million EUR is at stake and more than 13,000 investors have invested in it. There are merely 2-3 other posts regarding this.
I used to hold a small amount of money in Envestio but whether I will be able to recover even a small part of it, I can't tell. It looks like many folks are in the tens of thousands EUR range! Many of those folks think that hacker attacks are still targeting Envestio's websites according to their last statement which they posted on Facebook yesterday minutes before the website went down (21 January):
We would like to address all our clients, investors, borrowers and other counterparties with the following very important issue. We proudly declare that till present moment Envestio managed to fulfill on time and in good faith all financial obligations to all contractual investors and borrowers, despite the very unfavorable situation in the crowdfunding market, provoked by the uncertainty and potential fail of Kuetzal platform.
Simultaneously with the recent concerns within the industry, we tracked repeatedly various technical attempts targeted to influence dramatically on stability of Envestio platform. They were performed through hacker attacks on our web site and platform's internal structure and database.
At the same time, we noticed that destructive public relations campaign against Envestio has been initiated and which consisted of spreading knowingly false and unconfirmed information by numerous internet resources questioning financial stability and reliability of our platform, denigrating the reputation of the Envestio owners and key employees.
We tend to consider these attempts as a consistent and well-planned set of actions aimed to cause significant financial and reputational damage, as a result of which the Envestio platform should inevitably begin to experience substantial difficulties with current payments to its investors.
We assume that the ultimate goal of all these actions is to devalue overall Envestio's business, and the subsequent potential raider takeover of the company or an attempt to eliminate the company from the industry, getting rid of as strong competitor. The implementation of the aforementioned scenario is evidenced by a number of factors and hostile actions that occurred precisely at the moment when a serious crisis of confidence reigned in the crowdfunding market and which actually was caused by the scandal surrounding the activities of the Kuetzal platform...
This may have been true but I think they are just trying to win some time to settle things up and exit gracefully.
Sure thing, there is definitely some panic spreading in the P2P investment world following the Kuetzal scandal which failed recently. In response to this panic trend and other concerns about Envestio, people have started withdrawing their funds using the "buyback guarantee" or as later renamed "Repurchase Guarantee" for a 5% fee. This definitely puts some pressure on those platforms!
I've been watching Envestio rating on Trustpilot plummeting around the clock since yesterday when their website went offline. Even in the case should their website comes back up and going, I don't see how the platform will stay alive given that everyone will do everything possible to recover their funds. But I can't give you any investment advice, so let's look at the technical side.
Where are their websites hosted?
So let' check the DNS records for envestio.com. Simply put, DNS is the system that translates domain names such as google.com to the numerical IP address needed for locating and identifying the actual web server.
Let's see what DNSCHECKER has to show:
It's pretty clear that they are (or were) a Microsoft based company - Microsoft Azure to host their websites and emails in Office 365. But what a coincidence - I am a Microsoft Azure MVP...
So, it looks like their Web App resource was named envestio-live. Before everything else, let's look at the history of the DNS records as they may have changed something if they are in the process of migration or something...
I found a handy website called SecurityTrails and it reported the following history of their DNS records:
The website was running in Microsoft Azure since 2017 as it can be seen from the screenshot above. So in response to some of the speculations stating they were moving their infrastructure to Microsoft Azure or to some other hosting, I can say that both are false. No changes in the A record since December 2017. So they have stayed on the same App Service plan for the last 2 years.
It looks like their Web App name inside Azure has to be named "envestio-live" currently. As we can see from the historical information of the TXT records it was "p2p-develop" and it's unclear at what point it became "envestio-live". If you come from the software development world you probably know that some temporary solutions may live forever. But maybe now it's not a good time for geeky jokes...
So basically whatever is returned when accessing envestio-live.azurewebsites.net (as pointed from the TXT records) should be the same website as envestio.com.
Let's check actual Azure Web App names
So, I decided to check whether the names of their web apps were available for registration on Microsoft Azure. Note that those names should be globally unique within *.azurewebsites.net.
Wait, what? The actual Azure resources were deleted. But this must be a bug!
It turns out that it's not. I was able to create Web Apps with both of those names. So, in fact envestio-live.azurewebsites.net returns a result while I am testing it:
There were some rumors that their system was under a DDoS attack. My opinion is that if you are under such attack, you don't fight it by simply deleting your cloud resources. Furthermore Microsoft Azure networking backbone is quite immune to such attacks...
Okay, is anything on their side available?
Short answer is NO.
Another handy feature of SecurityTrails is a list of subdomains:
Guess what - I didn't succeed in accessing any of those.
Furthermore, I tried sending them yet another email. Look at what the server has responded!
So there isn't such a mailbox or alias on this domain. They may have deleted the whole Office 365 tenant and not just the mailbox, I can't be sure. But they still have their Azure Active Directory, though. They may still have a few resources left in their account such as the database alive...
It looks like they have closed/deleted their websites on Azure, their mailboxes on Office 365 and their blog which is hosted on GoDaddy does not load.
Currently the facts are:
- Their website is down for more than a day and it turns out their actual resources on Microsoft Azure are deleted on a purpose
- There is no official statement on what's happening
- Envestio is not answering any phone calls or emails
- People claim that withdrawals are still blocked
- Social media profiles of several management members were deleted
- The European Crowdfunding Network reported them to authorities after receiving multiple investor complaints
Even if they were in the unlikely case of a hacker attack, they should have found a way to communicate it with investors.
29 January 2020 - Police launches investigation into Envestio SI OÜ
31 January 2020 - Estonian police published a FAQ about Envestio and Kuetzal
2 February 2020 - GoFundMe campaign finished successfully! We start a class action lawsuit against Envestio
6 February 2020 - Arkadi Ganzin published a post full of nonsense. Arkadi, I hope you like the taste of prison food...
Back on the announcement, he and his team (is there such team?) are allegedly trying to recover from a data loss, he says:
With great regret we would like to inform that over past few weeks we were trying to recover our data center along with overall platform functionality but at the end we have not managed to do this. The critical data loss as result of a severe damage caused to our main and back up servers forces us to declare insolvency and perform further steps aimed to recover investor’s funds from the investment projects, consolidate them and then after careful and proper internal financial due diligence procedure to start repayments to our investors. This would take substantial time and a lot of efforts from our team, especially taking into consideration that some key internal data is lost irrevocably what makes the process much more complicated and slowed down.
As I previously found, it appears that Envestio has been running on Microsoft Azure, one of the leading public cloud providers. So it's not really "your data center", it's Microsoft's data center. So you are saying that you have lost a data center? Okay...
Later, he claims that main and backup servers suffered a severe damage. I can't be sure what type of server he refers to, but generally speaking in their case they would have just two types - web server and database server.
As I've previously found Envestio's website has been hosted on Azure App Service. This means that their web servers were actually managed by Mirosoft as this is a PaaS offerring. So you can't really do anything wrong here. Even as in Envestio's case, where they have deleted the website, they can restore web apps deleted in the past 30 days. But you don't simply delete your web app while trying to fix things!
When it comes to the database, I can't be sure what technology they have used to persist their data. It might be relational, non-relational (often called NoSQL) or some mixed approach. One of the popular database offerings on Azure is SQL Database. It's managed by Microsoft. The default backup retention time is 7 days. But you can even configure it so that backups are kept for up to 10 yers with SQL Database long-term retention feature. Therefore you have several options to restore your database. In this case, it's really hard to not do it right.
But even if Envestio's team didn't have enough knowledge, Arkadi should have replied to my InMail messages as I was reaching out to offer some help!
9 February 2020 - Envestio's website is still down. Sorry, that's not really an update...
I welcome you to join me in biting the bullet or as we say it in Bulgaria - "drink a glass of cold water". If there is any further information, I will try to post it here!
And guys, please, don't shoot the messenger!