YunoBlog

Blog

  • Made in the EU, Dropped on Kyiv: How European Parts Are Enabling Russia’s Winter Drone War

    It’s freezing in Tetiana Kavinova’s apartment in the eastern part of Kyiv, a sprawling expanse of residential districts locals call the Left Bank. Each night, like hundreds of other buildings in the Ukrainian capital, hers descends into icy darkness. Kavinova’s electricity and heating has not worked reliably since Russian kamikaze drones started repeatedly hitting the city’s power plants in early January. 

    This campaign against Ukraine’s energy infrastructure is Moscow’s most recent attempt to weaponize the winter cold. Over a million Ukrainians have endured weeks without power, water, or heat.

    “I wish it was evening so I could fall asleep and forget,” Kavinova says to a reporter from OCCRP’s local partner, the Kyiv Independent. “Yesterday, I was lying in bed, thinking about putting on gloves. You lie under two or three blankets and don’t get up.”

    But it’s not only Russia to blame for this man-made humanitarian crisis. Despite EU sanctions that prohibit direct exports, hundreds of components produced by European companies are still ending up in its drones.

    Among these is the Geran-2, a cheap model that can deliver its deadly payload across thousands of kilometers. Striking Ukrainian energy infrastructure and other civilian targets by the hundreds, night after night, these drones are produced at an industrial scale that requires a steady supply of foreign parts.

    By dissecting the charred remains of downed Geran-2 drones, Ukraine’s military intelligence agency has been able to map out the anatomy of this model and the components that go into it. Though some are published on the agency’s specialized website, reporters have obtained exclusive documents that provide a fuller picture of which foreign parts are enabling Russia’s campaign of winter terror. 

    The total number of components is in the hundreds, of which only a few dozen are of Russian origin. Many are produced by companies from the United States and China, but over a hundred are produced by about 20 European firms. The items include microchips, receivers, transistors, diodes, antennas, and a fuel pump.

    The European Union forbids the direct export of many of these items to Russia. But trade data obtained from the Import Genius platform shows 672 shipments of sanctioned components produced by these European firms being sent to the country between January 2024 and March 2025. The shipments originated from 178 companies, mostly in China and Hong Kong.

    There is no indication that any of the European manufacturers named in this story violated any legislation or had anything to do with these sales. But these findings illustrate the extent to which the steadily-tightening EU sanctions regime has failed to restrict Russia’s ability to manufacture drones with foreign components.

    In a statement to reporters, David O’Sullivan, the EU’s Chief Sanctions Envoy, wrote that tackling sanctions circumvention is a “key priority” for the European Union and that recent sanctions packages have “added tools” to support member states to do so.

    “We will not ignore cases of our sanctions being systematically circumvented through the jurisdictions of third countries,” he wrote. “This is why, in my role as Sanctions Envoy, I have been actively engaged in outreach with third countries to prevent that their jurisdiction would be used for the sale, supply, transfer or export to Russia of these specific high-risk goods of EU origin.”

    ‘The poor man’s cruise missile’

    According to the Ukrainian Air Force, there were only nine days in all of 2025 when Ukraine was not struck by Geran-2 drones. A total of 34,000 targeted the country over the course of the year, making up more than half of all drone attacks.

    These swarms of drones, often hundreds at once, are a bid to confuse and weaken Ukrainian air defenses, often allowing more destructive missiles to pass through the gaps. The United Nations has documented 682 civilian casualties from long-range weapons in 2025 alone.

    In Ukraine, the Geran-2 is universally known as the “Shahed,” a reference to its Iranian origin. Today, most are produced in a factory in the Russian republic of Tatarstan. Reportedly costing just $20,000 to $50,000 apiece, their affordability, low-altitude flight profile, and self-destructive design has earned them the nickname “the poor man’s cruise missile.”

    “The Shahed is the only drone that can strike at a strategic depth of up to 2,500 kilometers,” says Ivan Kirichevsky, a serving member of the Ukrainian military and a weapons expert at Defense Express, a Kyiv-based think tank. “If we consider literally all known drones of a similar class in the world — meaning long-range kamikaze drones — the Shahed and its derivatives are truly the best.”

    The Geran-2 has also been cited as a strategic concern for the European Union. Officials have pointed to repeated violations of Romanian airspace, and the drone’s success at overwhelming air defenses in Ukraine, as signs of a growing threat and a key driver behind new counter-drone initiatives.

    In an attempt to cripple Russian weapons production, the European Commission banned all export of so-called “dual-use goods” to Russia and Belarus in 2022. This definition covers products, software, or technologies that are designed for commercial applications but may also be used for military purposes. The United Kingdom and Switzerland, which are not EU members, implemented similar restrictions.

    As the war continued, EU sanctions tightened, broadening restrictions and starting to include legal entities in third-country re-export hubs that were suspected of enabling circumvention. The European Commission added a new layer of legal accountability in 2024, requiring EU firms to include a “no re-export to Russia” clause in contracts with foreign clients.

    “Sanctions work,” said Vladyslav Vlasiuk, Ukraine’s Sanctions Commissioner under President Zelenskyy. “Take the example of cruise missiles. Russia would love to scale up production, but they couldn’t. Why couldn’t they? Because they couldn’t get the required Western parts. Why couldn’t they get that? Because of sanctions.”

    “Without Western technologies,” Vlasiuk says, “Russia would not be able to produce the Geran-2.”

    Global Supply Chains

    To see how sanctioned items still end up in Geran-2 drones, reporters traced the path of one of their key components — a GNSS receiver. This device, which is also used to enable GPS systems in consumer devices like smartphones, provides drones with precise positioning, velocity, and time data derived from satellite signals.

    For the Geran-2, this part is manufactured by u-blox, a Swiss firm that specializes in radio modules and positioning products.

    In a statement on its website, the company “strongly condemns” Russia’s invasion of Ukraine and notes that it stopped all sales to Russia, Belarus, and occupied Ukrainian territories immediately after the invasion. It also says that it no longer sells to the countries of the Eurasian Economic Union, which have a free trade agreement with Russia, and has a “strict company policy” not to allow its products to be used in military drones.

    Yet u-blox parts have made their way to Russia from companies around the world.

    U-blox’s statement offers several possible explanations for how its components ended up in Russian drones: “Either these components were purchased before sanctions were in place or excess inventory was sold on by customers to brokers in countries not applying sanctions against Russia and then shipped into Russia; or smuggled into Russia; or they have been de-mounted from an end product and re-integrated into Russian drones.”

    Other western chipmakers emphasize the complexity of global supply chains. 

    Nearly 300 shipments of sanctioned components manufactured by Nexperia, a Dutch semiconductor manufacturer, appear in trade data obtained by reporters. In response to previous reporting, the company released a statement in 2024 condemning Russia’s invasion of Ukraine and stating that it “does not sell to Russia even through distributors.”

    In an email to reporters, a spokesperson for the company, Hannes van Raemdonck, said he “shared the frustration” that “despite all efforts, products still end up where they are not supposed to.”

    The tiny size of the company’s chips mean that “it is not technically feasible to add tracking or identification features,” van Raemdonck wrote. These chips, he explained, are produced in very high volumes of millions of units and are used in everyday consumer products like washing machines, refrigerators, and cars.

    “We cannot determine how components may have reached Russia. Global semiconductor supply chains are complex, and diversion activities can happen without the manufacturer’s knowledge or involvement,” van Raemdonck said. “We work with authorities and NGOs to help stop such activities.”

    The EU’s 20th sanctions package, which is currently being debated in Brussels, represents the next move in the bloc’s strategy to cripple Russia’s war economy.

    “It’s a game of whack-a-mole,” says Alex Prezanti, a UK barrister, specialist in sanctions and anti-corruption, and co-founder of the State Capture Accountability Project. “You can keep chasing corporate entities, but you’re always a step behind, because they can open ten new companies every day.” 

    In any new sanctions package, he said, the EU would hesitate to tighten restrictions on China “because this would be tantamount to a trade war.”

    Prezanti described the requirement for EU companies to include a “no re-export to Russia” clause in their contracts as having “limited impact” because it can easily be circumvented through intermediary resellers, which are “quite often just paper companies.”

    While policymakers battle it out in Brussels, the drones keep raining down on Ukrainian cities. On the night of February 11, a Geran-2 drone struck a residential building in Kharkiv, killing a man and his three young children and injuring his pregnant wife.

    Back in Kyiv, sanctions commissioner Vlasiuk says “the supply chains have been becoming more difficult, like multi-chains, third countries enablers, payment via cryptocurrencies.”

    “We think the manufacturers, plus the big distributors they work with, should be doing more,” he says. “‘Well we sell a lot of these tiny parts, they are dual use, we cannot control thousands of tiny cheap parts’ — that is not a good answer anymore. I mean, it has been almost four years, and that answer does not cut it anymore.”

    Meanwhile, on the Left Bank of the city, Tetiana Kavinova is still freezing in the icy cold of her apartment.

    Her electricity came back for a few days, only for the heating to suddenly stop working again.

    “After power engineers repair damage, Russia just launches a new strike,” she says. “I thought the beginning of the war was terrible. But, now I think that probably it was morally easier than now.”

  • Scotland’s supplies of prescription co-codamol limited until June

    Some health boards have told people using the painkiller to begin reducing their tablets by one a week.

  • Firm assessing Covid vaccine harm replaced after costs spiral to £48m

    The figure paid to Crawford & Company Adjusters is eight times the original estimate for the work.

  • Stop dithering on Brazilian butt lift crackdown, say MPs

    A committee of MPs warns tighter restrictions on high-risk cosmetic procedures are needed immediately.
  • Wayback Machine Director Pushes Back on AI Scraping Fears Driving Archive Blocks

    Wayback Machine Director Pushes Back on AI Scraping Fears Driving Archive Blocks

    As reported by Nieman Lab last month, some major media organizations—including The New York Times, The Guardian, and Reddit—have started blocking the Wayback Machine from archiving their sites over unfounded concerns about AI scraping.

    Last week, tech writer Mike Masnick (Techdirt) explained why this is “a mistake we’re going to regret for generations.”

    Today, Mark Graham, director of the Wayback Machine, has published a response to the Nieman Lab reporting, pushing back on the media organizations’ concerns about the Wayback Machine being a backdoor to AI scraping. Graham writes:

    “These concerns are understandable, but unfounded… like others on the web today, we expend significant time and effort working to prevent such abuse.”

    Read the post to learn how Graham is working to protect the integrity of the Wayback Machine, and why limiting web archiving threatens our shared digital history.

  • EFF to Wisconsin Legislature: VPN Bans Are Still a Terrible Idea

    Wisconsin’s S.B. 130 / A.B. 105 is a spectacularly bad idea.

    It’s an age-verification bill that effectively bans VPN access to certain websites for Wisconsinites and censors lawful speech. We wrote about it last November in our blog “Lawmakers Want to Ban VPNs—And They Have No Idea What They’re Doing,” but since then, the bill has passed the State Assembly and is scheduled for a vote in the State Senate tomorrow.

    In light of this, EFF sent a letter to the entire Wisconsin Legislature urging lawmakers to reject this dangerous bill.

    You can read the full letter here.

    The short version? This bill both requires invasive age verification for websites that host content lawmakers might deem “sexual” and requires that those sites block any user that connects via a Virtual Private Network (VPN). VPNs are a basic cybersecurity tool used by businesses, universities, journalists, veterans, abuse survivors, and ordinary people who simply don’t want to broadcast their location to every website they visit.

    As we lay out in the letter, Wisconsin’s mandate is technically unworkable. Websites cannot reliably determine whether a VPN user is in Wisconsin, a different state, or a different country. So, to avoid liability, websites are faced with an unfortunate choice: either resort to over-blocking IP addresses commonly associated with commercial VPNs, block all Wisconsin users’ access, or mandate nationwide restrictions just to avoid liability. 

    The bill also creates a privacy nightmare. It pushes websites to collect sensitive personal data (e.g. government IDs, financial information, biometric identifiers) just to access lawful speech. At the same time, it broadens the definition of material deemed “harmful to minors” far beyond the narrow categories courts have historically allowed states to regulate. The definition goes far beyond the narrow categories historically recognized by courts (namely, explicit adult sexual materials) and instead sweeps in material that merely describes sex or depicts human anatomy. This approach invites over-censorship, chills lawful speech, and exposes websites to vague and unpredictable enforcement. That combination—mass data collection plus vague, expansive speech restrictions—is a recipe for over-censorship, data breaches, and constitutional overreach.

    If you live in Wisconsin, now is the time for you to contact your State Senator and urge them to vote NO on S.B. 130 / A.B. 105. Tell them protecting young people online should not mean undermining cybersecurity, chilling lawful speech, and forcing residents to hand over their IDs just to browse the internet.

    As we said last time: Our privacy matters. VPNs matter. And politicians who can’t tell the difference between a security tool and a “loophole” shouldn’t be writing laws about the internet.

  • “NHS talking therapies completely changed my life”: NHS launches major campaign to support millions more people with anxiety

    Millions of adults facing debilitating anxiety conditions are missing out on treatment that could help them recover and get back on with their lives the NHS has said, as it launches a major new mental health campaign. New analysis of NHS data shows that over 670,000 people were treated with NHS talking therapy care last […]

  • Illegal skin lightening cream being sold in UK butchers, watchdog warns

    A trade body has warned illegal skin bleaching products are being sold in an increasingly wide range of places.

  • Maintaining what we love all year long

  • Spanish Court Orders ProtonVPN and NordVPN to Block Pirate Football Streams

    Spanish Court Orders ProtonVPN and NordVPN to Block Pirate Football Streams

    VPNs have long been a thorn in the side of LaLiga, as they are used to circumvent the ISP blocking measures it has spent years securing in local courts.

    To address this problem, the Spanish football league has recently gone to court to target the VPNs themselves.

    Today, the Commercial Court No. 1 of Córdoba granted LaLiga and its broadcasting partner Telefónica Audiovisual Digital (TAD) an emergency injunction, targeting NordVPN and ProtonVPN. The VPN companies must block IP addresses linked to illegal streaming of LaLiga matches, making these inaccessible from Spain.

    The orders offer no immediate appeal option, according to El Economista, and there is one significant caveat. Neither VPN company was present in court when the ruling was handed down.

    VPNs Not Heard

    The court orders were issued inaudita parte, which is Latin for “without hearing the other side.” Citing urgency, the Córdoba court did not give NordVPN and ProtonVPN the opportunity to contest the measures before they were granted.

    Without a defense, the court reportedly concluded that both NordVPN and ProtonVPN actively advertise their ability to bypass geo-restrictions, citing match schedules in their marketing materials. The VPNs are therefore seen as active participants in the piracy chain rather than passive conduits, according to local media reports.

    The order is dynamic, which means that LaLiga and Telefónica can update the list of IP addresses the VPNs must block at any time, when new illegal streams are identified. In practice, this would require NordVPN and ProtonVPN to continuously receive and apply new blocklists during live match windows, effectively mirroring the real-time blocking infrastructure already imposed on Spanish ISPs.

    In the past, Spanish blocking measures have been heavily criticized, as they also affected innocent parties that shared IP addresses with pirate services.

    The court acknowledged this risk. It obligated LaLiga and Telefónica to preserve sufficient digital evidence that the IPs they report are genuinely tied to illegal content, a requirement designed to reduce collateral damage. It is not immediately clear how effectively this will prevent overblocking.

    “We Have Not Been Formally Notified”

    ProtonVPN apparently learned about the ruling from news reports, the same way everyone else did.

    “We have become aware of recent reports concerning legal proceedings in Spain that may affect VPN services, including Proton VPN,” the company wrote on X. “At this stage, we were not aware of any proceedings that may have been underway prior to these reports coming to light and have not been formally notified of any proceedings or judgment.”

    The company questions whether the order has any legal validity at all.

    “Spanish courts, like all courts operating under the rule of law, are bound by procedural safeguards that ensure parties are given a fair opportunity to present their case before any binding judgment is rendered,” the VPN company noted.

    proton response

    NordVPN, speaking to Spanish tech outlet Bandaancha, called the approach “unacceptable” and also confirmed that it had not been involved in any legal proceedings in Spain.

    Outside EU Jurisdiction

    While the current orders are a first in Spain, we have seen similar blocking injunctions in France already. In May 2025, the Paris Judicial Court ordered five major VPN providers to block access to more than 200 illegal sports streaming sites, and similar orders followed.

    In France, the orders are still under appeal. What options are available in Spain is unclear, however. The providers can comply, but they might also explore indirect options to challenge the injunctions, including jurisdictional concerns.

    Enforcing the order is far from straightforward. ProtonVPN is operated by Proton AG, a Swiss company based in Geneva. NordVPN is operated by Nord Security, incorporated in Panama. Neither country is an EU member state.

    This jurisdiction issue raises significant questions about enforcement. While the court has ordered the rulings to be translated and sent to the companies’ headquarters, it remains unclear what leverage a Spanish commercial court has over entities in Panama or Switzerland.

    For now, the orders are in effect, and the companies are officially on notice. Whether any football match in Spain will actually become harder to pirate as a result remains to be seen, but LaLiga is pleased with the outcome and called it a landmark victory.

    The original court filing from Juzgado Mercantil No. 1 de Córdoba was not immediately available to us.

    From: TF, for the latest news on copyright battles, piracy and more.