Malware researcher Marcus Hutchins pleads guilty, ending his legal case

Malware researcher Marcus Hutchins has pleaded guilty to two counts of creating and selling a powerful banking malware, ending a long and protracted battle with U.S. prosecutors.

Hutchins, a British national who goes by the online handle MalwareTech, was arrested in August 2017 as he was due to fly back to the U.K. following the Def Con security conference in Las Vegas. Prosecutors charged Hutchins over his involvement in creating the Kronos banking malware, dating back to 2014. He was later freed on bail.

A plea agreement was filed with the Eastern District of Wisconsin, where the case was being heard, on Friday. His trial was set to begin later this year.

Hutchins agreed to plead guilty to distributing Kronos, a trojan that can be used to steal passwords and credentials from banking websites. In recent years, the trojan has continued to spread. He also agreed to plead guilty to a second count of conspiracy.

Hutchins faces up to 10 years in prison. Prosecutors have dropped the remaining charges.

In a brief statement on his website, Hutchins said: “I regret these actions and accept full responsibility for my mistakes.”

“Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes,” he said. “I will continue to devote my time to keeping people safe from malware attacks.”

His attorney Marcia Hofmann did not immediately return a request for comment.

Hutchins rose to prominence after he stopped the spread of the WannaCry ransomware attack in May 2017, months before his arrest. The attack used powerful hacking tools developed by the National Security Agency, which were later leaked, to backdoor thousands of Windows computers and install ransomware. The attack, which knocked U.K. hospitals offline and crippled major companies around the world, was later attributed to hackers backed by North Korea.

By registering a domain name found in the malware’s code, Hutchins stemmed the spread of the infection. He was hailed a hero for stopping the attack.

Prior to his release and after, Hutchins gained further praise and respect from the security community for his contributions to the malware-reversing field and for demonstrating his findings so others can learn from them.

Justice Department spokesperson Nicole Navas declined to comment.

Prosper is the latest Silicon Valley company to get dinged by, and settle charges with, the SEC

Another Silicon Valley company is settling with the SEC: the online lending company Prosper, which the SEC had accused of “miscalculating and materially overstating annualized net returns to retail and other investors.” Prosper has agreed to pay $3 million as part of the settlement, in which it has neither admitted nor denied the agency’s allegations.

According to a new release from the SEC: “For almost two years, Prosper told tens of thousands of investors that their returns were higher than they actually were despite warning signs that should have alerted Prosper that it was miscalculating those returns.” The 14-year-old, San Francisco-based company “excluded certain non-performing charged off loans from its calculation of annualized net returns” that it communicated to investors from around July 2015 through May 2017.

The mistake owed to a coding error that excluded the defaulted loans from its computations, the SEC said, causing Prosper to overstate its annualized net returns to more than 30,000 investors on individual account pages on its site and in emails soliciting additional investments from investors.

The SEC added that “many” investors decided to make additional investments based on the overstated annualized net returns and that “Prosper failed to identify and correct the error despite [its] knowledge that it no longer understood how annualized net returns were calculated and despite investor complaints about the calculation.”

The settlement is the second for the SEC in two weeks’ time. On April 2, the SEC announced that the founder and former chief executive of Jumio has agreed to pay the agency $17.4 million to settle charges that he defrauded investors in the mobile payments and identity verification start-up before it went bankrupt.

Hacker dumps thousands of sensitive Mexican embassy documents online

A hacker stole thousands of documents from Mexico’s embassy in Guatemala and posted them online.

The hacker, who goes by the online handle @0x55Taylor, tweeted a link to the data earlier this week. The data is no longer available for download after the cloud host pulled the data offline, but the hacker shared the document dump with TechCrunch to verify its contents.

The hacker told TechCrunch in a message: “A vulnerable server in Guatemala related to the Mexican embassy was compromised and I downloaded all the documents and databases.” He said he contacted Mexican officials but he was ignored.

In previous correspondence with the hacker, he said he tries to report problems and has received bounty payouts for his discoveries. “But when I don’t get a reply, then it’s going public,” he said.

More than 4,800 documents were stolen, most of which related to the inner workings of the Mexican embassy in the Guatemalan capital, including its consular activities, such as recognizing births and deaths, dealing with Mexican citizens who have been incarcerated or jailed and the issuing of travel documents.

More than a thousand passports — including identification issued to diplomats — were stolen. (Image: supplied)

We found more than a thousand highly sensitive identity documents of primarily Mexican citizens and diplomats — including scans of passports, visas, birth certificates and more — but also some Guatemalan citizens.

Several documents contained scans of the front and back of payment cards.

One of the diplomatic visas issued to a Mexican diplomat stolen in the files. (Image: supplied)

The stolen data also included dozens of letters granting diplomatic rights, privileges and immunities to embassy staff. Diplomatic rights grant employees of the foreign embassy certain protections from their host country’s government and law enforcement. Diplomatic immunity, for example, allows staff to be granted safe passage in and out of the country and to be generally safe from prosecution. Other documents seen by TechCrunch were signed off personally by Mexico’s ambassador to Guatemala, Luis Manuel López Moreno, and were instructed to be transported by diplomatic bag, which foreign missions use to transport official correspondence between countries and which cannot be searched by police or customs.

Many of the files were marked “confidential,” though it’s not known if the hacked data included anything considered by the Mexican government to be classified or secret. Other files were internal administrative documents relating to staff medical expenses, vacation and time off and vehicle certifications.

When reached Friday, Gerado Izzo, a spokesperson for the consul general in New York, said it is taking the matter “very seriously” but did not immediately have comment.

Friday is a national holiday in Mexico.

Apply now to be a TC Top Pick at Disrupt San Francisco 2019

Psst! We’re looking at you, early-stage startup founders. How would you like your startup to be a media and investor darling at Disrupt San Francisco 2019? If you think your startup has what it takes to make the cut, apply to be a TC Top Pick. The application process is super easy, free and potentially — dare we say — life changing. Yup, we dare.

Our TC Top Picks program is competitive and highly selective. TechCrunch editors are a notoriously picky bunch, and they’ll review every application thoroughly before choosing up to five top startups in each of these categories: AI/Machine Learning, Biotech/Healthtech, Blockchain, Fintech, Mobility, Privacy/Security, Retail/E-commerce, Robotics/IoT/Hardware, SaaS and Social Impact & Education.

Every startup selected as a TC Top Pick receives a free Startup Alley Exhibition package, invitations to special events at Disrupt SF — like the investor reception — and prime real estate in the Startup Alley exhibition hall.

It’s one thing for us to tell you that being a TC Top Pick can change your startup’s trajectory, but it’s more effective to hear first-hand experiences from previous Top Picks — like this one.

Israeli-based CAARESYS earned a TC Top Pick designation in the mobility category at Disrupt SF 2018. The startup’s vehicle monitoring system uses low-emission radio frequency radar and contactless biometrics to track the body location and physical state — respiration rate, heart rate and heart-rate variability — of each passenger in the car.

According to Konstantin Berezin, the company’s COO and co-founder, the connections they made as a TC Top Pick at Disrupt SF resulted in projects with three OEM and Tier 1 companies. The company is currently in the integration phase with auto manufacturers to get the systems into cars by 2021.

“We also followed up with a potential customer we met at Disrupt and, as a result of that meeting, we signed a memorandum of understanding to partner on a mutual project,” said Berezin. “I can’t disclose the name just yet, but we’re very excited. Being a TC Top Pick really put us on the map.”

Another perk that comes with being a TC Top Pick is the interview with a TechCrunch editor on the Showcase stage in Startup Alley. That video interview, which we promote across our social media platforms, provides valuable media exposure long after the conference ends.

“The interview was terrific, and TechCrunch did a very professional job shooting and editing the video,” said Berezin. “Sending our video to current and potential customers gives us prestige and a certain cool factor. We love it!”

Of course, there’s more than one way to grab the spotlight at Disrupt SF. While you’re applying to be a TC Top Pick, why not apply to compete in Startup Battlefield, too? Our epic startup pitch competition carries a $100,000 equity-free cash prize. Yowza!

Disrupt San Francisco 2019 takes place October 2-4. Take a life-changing step to get the most out of your time at Disrupt and apply to the TC Top Pick program today.

Is your company interested in sponsoring or exhibiting at Disrupt SF? Contact our sponsorship sales team by filling out this form.

Alphabet’s Sidewalk Labs is developing visual cues to indicate when their tech is monitoring you

Alphabet’s subsidiary focused on urban tech development, Sidewalk Labs, is now trying to reinvent signage for smart cities. These signs aren’t to direct the flow of traffic, or to point the way to urban landmarks — they’re designed to let citizens know when they’re being monitored.

The proposal is part of a push by the company to acclimate people to the technologies that it’s deploying in cities like New York and Toronto.

Globally, competition for contracts to deploy sensors, data management, and predictive technologies in cities can run into the tens of millions, if not billions of dollars, and Sidewalk Labs knows this better than most. Because its projects are among the most ambitious deployments of sensing and networking technologies for smart cities, the company has also faced the most public criticism.

So at least partially in an attempt to blunt attacks from critics, the company is proposing to make its surveillance and monitoring efforts more transparent.

“Digital technology is all around us, but often invisible. Consider: on any one urban excursion (your commute, perhaps), you could encounter CCTVs, traffic cameras, transit card readers, bike lane counters, Wi-Fi access points, occupancy sensors that open doors — potentially all on the same block,” writes Jacqueline Lu, whose title is “assistant director of the public realm” at Sidewalk Labs.

Lu notes that while the technologies can be useful, there’s little transparency around the data these technologies are collecting, who the data is being collected by, and what the data is collected for.

Cities like Boston and London already indicate when technology is being used in the urban environment, but Sidewalk Labs convened a group of designers and urban planners to come up with a system for signage that would make the technology being used even more public for citizens going about their day.

Back in 2013, the U.S. Federal Trade Commission called for the development of these types of indicators when it issued a call for mobile privacy disclosures. But that seems to have resulted in companies just drafting reams of jargon-filled disclosures that obscured more than they revealed.

At Sidewalk, the goal is transparency, say the authors of the company’s suggested plan.

“We strongly believe that people should know how and why data is being collected and used in the public realm, and we also believe that design and technology can meaningfully facilitate this understanding. For these reasons, we embarked on a collaborative project to imagine what digital transparency in the public realm could be like,” write Lu and her co-authors, Principal Designer Patrick Keenan and Legal Associate Chelsey Colbert.

As an example, Sidewalk showed off potential designs for signage that would alert people to the presence of the company’s Numina technology.

That tech monitors traffic patterns by recording, anonymizing and transmitting data from sensors using digital recording and algorithmically enhanced software to track movement in an area. These sensors are installed on light poles and transmit data wirelessly.

At the very least, the technology can’t be any worse than the innocuously intended cameras that are monitoring public spaces already (and can be turned into surveillance tools easily).

The hexagonal designs indicate the purpose of the technology, the company deploying it, the reason for its use, whether or not the tech is collecting sensitive information and a QR code that can be scanned to find out more information.

The issue with experiments like these in the public sphere is that there’s no easy way to opt out of them. Sidewalk Labs’ Toronto project is both an astounding feat of design and the apotheosis of surveillance capitalism.

Once these decisions are made to cede public space to the private sector, or sacrifice privacy for security (or simply better information about a location for the sake of convenience) they’re somewhat difficult to unwind. As with most of the salient issues with technology today, it’s about unintended consequences.

Information about a technology’s deployment isn’t enough if the relevant parties haven’t thought through the ramifications of that technology’s use.

Netflix says it’s testing a shuffle feature for when you don’t know what to watch

Netflix is testing a new feature that can help you start streaming when you don’t know what to watch. The company confirmed it’s testing a shuffle mode of sorts, that will allow you to easily click on a popular show to start playing a random episode. The idea with the feature is to offer an experience that’s more like traditional TV — where you could just turn the set on, and there would be something to watch.

With today’s streaming services, that sort of seamless experience is more difficult to achieve. Instead, viewers now have to first select a streaming app, then scroll through endless menus and recommendations before they can settle on their next title.

The new shuffle feature, instead, offers something closer to the experience of turning on cable TV, when there was always some classic favorite show playing in syndication.

The shows being tested with the new feature appear to be those that people choose when they don’t know what else to watch, like The Office, New Girl, Our Planet, Arrested Development and others.

The Office, in particular, has a reputation for being a go-to pick for when you’re not in the middle of some other binge fest.

The TV shows appear in a new row, titled “Play a Random Episode.” To get started, you’d click any TV show’s thumbnail, and a random episode from the series then starts playing.

The thumbnails themselves are also adorned with a red “shuffle” icon to indicate they’ll play a random episode.

The new feature was first spotted by the folks at Android Police, who saw the option appear in the Android version of Netflix’s app.

Netflix confirmed to TechCrunch the shuffle feature is something it’s considering, but hasn’t yet committed to rolling out.

“We are testing the ability for members to play a random episode from different TV series on the Android mobile app. These tests typically vary in length of time and by region, and may not become permanent,” a Netflix spokesperson said.

Netflix for some time has been focused on ways to get users streaming its content faster, after they log in. That’s where its decision to run autoplaying trailers comes in, for example, or why it now features those Stories-inspired previews; or why it tested promoting its shows right on the login screen.

Daily Crunch: Zoom and Pinterest go public

The Daily Crunch is TechCrunch’s roundup of our biggest and most important stories. If you’d like to get this delivered to your inbox every day at around 9am Pacific, you can subscribe here.

1. Zoom pops 81 percent in Nasdaq debut

Thursday was a big day for tech IPOs, with Zoom opening trading at $65 a share. The company’s initial public offering gave it a fully diluted market cap of roughly $16 billion.

Meanwhile, Pinterest debuted on the New York Stock Exchange at $23.75 per share.

2. Facebook now says its password leak affected ‘millions’ of Instagram users

“We discovered additional logs of Instagram passwords being stored in a readable format,” the company said. “We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others.”

3. Mueller report sheds new light on how the Russians hacked the DNC and the Clinton campaign

At one point, the Russians used servers located in the U.S. to carry out the massive data exfiltration effort, the report says.

4. Instagram hides Like counts in leaked design prototype

Hiding Like counts could reduce the herd mentality, where people just Like what’s already got tons of Likes. It could also reduce the sense of competition.

5. The consumer version of BBM is shutting down on May 31

While the consumer version of BlackBerry Messenger is shutting down, the service will still exist. In fact, BlackBerry announced a plan to open its enterprise version to general consumers.

6. Amazon launches ad-supported music service to Echo owners

Until this week, Echo owners who wanted to stream music from Amazon could either pay for an annual Prime membership in order to access Prime Music, or they could pay $3.99 per month to stream from Amazon Music Unlimited.

7. The different playbooks of D2C brands

Venture capital firms have invested over $4 billion in D2C brands since 2012, with 2018 alone accounting for over $1 billion. How are these D2C brands going to evolve and how could they sustain as businesses? (Extra Crunch membership required.)

Verified Expert Brand Designer: Ramotion

Ramotion is a remote branding and product design agency that has worked with Bay Area tech startups since 2014. While they typically do branding for funded, fast-growing startups, Ramotion has helped companies ranging from Bitmoji’s early brand identity to Mozilla’s rebrand. We spoke to Ramotion’s CEO Denis Pakhaliuk about their iterative approach, his favorite branding projects, and more.  


Ramotion’s branding philosophy:

“We are a big fan of starting small: designing a small package, releasing it, and then iterating on top of that. So, founders need to be focused on what’s really necessary right now for their next round of investment or product releases.”

On common founder mistakes:

“I think some founders think they need everything, but they actually need an MVP and product design. The same goes for brand identity. They need to have some key elements like colors, typeface, and the logo. There is no need to do everything in the beginning, because the logo and brand identity becomes meaningful after it’s used. It’ll eventually improve.”

“They’re the reason we have such an amazing logo today.” Kevin Sproles, Austin, Founder & CEO at Volusion

Below, you’ll find the rest of the founder reviews, the full interview, and more details like pricing and fee structures. This profile is part of our ongoing series covering startup brand designers and agencies with whom founders love to work, based on this survey and our own research. The survey is open indefinitely, so please fill it out if you haven’t already.


Interview with Ramotion’s CEO Denis Pakhaliuk

Yvonne Leow: Can you tell me about your journey and how you came to create Ramotion?

Denis Pakhaliuk: Yea, I started as a CG designer more than 10 years ago. I was doing computer graphics, CG modeling, digitalization of architectural design and automotive design. I was initially very focused on German cars and industrial design. Once iPhone 3G came out, I switched to doing UI design for mobile apps, which was a very hot topic at the time.

From that point I met a guy who just said, “Hey, I’m thinking of building an agency,” and so we decided to do it together. It started with a few people and now we have up to 30. We focus on different products, from small companies to more established brands, like Salesforce, among others. So yeah, it’s been a fun journey.

Yvonne Leow: At what point did Ramotion start working with startups?

How do you hire a great growth marketer?

Editor’s Note: This article is part of a series that explores the world of growth marketing for founders. If you’ve worked with an amazing growth marketing agency, nominate them to be featured in our shortlist of top growth marketing agencies in tech.

Startups often set themselves back a year by hiring the wrong growth marketer.

This post shares a framework my marketing agency uses to source and vet high-potential growth candidates.

With it, early-stage startups can identify and attract a great first growth hire.

It’ll also help you avoid unintentionally hiring candidates who lack broad competency. Some marketers master 1-2 channels, but aren’t experts at much else. When hiring your first growth marketer, you should aim for a generalist.

This post is split into two halves:

  1. How I find growth candidates.
  2. How I identify which candidates are legitimately talented.

Great marketers are often founders

One interesting way to find great marketers is to look for great potential founders.

Let me explain. Privately, most great marketers admit that their motive for getting hired was to gain a couple years’ experience they could use to start their own company.

Don’t let that scare you. Leverage it: You can sidestep the competitive landscape for marketing talent by recruiting past founders whose startups have recently failed.

Why do this? Because great founders and great growth marketers are often one and the same. They’re multi-disciplinary executors, they take ownership, and they’re passionate about product.

You see, a marketing role with sufficient autonomy mimics the role of a founder: In both, you hustle to acquire users and optimize your product to retain them. You’re working across growth, brand, product, and data.

As a result, struggling founders wanting a break from the startup rollercoaster often find transitioning to a growth marketing role to be a natural segue.

How do we find these high-potential candidates?

Finding founders

To find past founders, you could theoretically monitor the alumni lists of incubators like Y Combinator and Techstars to see which companies never succeeded. Then you can reach out to their first-time founders.

You can also identify future founders: Browse Product Hunt and Indie Hackers for old projects that showed great marketing skill but didn’t succeed.

There are thousands of promising founders who’ve left a mark on the web. Their failure is not necessarily indicative of incompetence. My agency’s co-founders and directors, including myself, all failed at founding past companies.

How do I attract candidates?

To get potential founders interested in the day-to-day of your marketing role, offer them both breadth and autonomy:

  • Let them be involved in many things.
  • Let them be fully in charge of a few things.

Remember, recreate the experience of being a founder.

Further, vet their enthusiasm for your product, market, and its product-channel fit:

  • Product and market: Do their interests line up with how your product impacts its users? For example, do they care more about connecting people through social networks, or about solving productivity problems through SaaS? And which does your product line up with?
  • Product-channel fit: Are they excited to run the acquisition channels that typically succeed in your market?

The latter is a little-understood but critically important requirement: Hire marketers who are interested in the channels your company actually needs.

Let’s illustrate this with a comparison between two hypothetical companies:

  1. A B2B enterprise SaaS app.
  2. An e-commerce company that sells mattresses.

Broadly speaking, the enterprise app will most likely succeed through the following customer acquisition channels: sales, offline networking, Facebook desktop ads, and Google Search.

In contrast, the e-commerce company will most likely succeed through Instagram ads, Facebook mobile ads, Pinterest ads, and Google Shopping ads.

We can narrow even further: In practice, most companies only get one or two of their potential channels to work profitably and at scale.

Meaning, most companies have to develop deep expertise in just a couple channels.

There are enterprise marketers who can run cold outreach campaigns on autopilot. But, many have neither the expertise nor the interest to run, say, Pinterest ads. So if you’ve determined Pinterest is a high-leverage ad channel for your business, you’d be mistaken to assume that an enterprise marketer’s cold outreach skills seamlessly translate to Pinterest ads.

Some channels take a year or longer to master. And mastering one channel doesn’t necessarily make you any better at the next. Pinterest, for example, relies on creative design. Cold email outreach relies on copywriting and account-based marketing.

(How do you identify which ad channels are most likely to work for your company? Read my Extra Crunch article for a breakdown.)

To summarize: To attract the right marketers, identify those who are interested in not only your product but also how your product is sold.

Other approaches

The founder-first approach I’ve shared is just one of many ways my agency recruits great marketers. The point is to remind you that great candidates are sometimes a small career pivot away from being your perfect hire. You don’t have to look in the typical places when your budget is tight and you want to hire someone with high, senior potential.

This is especially relevant for early-stage, bootstrapping startups.

If you have the foresight to recognize these high-potential candidates, you can hopefully hire both better and cheaper. Plus, you empower someone to level up their career.

Speaking of which, here are other ways to hire talent whose potential hasn’t been fully realized:

  • Find deep specialists (e.g. Facebook Ads experts) and offer them an opportunity to learn complementary skills with a more open-ended, strategic role. (You can help train them with my growth guide.)
  • Poach experienced junior marketers from a company in your space by offering senior roles.
  • Hire candidates from top growth marketing schools.

Part II: Vetting growth marketers

If you don’t yet have a growth candidate to vet, you can stop reading here. Bookmark this and return when you do!

Now that you have a candidate, how do you assess whether they’re legitimately talented?

At Bell Curve, we ask our most promising leads to incrementally complete three projects:

  • Create Facebook and Instagram ads to send traffic to our site. This showcases their low-level, tactical skills.
  • Walk us through a methodology for optimizing our site’s conversion rate. This showcases their process-driven approach to generating growth ideas. Process is everything.
  • Ideate and prioritize customer acquisition strategies for our company. This showcases their ability to prioritize high-leverage projects and see the big picture.

We allow a week to complete these projects. And we pay them market wage.

Here’s what we’re looking for when we assess their work.

Level 1: Basics

First — putting their work aside — we assess the dynamics of working with them. Are they:

  • Competent: Can they follow instructions and understand nuance?
  • Reliable: Will they hit deadlines without excuses?
  • Communicative: Will they proactively clarify unclear things?
  • Kind: Do they have social skills?

If they follow our instructions and do a decent job, they’re competent. If they hit our deadline, they’re probably reliable. If they ask good questions, they’re communicative.

And if we like talking to them, they’re kind.

Level 2: Capabilities

A level higher, we use these projects to assess their ability to contribute to the company:

  • Do they have a process for generating and prioritizing good ideas? 
    • Did their process result in multiple worthwhile ad and landing page ideas? We’re assessing their process more so than their output. A great process leads to generating quality ideas forever.
    • Resources are always limited. One of the most important jobs of a growth marketer is to ensure growth resources are focused on the right opportunities. I’m looking for a candidate that has a process for identifying, evaluating, and prioritizing growth opportunities.
  • Can they execute on those ideas? 
    • Did they create ads and propose A/B tests thoughtfully? Did they identify the most compelling value propositions, write copy enticingly, and target audiences that make sense?
    • Have they achieved mastery of 1-2 acquisition channels (ideally, the channels your company is dependent on to scale)? I don’t expect anyone to be an expert in all channels, but deep knowledge of at least a couple channels is key for an early-stage startup making their first growth hire.

If you don’t have the in-house expertise to assess their growth skills, you can pay an experienced marketer to assess their work. It’ll cost you a couple hundred bucks, and give you peace of mind. Look on Upwork for someone, or ask a marketer at a friend’s company.

Recap

  • If you’re an early-stage company with a tight budget, there are creative ways to source high-potential growth talent.
  • Assess that talent on their product fit and market fit for your company. Do they actually want to work on the channels needed for your business to succeed?
  • Give them a weeklong sample project. Assess their ability to generate ideas and prioritize them.

Reese Witherspoon’s Hello Sunshine is considering book-themed subscription boxes

Reese Witherspoon’s media company Hello Sunshine already has its hands in movies, television, Apple TV+ shows, podcasts, Audible originals, books and more. Now it’s weighing an entry into the subscription box business to further capitalize on its brand and its appeal to women.

The subscription boxes under consideration would operate out of Reese’s Book Club — the curated selection of book recommendations whose focus is on titles with strong female leads. The club, which some believe may one day rival Oprah’s, is already capable of driving sales at Amazon and elsewhere. It’s also now a feeder into other Hello Sunshine projects — like HBO’s “Big Little Lies,” Hulu’s upcoming adaptation of “Little Fires Everywhere” and others.

Now the company is gathering feedback as to how to turn the book club’s online brand — which began with Witherspoon posting books to Instagram — into a revenue-generating business of its own.

Hello Sunshine members recently received a survey asking for their feedback about Hello Sunshine and Reese’s Book Club. But the questions it posed were almost entirely focused on gathering information about what members would want to see in a subscription box.

For example, would they prefer items that are seasonal, themed to the book club’s current pick or those that are related to reading — like book lamps and bookmarks? Or would members be open to anything Reese just likes herself, for whatever reason?

To some extent, Hello Sunshine has already begun the process of curating other non-book items through the site’s online shop, where it features things like totes, mugs, pins, hats, notebooks, makeup bags and even jewelry. These could easily be added into subscription boxes, if the time comes.

The survey also asked for feedback about how the books would be paired with the other items. Members were asked if they would prefer the monthly book club selection or themed boxes like “favorite books,” “classics” or “summer reads,” for example.

Finally, the survey asked about how customers would like to pay — monthly, quarterly, annually and so on.

While the larger subscription box craze may have passed, many that have a more female-friendly focus are still surviving — like Birchbox and Ipsy’s makeup boxes, jewelry-focused Rocksbox, FabFitFun and others. And some are even thriving — like Stitch Fix’s subscription-based clothing boxes.

Hello Sunshine’s potential in this space would instead come from its growing fan base, rather than something it has to start from scratch. Today the book club has 1 million Instagram followers, up from 390,000 a year ago. That’s in addition to the 471,000 who follow Hello Sunshine and the 17.3 million who follow Witherspoon.

Hello Sunshine did not return requests for comment.