Microsoft Engineer Stole $10 Million By Selling Xbox Gift Cards For Bitcoin (pcgamer.com)
An anonymous reader quotes a report from PC Gamer: An oversight in accounts used to test Microsoft's payment systems let one engineer swindle his way into over $10 million after selling Xbox Gift Cards for Bitcoin over two years, a new report from Bloomberg revealed this week. In order to make sure its payment systems work, Microsoft employs engineers to "simulate" purchases on its stores. But soon after joining the company in 2017, Volodymyr Kvashuk discovered that there was a flaw in the accounts used to test purchases. See, these simulated accounts are usually flagged as such by the system, and won't send you physical goods if you tried to buy, say, a new gamepad from its site. But if you tested a purchase of Xbox Gift Cards, you'd still receive a completely valid 25-digit code. Kvashuk could've easily reported this to his bosses. But with unlimited free codes at his fingertips, he chose a different option instead.
At first, Kvashuk generated himself a handful of codes -- a cheeky $5 or $10 here or there. But there was the opportunity to make massive, life-changing sums of money off this exploit. He began cycling through mock profiles belonging to his colleagues to hide his tracks, automating the process with a bespoke piece of software prosecutors would later describe as "created for one purpose, and one purpose only: to automate embezzlement and allow fraud and theft on a massive scale." After acquiring these codes, Kvashuk would head to crypto marketplaces like Paxful to find prospective sellers. He'd sell them in bulk at a relative discount, which buyers would then go on to sell to folks who wanted to use the codes. Money laundering sites like ChipMixer would let him hide his trail, and the proceeds went towards facilitating an increasingly lavish lifestyle. [...] Microsoft was eventually clued in to Kvashuk's antics after noticing a sharp spike in gift card transactions, with federal agents eventually raiding his home in July 2019. In court, Kvashuk tried to argue that the mass theft was simply an experiment to increase store spending. Obviously, it didn't fly. Kvashuk was sentenced to 9 years in prison, likely deported back to his home country of Ukraine, and will be charged restitution of $8.3 million.
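The summary describes the flaw in one sentence: the test-account flag stopped physical goods from shipping but did not stop a gift-card order from minting a live 25-digit code, and the scheme was eventually noticed as a spike in gift card transactions. The model below is an added example, not Microsoft's code and not taken from the PC Gamer or Bloomberg reports; the order shape, the `is_test` flag, the code format, the redemption ledger, the "mock profile" naming and both detection thresholds are assumptions made for illustration. It shows the described oversight (test orders produce redeemable value), a hardened fulfilment path that gates every value-bearing outcome on the test flag rather than only shipping, and a detection heuristic that also catches the evasion the story mentions (spreading orders across colleagues' mock profiles to stay under per-account limits).

```python
"""Model of a payment-simulation oversight: constructed illustration only."""
from collections import Counter, defaultdict
from dataclasses import dataclass
import secrets

PHYSICAL_SKUS = {"gamepad", "console"}   # assumed catalogue split
DIGITAL_SKUS = {"giftcard"}


@dataclass(frozen=True)
class Order:
    account: str     # store profile that placed the order
    sku: str         # member of PHYSICAL_SKUS or DIGITAL_SKUS
    amount: int      # face value in USD for gift cards, price otherwise
    is_test: bool    # True for payment-simulation ("mock") accounts
    day: int         # day index, used only by the detection heuristic


def issue_code() -> str:
    """Mint a 25-character code in five blocks of five (format assumed)."""
    alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
    raw = "".join(secrets.choice(alphabet) for _ in range(25))
    return "-".join(raw[i:i + 5] for i in range(0, 25, 5))


class RedemptionLedger:
    """Codes the redemption service will honour; unregistered codes are rejected."""
    def __init__(self):
        self.live = {}

    def register(self, code, value):
        self.live[code] = value

    def redeem(self, code):
        return self.live.pop(code, None)


def fulfil_vulnerable(order, ledger):
    """The oversight as described: is_test suppresses shipping only.
    A digital code is minted and registered exactly as for a real purchase."""
    if order.sku in PHYSICAL_SKUS:
        return None if order.is_test else f"ship:{order.sku}"
    code = issue_code()
    ledger.register(code, order.amount)
    return code


def fulfil_hardened(order, ledger):
    """Gate every value-bearing outcome on is_test, not just shipping.
    The tester still receives a well-formed code so the UI and payment path
    can be exercised, but it is never registered as redeemable."""
    if order.sku in PHYSICAL_SKUS:
        return None if order.is_test else f"ship:{order.sku}"
    code = issue_code()
    if not order.is_test:
        ledger.register(code, order.amount)
    return code


def flag_test_giftcard_abuse(orders, per_account_max=20, daily_face_value_max=500):
    """Per-account counts are what rotating through colleagues' profiles defeats;
    the aggregate daily face value minted from any test account catches that.
    Both thresholds are assumptions."""
    test_gc = [o for o in orders if o.is_test and o.sku in DIGITAL_SKUS]
    per_account = Counter(o.account for o in test_gc)
    per_day = defaultdict(int)
    for o in test_gc:
        per_day[o.day] += o.amount
    return {
        "accounts": sorted(a for a, n in per_account.items() if n > per_account_max),
        "days": sorted(d for d, v in per_day.items() if v > daily_face_value_max),
    }


def demo():
    """Constructed scenario: one test account, then one day of abuse spread
    across five mock profiles so that no single profile trips the count."""
    results = {}
    vuln, hard = RedemptionLedger(), RedemptionLedger()
    test_gc = Order("tester-a", "giftcard", 10, True, 1)
    results["vuln_test_redeemable"] = vuln.redeem(fulfil_vulnerable(test_gc, vuln)) == 10
    results["hard_test_redeemable"] = hard.redeem(fulfil_hardened(test_gc, hard)) == 10
    real_gc = Order("customer", "giftcard", 25, False, 1)
    results["hard_real_redeemable"] = hard.redeem(fulfil_hardened(real_gc, hard)) == 25
    test_pad = Order("tester-a", "gamepad", 60, True, 1)
    results["test_physical_shipped"] = fulfil_hardened(test_pad, hard) is not None
    # 5 profiles x 12 orders x $10: each profile stays under per_account_max,
    # but the day's $600 of test-minted face value exceeds daily_face_value_max.
    log = [Order(f"mock-{p}", "giftcard", 10, True, 1) for p in range(5) for _ in range(12)]
    results["flags"] = flag_test_giftcard_abuse(log)
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is that "test" must be a property of the value created, not of the shipping step: the hardened path keeps the tester's experience identical up to redemption, and the redemption service, not the storefront, is the control. The detection half deliberately aggregates across accounts because a per-account threshold is exactly what account rotation is built to evade.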
Prison, then deportation ... repayment when? (Score:5, Interesting)
From TFA:
The judge and jury found his defense ridiculous and declared him guilty on all counts. He’s likely to be deported back to Ukraine after serving time in prison until March 2027 and will have to make restitution of $8.3 million.
I wonder (a) how much he can pay off while in US prison and (b) how the US is going to force him to make restitution when he's back in Ukraine.
Re: (Score:1)
I wonder (a) how much he can pay off while in US prison and (b) how the US is going to force him to make restitution when he's back in Ukraine.
Don't worry, he has a new plan in mind. They usually do.
Big mistake (Score:4, Insightful)
$5 or $10? Big mistake. He should have only taken fractions of pennies from each transaction.
Re: (Score:3)
Just kick someone's ass the first day and you'll be fine.
Re: (Score:1)
Yeah but then you have to worry about the computer becoming sentient and trying to kill superman.
How many times (Score:1)
You can't really blame Microsoft for this (Score:5, Interesting)
Which makes me a lousy pentester
But, surprisingly, a pretty good QA guy. I tend to not read instructions, rather figure things out for myself. Which it turns out makes me really good at breaking stuff.
Re: (Score:2)
Indeed. There is no way around that. You always have to trust your employees to some degree. That is a primary reason why you should treat them well. Those that overdo it (usually in the 1...10M range or above) will likely be found out, but those that know when to stop will often get away with it.
Lots of people stop (Score:2)
They do not get caught. And so you never hear about them.
Re: (Score:2)
Survivor bias in reverse?
Re: (Score:2)
That little thing known as greed.
Re: (Score:3)
People's perception of risk reduces the more they suffer no consequences from their action.
I may get caught, I'll only do a bit. ... Police? Where? At my door? But WHY?
Ooh that worked, I'll do a bit more.
Hey I don't think they are looking at this at all, let me try something bigger.
Fast forward a few years.
I'M UNSTOPPABLE. *ring* Yes this is he!
Re: (Score:3)
To be honest, most people intend to stop. They test it once - they do a $20 gift card and sell it for cheap. They may do it a few times now and again to see if it's fixed.
But then, what started as maybe a coffee a week, they rationalize: well, maybe instead of a coffee a week, surely they won't notice if I treat myself to a coffee a day. Then maybe something else
Re: (Score:2)
"When should I stop?" and "how much money is enough?" have the same hard-to-define quality.
The problem also isn't so much "when should I stop?", it's that when people discover these loopholes, especially with recurring thefts, they don't step back and develop a long-term plan for all those parameters -- how much or how often can I do this? How can I obscure my take? How can I gain plausible deniability?
It just becomes a gravy train. Even in the local paper, once every couple of months or so there's some
Re: Why not stop? (Score:2)
Well, Bitcoin is "anonymous" and it is impossible to get caught ... oops!
Potential (Score:5, Funny)
Engineer? This guy's management material.
Windows? (Score:2, Troll)
a bespoke piece of software prosecutors would later describe as "created for one purpose, and one purpose only: to automate embezzlement and allow fraud and theft on a massive scale."
Dupes are now a year apart (Score:2)
https://yro.slashdot.org/story... [slashdot.org]
Must be new math? (Score:3)
Re: (Score:2)
Maybe they were smart enough to lose some of the Bitcoin keys in a boating accident?
Re: (Score:1)
The actual mistake was thinking that gift cards and Bitcoin are worth anything.
Re: (Score:2)
He sold cards with a face value of $10m, but how much did he actually sell them for?
People don't pay full price for goods obtained from questionable sources. If you're going to pay full price, no reason not to go direct to an official source.
He will have sold a $10 gift card for considerably less than $10.
Re: (Score:2)
> People don't pay full price for goods obtained from questionable sources.
My guess is Microsoft then paid out real money to the software authors on the Xbox platform, and some accountant noticed they were paying out more than they took in from customers. When it gets near $10M people start to look more closely.
$10M - $8.3M = $1.7M (Score:2)
Are we running a story on this every 6 months? (Score:2)
https://yro.slashdot.org/story... [slashdot.org]
https://yro.slashdot.org/story... [slashdot.org]
https://yro.slashdot.org/story... [slashdot.org]
Deportation nullifies punishment (Score:2)
Best to keep and crush him as an example.