Microsoft Engineer Steals $10 Million By Exploiting Payment System To Sell Xbox Gift Cards For Bitcoin

An unusual approach, but clearly effective.

Per Bloomberg, one of Microsoft’s engineers has been sentenced to 9 years in prison and fined $8.3 million.

One Volodymyr Kvashuk, hired in 2017, found a bug in the payment system involving Xbox gift card codes. His job at the time was, of course, working with a team to discover bugs in the payment system for Microsoft’s online store. The tests typically involved using a provided fake credit card to try to trick the system; if he was able to, say, buy a Dell laptop with the phony card, the issue needed to be logged. However, if the system caught the fake, which is obviously how things are supposed to go, nothing would be delivered.

The problem was that he discovered, and didn’t log, an exploit; it was, to his mind, simply too good. Real Xbox gift card codes were dispensed immediately and, more importantly, the store wouldn’t catch the fraud as it did with physical objects meant for shipping. He started small, with codes between $10 and $100. But eventually the whole thing spiraled into millions in fraud. One of the team’s former senior engineers, speaking anonymously to Bloomberg, likened Kvashuk’s scheme to a bank heist:

Sooner or later, someone’s going to try to get away with taking $20. When they don’t get caught, they figure, ‘All I need is six guys to empty out the safe one night when no other employees are around.’

By the time the feds had caught up to Kvashuk two years later, he’d stolen over 152,000 codes, worth around $10 million, and had not only been living off of the ill-gotten funds generated from the scheme, but had moved to a lakeside home, with plans to buy a ski chalet, yacht, seaplane, and more.

How? Well, he sold the codes in bulk on cryptocurrency marketplaces like Paxful, then laundered the money through sites like ChipMixer. As time went on, he got better at covering his tracks; he used the mock accounts of other members of the team, and even wrote a program to automate the whole process, a program which prosecutors describe as “created for one purpose, and one purpose only: to automate embezzlement and allow fraud and theft on a massive scale.”

While Kvashuk’s salary was hardly what anyone would deem small, it wasn’t lakeside home, ski chalet, yacht, seaplane, and multiple vacation home large. And that yearning for luxuries would eventually be his undoing.

Microsoft noticed the large number of sales in gift cards on their site. And that dovetails nicely with federal agents raiding his lakefront home in July 2019.

The judge was likely not terribly amused when Kvashuk tried to defend himself by claiming he’d done nothing illegal, because the codes taken didn’t count as “real money”. Moreover, I’m sure the prosecution was also not amused when he argued, in court, that the whole thing was some sort of experiment to increase store spending.

It clearly didn’t make anyone happy, considering he’s been sentenced to 9 years in prison, and fined $8.3 million. As a matter of fact, it’s extra bad for Kvashuk; he’ll likely be deported back to Ukraine after his prison stay. Doubly so, as he’d taken part in the protests that ousted Ukraine’s Russian-backed president in 2014.

Source: PC Gamer

About Author

B. Simmons
