An oversight in testing accounts used for Microsoft’s payment systems revealed itself to one of its software engineers. Unfortunately, before Microsoft caught wind of what’s going on, the now-former engineer swindled his way into over $10 million after selling Xbox Gift Cards for Bitcoin over the course of two years. Though enjoying eternal gratitude from his customers, Volodymyr Kvashuk is now sentenced to nine years in prison and charged with restitution of $8.3 million.
Volodymyr Kvashuk, a now-former software engineer at Microsoft, was testing the company’s e-commerce infrastructure when he stumbled upon a life-changing bug in the system that allowed him to generate gift card codes free of charge. According to IGN‘s report, Volodymyr Kvashuk, having unlimited access to free codes at his fingertips, decided to cash in on his findings instead of reporting the problem to his superiors. So, what started as a minor theft of a handful of codes turned into embezzlement, fraud, and theft on a massive scale. But how?
Microsoft employs engineers to simulate purchases on its stores to check the functionality of its payment systems using specific test accounts. During testing, the system flagged these accounts as test ones, which prevents it from processing any orders of physical goods. So, if an engineer tried to buy a gamepad from Microsoft’s store, the system would recognize his test account but wouldn’t send a controller to the engineer’s address. However, Volodymyr Kvashuk realized that all Xbox Gift Card purchases made through test accounts still deliver a completely valid, working 25-digit code.
A golden opportunity appeared, one that allowed Volodymyr Kvashuk to make massive, life-changing sums of money at Microsoft’s expense. So, he began cycling through his colleagues’ mock profiles to hide his track by using automated software, which was later described in court as “created for one purpose, and one purpose only: to automate embezzlement and allow fraud and theft on a massive scale.” After acquiring a vast amount of valid codes, Volodymyr Kvashuk would sell them in bulk at a relative discount – up to 55% off. In addition, he used “Bitcoin mixing services” to conceal the origins of how he obtained the funds and even filed fake tax forms after transferring approx. $2.8 million in Bitcoin into various accounts under his name.
Well, we wouldn’t be telling this story hadn’t Microsoft caught up with Volodymyr Kvashuk after noticing a sharp spike in gift card transactions and a sudden change in the man’s lifestyle. His salary at Microsoft was far from stingy, but it wasn’t as generous to allow him to purchase a seaplane, a yacht, and multiple lavish houses in different locations. Apparently, cyber-criminals know how to infect your PC through free games but are entirely oblivious to the fact that once you skin a sheep, it gives no more wool. As a result of his greed-inspired mischievous ways, Kvashuk was convicted of 18 federal felonies in February 2020, and sentenced to nine years in prison, likely deported to his home country of Ukraine, with a massive debt of $8.3 million in damages to pay.