The way he gathered the funds doesn’t even seem that harmful, but the outcome and the punishment are severe.
Bloomberg reports that Volodymyr Kvashuk has to spend nine years in prison and was ordered to pay 8.3 million dollars in restitution, as he sold Xbox gift cards for bitcoin. How did he even manage this? The answer is simple: the engineer got into the system easily.
Microsoft employs engineers to “simulate” purchases in its stores. This is the Redmond-based company’s method of ensuring that its payment systems work. However, Kvashuk, who joined Microsoft in 2017, soon noticed a flaw in the purchase-testing accounts.
In short, these accounts do not allow actual purchases. For instance, you can’t buy an Xbox One controller with them. But an oversight left them still capable of receiving the twenty-five-digit Xbox gift card codes. Kvashuk could have reported the flaw to his higher-ups (which might have earned him a nice bonus), but instead, he chose the money.
At first, Kvashuk kept it low-key and generated 5 or 10 dollar codes for himself. (And if he had kept it at that, he might have gotten nothing more than a warning from Microsoft, with the cash amount deducted from his pay, because that would be just spare change for the company.) But later, he started to use the exploit more, cycling through his colleagues’ profiles to hide his tracks, and then created a program, which prosecutors described as follows: “[it was] created for one purpose, and one purpose only: to automate embezzlement and allow fraud and theft on a massive scale.”
Kvashuk would sell these codes on, for instance, Paxful (a crypto marketplace), offering them in bulk at a discount, which would then allow the buyers to resell them at a profit. ChipMixer (a money-laundering site) would have let him hide his trail, but his increasingly lavish lifestyle did not help matters, even though he had a solid salary at Microsoft, according to Bloomberg. That salary wouldn’t have been enough to get a seaplane, a yacht, and multiple lavish houses in Maui, California, or Mercer Island… and he had transferred 2.8 million dollars to his bank account, so he had the money to buy all these.
Microsoft noticed the exploit because it found a significant spike in gift card transactions. This eventually led to federal agents raiding his home in July 2019. In court, Kvashuk tried to argue that the mass theft was simply an experiment to increase store spending, which led nowhere, as Kvashuk was deported back to Ukraine to spend nine years in prison (and don’t forget the fine he has to pay).
Who knows how his life would have continued if he had simply alerted Microsoft to the flaw, because the company would have paid him handsomely for finding it…
Source: PCGamer