The Xbox gift card is a 25-character code that, once redeemed, credits a fixed dollar amount to the user’s Microsoft account balance. That balance can be spent on any of the company’s products: video games, Office and Windows software, etc.
According to Bloomberg, these gift codes were often sold on reseller markets at a discount. Much of that supply can be traced to Volodymyr Kvashuk, a Ukrainian living in the US who, as a Microsoft employee, had effectively unlimited ability to generate such codes.
Testing of the payment system did find glitches
Volodymyr Kvashuk moved to the United States and got a job at Microsoft in 2017. Among his duties was testing the payment system in the company’s online stores. He “bought” a Dell laptop on the website, paid with a fake credit card, and documented any errors. The system accepted the purchase and sent notifications, but no money was charged and no order was shipped. All of this was only meant to exercise the system.
In the winter of 2017, Kvashuk found that, unlike purchases of physical products, every test purchase of a gift card caused the Microsoft Store to send a real, redeemable gift code. No money was charged, and a tester could generate an almost unlimited number of cards.
He realized that his team’s test accounts were configured only to block fulfillment of fake purchases of physical goods such as PCs, tablets and keyboards. Microsoft simply had not planned for its digital retail testers to order Xbox gift cards on the job. Kvashuk could have reported the flaw to his management; instead, he started reselling the codes.
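The gating flaw described above is a classic deny-list mistake: the test accounts were blocked from one consequence (shipping hardware) rather than being denied everything of value by default, and issuance was never tied to a settled payment. The following is an added illustration, not Microsoft’s code; the order model, the `fulfil_flawed` and `fulfil_hardened` functions and the account names are hypothetical. It shows the flawed gate next to a deny-by-default one that also refuses to issue a live code unless the payment processor actually captured the charge.

```python
from dataclasses import dataclass, field
import secrets

# Constructed model of a store test-order path, written to illustrate the
# gating flaw in the article. Hypothetical names throughout; not Microsoft code.

@dataclass
class Item:
    sku: str
    kind: str            # "physical" or "digital"
    amount: float = 0.0  # face value for gift cards

@dataclass
class Order:
    account: str
    is_test_account: bool
    payment_captured: bool   # did the processor actually settle the charge?
    items: list = field(default_factory=list)

def issue_live_code() -> str:
    """Stand-in for a real code generator: 25 chars from a 32-symbol alphabet."""
    alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
    return "".join(secrets.choice(alphabet) for _ in range(25))

def fulfil_flawed(order: Order) -> list:
    """Flawed gate: test accounts are blocked only from shipping physical goods.
    Anything not explicitly denied is fulfilled, so a digital item ordered from a
    test account still yields a live code, and payment status is never consulted."""
    events = []
    for item in order.items:
        if order.is_test_account and item.kind == "physical":
            events.append(f"skip-shipment:{item.sku}")
        elif item.kind == "digital":
            events.append(f"live-code:{issue_live_code()}")
        else:
            events.append(f"ship:{item.sku}")
    return events

def fulfil_hardened(order: Order) -> list:
    """Deny by default: nothing of value leaves the system unless the charge was
    captured on a non-test account. Test orders get a non-redeemable sandbox
    marker regardless of item kind, so a new product category cannot reopen the hole."""
    events = []
    for item in order.items:
        if order.is_test_account or not order.payment_captured:
            events.append(f"sandbox:{item.sku}")
            continue
        if item.kind == "digital":
            events.append(f"live-code:{issue_live_code()}")
        else:
            events.append(f"ship:{item.sku}")
    return events

def live_codes(events: list) -> list:
    """Return only the events that handed out a redeemable code."""
    return [e for e in events if e.startswith("live-code:")]

if __name__ == "__main__":
    test_order = Order("retail-qa-01", True, False,
                       [Item("laptop", "physical"), Item("xbox-gc-100", "digital", 100.0)])
    print(fulfil_flawed(test_order))    # one live code leaks
    print(fulfil_hardened(test_order))  # nothing redeemable
```

The hardened path moves the decision from "which product kinds are dangerous" to "was real money captured, on a real account": a property the fulfillment code can verify rather than a list someone has to keep complete.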
Underground business affecting global prices for the gift cards
Kvashuk started small, generating Xbox cards in denominations from $10 to $100. But by the time federal agents arrested him almost two years later, he had stolen more than 152,000 Xbox gift cards, worth $10.1 million, and was living off the proceeds in a lakefront home with plans to buy a ski chalet, a yacht and a seaplane.
In January 2018, Kvashuk built a program, PurchaseFlow.CS, to generate gift cards in bulk. With a few clicks he could select a denomination (30, 75, 100), the currency (USD, EUR, GBP) and the number of purchases to make. Prosecutors later said the program was “created for one purpose, and one purpose only: to automate embezzlement and allow fraud and theft on a massive scale.”
At one point, Kvashuk reached such volumes that prosecutors said it began to influence global price fluctuations for Xbox gift cards on reseller markets. When prices dropped too low because of an oversupply of codes on the market, he would stop in the hope the lack of product would push the market upward.
Kvashuk bought a red Tesla Model S for $162,899 and then a modern house for $1.675 million. He explained the gap between his spending and his salary as gains from investing in cryptocurrencies.
Microsoft knew about the scam but couldn’t figure out the scammer
Kvashuk was careful. He and his colleagues normally rotated among a handful of fake profiles registered in the Microsoft Store. To conceal his identity, Kvashuk obtained his colleagues’ passwords and used their test logins, and he masked his Internet traffic by routing it through servers in Japan and Russia.
But in February 2018, Microsoft’s Fraud Investigation Strike Team noticed an unexplained spike in online purchases using gift card codes that was about double normal redemption levels. Investigators assumed that the hack came from an “external bad actor” but soon realized that it was an inside job.
In March, corporate investigators traced the irregular activity to two internal test accounts assigned to Microsoft sales employees. The accounts, they learned, had already gobbled up almost $8 million in codes that were selling on the reseller markets.
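The detection step described in the two paragraphs above reduces to a baseline comparison on redemption volume, followed by attribution of the excess back to the account that generated the codes. The following is an added example, not Microsoft’s fraud tooling; the ledger lines are constructed, the account names are invented, and the baseline window and the 2x threshold are assumptions chosen to match the “about double normal” figure in the text.

```python
from collections import defaultdict
from statistics import median

# Constructed redemption ledger: one line per day per originating (code-generating)
# account, giving how many of that account's codes were redeemed that day.
# Invented values for illustration, not real telemetry.
LEDGER = """\
2018-01-29,retail-qa-01,480
2018-01-29,retail-qa-02,510
2018-01-30,retail-qa-01,495
2018-01-30,retail-qa-02,505
2018-01-31,retail-qa-01,470
2018-01-31,retail-qa-02,520
2018-02-01,retail-qa-01,490
2018-02-01,retail-qa-02,500
2018-02-02,retail-qa-01,1200
2018-02-02,retail-qa-02,980
2018-02-03,retail-qa-01,1350
2018-02-03,retail-qa-02,1010
"""

def parse_ledger(text: str) -> list:
    """Parse 'date,account,count' lines into (date, account, count) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, account, count = line.split(",")
        rows.append((day, account, int(count)))
    return rows

def daily_totals(rows: list) -> dict:
    """Total redemptions per day across all originating accounts, in date order."""
    totals = defaultdict(int)
    for day, _, count in rows:
        totals[day] += count
    return dict(sorted(totals.items()))

def flag_spikes(totals: dict, baseline_days: int = 4, factor: float = 2.0) -> tuple:
    """Baseline = median of the first `baseline_days` days (assumed quiet);
    flag any later day at or above `factor` times that baseline."""
    days = list(totals)
    baseline = median(totals[d] for d in days[:baseline_days])
    flagged = [d for d in days[baseline_days:] if totals[d] >= factor * baseline]
    return baseline, flagged

def attribute(rows: list, flagged_days: list) -> dict:
    """On flagged days, sum redemptions by originating account, largest first,
    so investigators know which test logins to look at."""
    by_account = defaultdict(int)
    for day, account, count in rows:
        if day in flagged_days:
            by_account[account] += count
    return dict(sorted(by_account.items(), key=lambda kv: -kv[1]))

if __name__ == "__main__":
    rows = parse_ledger(LEDGER)
    totals = daily_totals(rows)
    baseline, flagged = flag_spikes(totals)
    print(f"baseline {baseline}/day, spike days: {flagged}")
    print(attribute(rows, flagged))
```

In practice the baseline would be a rolling window over weeks rather than four fixed days, and the attribution key would be whatever ties a code back to its origin (the generating account, the order ID, the issuing service). The shape is the same: detect on aggregate volume, then pivot to the originator.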
Investigators questioned the employees behind those test accounts, who came across as stunned victims rather than perpetrators. Microsoft determined that Fiddler, a web-debugging proxy whose captured sessions employees attached to bug reports, had recorded tester logins in those captures. Anyone with access to the Fiddler data could have taken over the accounts.
The company soon discovered that one of Kvashuk’s accounts had bought three Nvidia graphics cards that had been shipped to a non-existent address. When asked whether he used the test accounts to generate codes, Kvashuk admitted to redeeming about 600 of them, but only for buying movies from the Microsoft store. Four weeks later, Microsoft fired Kvashuk.
FBI, searches, and jail
For a seemingly sophisticated engineer, Kvashuk made many mistakes. Although he masked his IP address by routing traffic through servers abroad, he used the same Linux machine with the same outdated version of Firefox throughout the theft, so the browser fingerprint stayed constant. In addition, the Microsoft Office license he bought at the start of the scheme was registered to an administrative account for SearchDom, his startup. This circumstantial evidence allowed Microsoft to link him to the crime.
Soon, federal agents, who had conducted their own investigation into Kvashuk after Microsoft referred the case to them, searched his home and found a lot of incriminating evidence, such as crypto wallet keys, notebooks with bank account information, USB drives stuffed with stolen codes, and lots of cash.
The agents also found a list of Kvashuk’s future investments. The list was written in Ukrainian and was titled: “How I will manage my next 10 million.”
In February 2020, federal prosecutors from the Western District of Washington brought Kvashuk to trial for money laundering, identity theft, mail fraud, and filing false tax returns.
Kvashuk’s attorneys argued that their client had no intent to defraud anyone: he generated the gift card codes to help the company, because the more free gifts Xbox gave away, the more popular the platform would become, which would ultimately increase sales.
The jury rejected that defense and found him guilty on all counts. He is likely to be deported to Ukraine after serving his prison term, which runs until March 2027, and he must pay $8.3 million in restitution.