An oversight in accounts used to test Microsoft's payment systems let one engineer swindle his way into over $10 million after selling Xbox Gift Cards for Bitcoin over two years, a new report from Bloomberg revealed this week.
In order to make sure its payment systems work, Microsoft employs engineers to "simulate" purchases on its stores. But soon after joining the company in 2017, Volodymyr Kvashuk discovered that there was a flaw in the accounts used to test purchases. See, these simulated accounts are usually flagged as such by the system, and it won't send you physical goods if you try to buy, say, a new gamepad from its site. But if you tested a purchase of Xbox Gift Cards, you'd still receive a completely valid 25-digit code.
Kvashuk could've easily reported this to his bosses. But with unlimited free codes at his fingertips, he chose a different option instead.
At first, Kvashuk generated himself a handful of codes—a cheeky $5 or $10 here or there. But there was the opportunity to make massive, life-changing sums of money off this exploit. He began cycling through mock profiles belonging to his colleagues to hide his tracks, automating the process with a bespoke piece of software prosecutors would later describe as "created for one purpose, and one purpose only: to automate embezzlement and allow fraud and theft on a massive scale."
After acquiring these codes, Kvashuk would head to crypto marketplaces like Paxful to find prospective sellers. He'd sell them in bulk at a relative discount, which buyers would then go on to sell to folks who wanted to use the codes. Money laundering sites like ChipMixer would let him hide his trail, and the proceeds went towards facilitating an increasingly lavish lifestyle.
As Bloomberg notes, Kvashuk's Microsoft salary was hardly stingy. But it wasn't the kind of money that let you plan for a seaplane, a yacht, and multiple lavish houses in Maui, California and Mercer Island, among other locations.
Microsoft was eventually clued in to Kvashuk's antics after noticing a sharp spike in gift card transactions, with federal agents eventually raiding his home in July 2019. In court, Kvashuk tried to argue that the mass theft was simply an experiment to increase store spending.
Obviously, it didn't fly. Kvashuk was sentenced to 9 years in prison, will likely be deported back to his home country of Ukraine, and will be charged restitution of $8.3 million. I'm afraid there's not a gift card in the world that'll cover that expense.