Microsoft Heist of $10M!

Volodymyr Kvashuk likely isn’t a name you’ve heard before. Had his scheme gone according to plan, it would’ve stayed that way and he could have walked away with over 10 Million Dollars. Stolen from Microsoft. Turns out, things didn’t go so well for Kvashuk. Here’s the story of the Microsoft Heist of $10M! 

Volodymyr Kvashuk received a $15 code a few weeks before Christmas, in 2017, among a batch of 20 others worth $300 altogether. But the engineer, who went by Vova for short and was in his mid-20s, hadn’t paid for the Xbox gift cards himself, nor were they some early holiday present from relatives.

Vova  was originally from Rivne Oblast, in the western part of Ukraine. He’d studied computer science and economics at a top university where his mother and father taught. Apparently he was clever but average student. A report card shows he received a C in finance and a D in risk management.

He like all the normal things in life. Drinking beers while playing Minesweeper and World of Warcraft games, did a little bit of boxing for Fun, and rode a motorcycle.

Kvashuk first arrived in the U.S. from Ukraine in 2015 to attend the wedding of his aunt Alla, who was marrying a dentist from Southern California.

Like so many of us he fell in love with the SoCal lifestyle, the sun sea, surf, good vibes. Also he got himself a girlfriend and a software gig reviewing JavaScript code.

He sounded like he was living the dream eh?

He even had a legit side hustle…

In his spare time, Vova and a fellow Washington-based entrepreneur named Lee Wang started a company, SearchDom.AI, which they pitched as an “automated solution for all your marketing problems.”

The Microsoft Heist of $10M beginnings…

Here’s how it started. So in 2016, Vova started Microsoft as a tester, placing mock online orders to make sure everything was working smoothly.

His team’s focus was to simulate purchases on Microsoft’s online store, looking for glitches in the payments system. This meant making lots of pretend purchases in the store. If Kvashuk added a computer to his shopping cart, he’d use a fake credit card number Microsoft had provided to complete the transaction, and document any errors that may pop up. So that way he could test the whole sales process and the system knew the purchase was fake. So it wouldn’t deliver the device to him. At least that was what was supposed to happen.

Then Kvashuk found a bug that would change his life, a flaw so stupidly obvious that he couldn’t bring himself to report it to his managers. While the software automatically prevented shipment of physical products to testers like Vova. It didn’t block the purchase of virtual gift cards.  

To be clear when he did a “test” shop and used his fake credit card number from Microsoft to buy a gift card. The gift card number that it churned out was a real one that could be used to buy anything from the Microsoft store. So the 26-year-old Kvashuk discovered that he could use his test account to buy real store credit and then use the credit to buy real products.

Free Money

 So it must have dawned on him that he could generate virtually unlimited codes, all for free. However, what he should have done is gone to a supervisor and pointed out the problem. Got this little error sorted out. He could have just left it alone.

While this was not the case. The temptation was too much.

A former senior engineer on Vova’s team, says this was the  equivalent bank leaving its vault unlocked. 

“Sooner or later, someone’s going to try to get away with taking $20,” the ex-Microsoft employee says. “When they don’t get caught, they figure, ‘All I need is six guys to empty out the safe one night when no other employees are around.’ 

So Vova started small he bought a Microsoft Office subscription, but when no one objected to that an some other small purchases…he scaled up. Of course as you scale up you need to keep the heat off your back.

So, he worked from his apartment , masking his internet traffic by routing it through servers in Japan and Russia. 

After placing a  couple test orders, dozens of gift card codes immediately appeared, worth $2,000, then $4,200, and eventually a lot more.

Also Kvashuk and his co-workers usually switched between a couple of these mock profiles and presumably the fake credit card details. When they were working, to conceal his identity, though, Kvashuk figured out his colleagues’ passwords and used their test logins.

Lets not forget….Vova was a techy, and having to make each transaction one by one manually must have got boring. So in January 2018, Kvashuk built a computer program,  called PurchaseFlow.CS, to speed things up. 

Going into Overdrive Microsoft Heist of $10M!

With PurchaseFlow.CS fired up, in just a few clicks h he could select a gift card denomination like  (20, 30, 75, 100), the currency output (U.S. dollars, euros, British pounds), and the desired number of purchases. 

Prosecutors later said the program was:

“created for one purpose, and one purpose only: to automate embezzlement and allow fraud and theft on a massive scale.”

I can hear you asking though. How comes this didn’t get flagged earlier? Well you have to understand the sheer size of the gift card business for Microsoft and how well they work for them as a company.

Here is how big gift cards are for Microsoft. Microsoft briefly considered outsourcing its gift cards to a third-party provider such as Visa Inc., but the business was too lucrative and the company didn’t want to give Visa a cut. Now when Visa asks for a transaction fee cut it’s usually only a few percent. So for a small percentage to be worth so much to a company must been that they are turning over A LOT.

Also the gift cards also served as a low-cost promotional tool: Microsoft occasionally gives them to gamers to generate goodwill and has to count the giveaway as a marketing expense only if the cards are redeemed, which, of course, they often aren’t. 

Also Microsoft incurs fewer transaction fees from gift card redemptions than it does when it processes a credit card sale.

So by the time Vova started his scam, the company’s virtual bank was facilitating hundreds of millions of dollars in transactions. Would anyone notice if some of it went missing? 

With his new programme PurchaseFlow.CS working away Vova was filling up Excel Page after Excel  page of microsoft codes. With that the same Microsoft Office subscription he used at the start! Vova’s Excel sheet full of codes would total 2,344 pages. So now it was time to cash out!

Selling Out

Vova decided to get rid of the gift cards, the place he was going to do it was Paxful.com, a leading marketplace for trading gift cards for cryptocurrency like Bitcoin. While, at the time, Paxful didn’t require verifiable government IDs, allowing users to stay anonymous. For Vova this was perfect.

The platform is popular with bulk buyers and sellers, who barter via chat message. Paxful holds the crypto in escrow until a trade is agreed upon and then the customer gets their order and you get your crypto cash!

Vova crated the user name “Grizzled Wolf” and placed a mouth watering offer in early 2018:

“Xbox gift cards in denominations of $30, $50, and $75, for roughly 55% off….Looking for a trading partner…. “We start trade, I give you code. If I’m online, it’s instant.”

He also offered the same deals in other currencies like Australian dollars and Japanese yen.

So along came a customer by the name of Makoo. Makoo ordered almost 30 grand worth of Xbox cards from Grizzled Wolf. The transaction went smoothly and presumably Makoo went on to sell the codes as singles for a some profit. But Vova aka Grizzled Wolf wanted to go big or go home. He pushed Makoo and other traders for larger transactions.

While in the end Makoo and another Paxful user accounted for about $7 million in transactions of Microsoft gift cards. They were probably backed by someone else who was bankrolling these transactions.

Bloomberg amanged to get in contact with a small timer called Avstebone aka Avi Rachlin, who is now 19 and studying business at Penn State University. He said:

“A ton of my friends on the school bus played Xbox, so I would buy these codes from this dealer on Paxful at a steep discount, and then resell them to my friends, still at a great discount,” explains Avsterbone,

 “If I’m getting 50% off, they’re getting 25% off. Everyone’s winning—except, as we now know, Microsoft.”

Vova was getting bitcoin which I know people generally think is super untraceable. However people transacting with Bitcoin can keep their identities anonymous, but the numbers corresponding to any transaction are tracked on a digital public ledger. Known as the blockchain, creating a record for government authorities. So you can be tracked.

 So Vova needed a way around it. He  attempted to avoid this by funnelling some of his earnings through ChipMixer.com, which U.S. prosecutors defined it as an

“ internet money laundering tool that acts as a “blender” to mix around Bitcoin with different crypto of the same value, “to obscure and conceal the original source” and “obliterate the blockchain trail.” 

However a ChipMixer spokesperson says the system is intended for privacy and that it’s “used by many individuals and some may be bad people.”

Vova then transferred the replacement Bitcoin into his account at Coinbase, which is a well known crypto wallet. He then sold his Bitcoin for money. 

LOTS OF CASH

In March 2018 he deposited $1.4 million from Coinbase into his personal account. Then an additional $935,000 in April.

He told his accountant that the monies were simply a gift from his father. This is where Vova started to flash the cash a little.

He bought a red Tesla Model S for $162,899 and then a modern $1.675 million house to match on Lake Washington with a boat dock IN CASH!

But while all was looking lovely on the outside investigators did pick up signs of stress. Web search histories suggest he was trying to quit alcohol and looking into acquiring a Canadian visa. Business was still humming, but Kvashuk began running into trouble with his supply. 

For some odd reason, certain 5×5 codes were no longer working when buyers tried to redeem them online. 

Remember Avsterbone, the high schooler? His codes stopped working for him and his friends. So he demanded a refund.

Avsterbone also told Vova he’d phoned Microsoft’s customer service number and was warned that the gift cards had been reported stolen. 

Vova aka ’Grizzled Wolf issued refunds, provided new gift cards to other customers, and blamed his “supplier” for any “dead” codes.

After receiving a bunch of invalid codes, Makoo also contacted Microsoft, infuriating Vova who said:

 “Damn, man, you should not send this request to Microsoft. Send them to me,” “If they will start tracking me down, I will just bail.”

However, Microsoft were already on the case. 

Microsoft Heist of $10M! – Microsoft’s Payback.

In February 2018, the company’s Fraud Investigation Strike Team aka FIST noticed an inexplicable spike in online purchases using gift card codes. Probably from the PurchaseFlow.CS programme Vova set up that was creating thousands of codes!

According to an internal report, Microsoft’s fraud team theorised that the hack came from someone outside of the company at first but soon realised it was an inside job.

In March corporate investigators traced irregular activity to two internal test accounts assigned to employees on Microsoft’s store team. The accounts, they learned, had already gobbled up almost $8 million in codes that were selling on Paxful and other sites. They blacklisted the test accounts. But then a third account to begin buying codes a few days later. That account managed to steal $1.6 million more of Xbox gift cards within 26 hours before Microsoft blocked it, too.

The net started to tighten as investigators questioned the employees behind who had access to test accounts. Which was not very successful. 

FIST figuring things out….

FIST worked out that a program called Fiddler, which employees used to file bug reports, contained data divulging tester logins. Anyone with access to Fiddler could’ve hacked the accounts, suggesting that some other employee or contractor might be responsible.

But the FIST armed with FIDDLER info wasn’t enough. They needed to wheel in the big guns. A veteran detective of Scotland Yard’s computer crime unit, Andrew Cookson. Cookson quickly zeroed in on a new suspect: Volodymyr Kvashuk aka VOVA…

Cookson and FIST using FIDDLER found that one of Kvashuk’s official test accounts had bought some Xbox gift cards illegitimately in 2017. 

More suspiciously, Kvashuk was connected to another batch of stolen codes that had been used at Microsoft’s web store to buy three high-end GeForce graphics cards, manufactured by Nvidia Corp. 

The buyer had shipped them to “Grigor Shikor” at unit 309 of the Norman Arms in Seattle. Nobody by that name lived at the Norman Arms, and the highest unit number was 308. Kvashuk had lived in 101. 

Although he thought he hid his usage through international servers, he hadn’t done well enough as they found a trail of breadcrumbs which included an outdated version of Firefox..which lead right back to him.

Discoveries….

Investigators even discovered that the Microsoft Office license he bought at the start of his scam was registered to an administrative account for SearchDom.

On July 16, 2019, his work accounts deactivated and it was time for the federal agents to get involved.

They found after searching his place, a haul of evidence including: 

  • Crypto wallet keys
  • Notebooks with bank account information
  • USB drives crammed with stolen 5×5 codes
  • Wads of cash

They also found Vova’s wish list called  “How I will manage my next 10 million.”

Which included:

  • A $4 million home in Maui
  • A $1 million house in “the mountains near ski lift,”
  • Just“1 yacht.”

In February 2020, federal prosecutors from the Western District of Washington took Kvashuk to trial for money laundering, identity theft, and wire and mail fraud, as well as filing false tax returns. The IRS managed to trace laundered crypto funds. 

But said Kvashuk took “steps to conceal the money trail from his crime. He could have millions hidden somewhere.”

According to prosecutors, Vova’s code making wa so prolific that it got to the point where his money-printing scheme was “singularly responsible for global fluctuations in the price of Xbox gift cards on reseller markets.”

Vova’s Excuse for the Microsoft Heist of $10M! 

Kvashuk’s attorneys argued that their client had no intention of defrauding anyone. He had generated the gift card codes to help the company because the more freebies Xbox gave away, the more popular the platform would be, increasing overall spending. So, his logic went, why not give away tens of thousands of free Xbox gift cards to test if that somehow boosted engagement and sales down the road?

Anyway of course, the judge and jury found his defence ridiculous and declared him guilty on all counts. He’s likely to be deported back to Ukraine after serving time in prison until March 2027 and will have to make restitution of $8.3 million.

(Bloomberg, PC Gamer, American Justice Dept)

For bonus patron only episodes of How To Kill An Hour, ad-free content and more sign up to our Patreon here

Listen to the guys chatting about this by clicking here!

Keep up to date with everything How To Kill An Hour by signing up to our newsletter by clicking here!

Let us know what you think of the show by clicking here!

Click here to subscribe to our YouTube Channel to see more amazing ways to kill time!

Follow us on Twitch by clicking here!