Volodymyr Kvashuk, Microsoft employee, stole over $10 million in Xbox gift cards while working as an engineer responsible for testing the company’s e-commerce infrastructure. He took advantage of a bug in Microsoft’s test store that caused actual gift card codes to be sent to him without having to pay a dime.
Microsoft had a testing system that allowed employees to make simulated purchases using fake credit cards. The system knew it wasn’t delivering any physical items, but a software bug caused it to send digital content without using real money. Kvashuk became aware of the bug, but instead of reporting it, he used it to generate gift card codes worth millions of dollars that he could then sell at a discount online.
People interviewed describe Kvashuk as “cocky”. He hacked into his teammates’ accounts so as not to be a suspect himself, and wrote a program that could automatically steal gift card codes while he was working or enjoying his loot. One of the passwords was ‘VerySecret1’, and another was ‘$tore123’. Considering that these passwords belong to accounts used by Microsoft security specialists, they are not very secure.
Kvashuk was selling the codes for his stolen gift cards on Paxful.com, a site that acts as a marketplace for people who want to exchange gift cards for cryptocurrency. Kvashuk’s buyers ranged from high school students trying to get a discount purchase to potential criminal organizations: A buyer named Makoo told Kvashuk that he had to “contact the boss.”
Kvashuk first noticed the bug sometime in 2017, and Microsoft was tracking it in February 2018. Microsoft’s Fraud Investigation Team, or FIST, noticed a big spike in gift card usage. It turns out that Kvashuk was selling so many codes that he was personally responsible for fluctuations in the market value of second-hand gift card codes.
Kvashuk was laid off in June 2018, and on July 16, 2019, federal agents raided his $1.67 million lakefront home., bought with the money he made from his scheme. He was put on trial for money laundering, identity theft and wire fraud. He was found guilty on all counts and in November 2020 he was sentenced to nine years in prison. Kvashuk says that “he was carried away by the opportunity to become an easy millionaire“.