Xbox Gift Card Fraud: How Did a Microsoft Employee Steal $10 Million, Get Bitcoins in Massive Con Job?

Xbox Gift Card Fraud: How Did a Microsoft Employee Steal $10 Million, Get Bitcoins in Massive Con Job?
A seemingly simple glitch in the system found by a junior engineer at Microsoft leads to two years of siphoning more than $10 million out of the tech giant. How was he able to do what is now called the Xbox Gift Card fraud? Photo : Billy Freeman/Unsplash

A two-year fraud scheme orchestrated by a Microsoft employee resulted in $10.1 million worth of Xbox gift cards stolen from the tech giant. A judge sentenced the swindler to nine years in prison, as reported by Bloomberg in depth.

Xbox Gift Card Fraud

Volodymyr Kvashuk, originally from Rivne Oblast in Ukraine, first arrived in the U.S. in 2015. He was attending the wedding of his aunt Alla who was marrying a dentist from Southern California.

In Ukraine, Kvashuk studied computer science and economics at a top university where his mother and father taught.

One reason Kvashuk's parents wanted him to stay in the U.S. after his aunt Alla's wedding was to seek asylum. He had joined protests in Kyiv in 2014 that culminated in the ousting of Ukraine's Russian-backed president.

His aunt and uncle put him up, he sought asylum, and he got a software gig reviewing JavaScript code. He also met and started dating a fellow Ukrainian expatriate, Diana Leonhard.

That following summer, in August 2016, Kvashuk secured a job as a software engineer at a company contracted with Microsoft to develop its online store. He was also able to set up a company with a fellow Washington-based entrepreneur named Lee Wang. SearchDom.AI was pitched as "our automated solution for all your marketing problems."

According to Bloomberg, it was unclear when exactly Kvashuk stumbled upon the gift card glitch in Microsft's security system, which is now closed for obvious reasons.

Sometime in 2017, Microsoft recruited him for a full-time engineering position with a $116,000 annual salary. His team ran simulated purchases on Microsoft's online store to look for glitches in the payment system. The purchases were acknowledged as fake, so devices like PCs, tablets, and keyboards weren't shipped once a transaction went through.

However, these didn't hold for Xbox gift cards.

The error churned out real 5x5 codes. These codes are a string of 25 letters and numbers e-mailed to the buyer and had the same purpose as those numbers and letters found on other gift cards like Apple or Applebee's.

These 5x5 codes have a dollar amount. So if you bought $20 in Xbox gift cards, you can spend $20 on Microsoft's store. And anyone can trade these 5x5 codes for cryptocurrency like Bitcoin and then turn that Bitcoin into cash.

Trades can be done anonymously. too.

Instead of reporting the glitch, Kvashuk placed test orders for dozens of gift card codes amounting to $2,000 and then $4,200, then, later on, worth a lot more. When he confirmed that the 5x5 codes were legitimate, one of the first things he redeemed with those codes was a $164.99 download of Microsoft Office.

To conceal his identity, he used his co-workers' mock profiles and used their test logins. When working from his apartment, he would mask his internet traffic by routing it through servers in Japan and Russia.

In January of 2018, to automate and speed up his fraud scheme process, he built a computer program called PurchaseFlow.CS. With a few clicks, gift card denominations, currency output, and the desired number of purchases were selected, and then it was off to embezzle from the company.

The Trades and The Good Life

In March 2018, Kvashuk did most of his business on Paxful.com under the name Grizzled Wold. He sold the gift cards for roughly 55 percent off and offered five more currencies for his overseas buyers.

At the time, Paxful didn't require verifiable government IDs allowing anonymity for its users.

The trades were done with cryptocurrency, usually Bitcoin, and for anyone interested in scrambling the blockchain, Kvashuk funneled some of his earnings through ChipMixer.com. The tool mixed Bitcoin around with different crypto of the same value to essentially clear the blockchain trail.

Paxful has since strengthened its compliance standards and improvised its anti-money-laundering technology. A ChipMixer spokesperson says the system is intended for privacy used by many individuals including some bad people.

The scrambled Bitcoin then goes into his account at Coinbase and there he'd sell it for cash.

In March, he deposited $1.4 million from Coinbase into his personal Wells Fargo & Co. checking account. The following month, an additional $935,000 was deposited.

When explaining this to his accountant, he says the Bitcoin earnings were simply a gift from his father.

Kvashuk bought a red Tesla Model S for $162,899 and then a modern $1.67 million house on Lake Washington with its own boat dock, which he bought in cash. He sent a screenshot of the property to his girlfriend Diana with "love you" as his message.

How Was the Xbox Gift Card Fraud Discovered?

The business was still going along just fine until Kvashuk ran into trouble with his supply. Certain 5x5 codes no longer worked when buyers tried to redeem them online, for whatever reason. Buyers would demand refunds, some phoned Microsoft's customer service number and were warned that the gift cards were stolen. His larger clients were also beginning to worry about the invalid codes, contacting Microsoft as well.

Grizzled Wolf was not happy, and called it a "s**t mess," saying if they had problems, send them to him, not to Microsoft. If the company starts tracking him down, he will just bail, per Bloomberg.

Based on his search histories, he was looking into acquiring a Canadian visa.

But since February 2018, Microsoft was already on the hunt. The company's Fraud Investigation Strike Team noticed an inexplicable spike in online purchases using gift card codes which were twice the normal redemption levels.

The fraud team theorized that the hack was from an "external bad actor" but soon realized it was an inside job.

In March 2018, corporate investigators traced irregular activity on two internal test accounts assigned to employees on Microsoft's store team. They blacklisted the accounts that had already wolfed down on almost $8 million in codes that were being sold on Paxful and other sites.

A third account began buying codes a few days later, managing to steal $1.6 million more Xbox gift card codes within 26 hours before Microsoft blocked it as well. The owners of those mock accounts were interviewed and they were all stunned, no frauds were brought in for questioning at that time.

The fraud team turned to Andrew Cookson, who handled forensic investigations into employee malfeasance at Microsoft for almost 15 years. The veteran detective of Scotland Yard's computer crime unit zeroes in on a new suspect: Volodymyr Kvashuk.

This is where Kvashuk's mistakes started to unravel and lead to his being fired four weeks after being questioned.

Read Also: Ethereum Price, Investment Predictions: ETH Value Decreasing, But JPMorgan Experts See $40 Billion Industry Amid Upgrades 

One mistake was Kvashuk's official test accounts showed a history of illegitimately acquiring Xbox gift cards in 2017 and some other stolen codes were connected to an order of three high-end GeForce graphics cards manufactured by Nvidia Corp. that was delivered to a "Grigor Shikor" in Kvashuk's old apartment building. He also used an outdated version of Firefox browser that had metadata that allowed Microsoft to connect him to the crime.

And the Microsoft Office license he first bought at the beginning was registered to an administrative account for his startup, SearchDom.

Kvashuk vaguely admitted to redeeming about 600 of the codes, but only to buy movies to watch with his girlfriend at home. He noted the Nvidia chips he used were for crypto mining, but he stressed that he neither remembered ordering them nor why they were mailed to a "Grigor Shikor." He told Cookson "I'm lost here."

He and Diana still lived lavishly in their new house, taking boat rides and vacations.

Kvashuk was able to secure another job at the digital division of the Sinclair Broadcast Group Inc., where his co-workers recall him being warm, collaborative, with a very chill demeanor like any other tech dude.

No one could have guessed how rich he was, although they had assumed he came from money when he showed up to work in his red Tesla.

Volodymyr Kvashuk Raided Over Microsoft Xbox Gift Card Scam

In July 2019, the federal agents who took over the case after Microsoft referred it to them, raided his lakefront abode, PCGamer said. They discovered a lot of incriminating evidence like crypto wallet keys, notebooks with bank account information, USB drives crammed with stolen 5x5 codes, and a lot of cash, including more than $4,000 in Diana's purse.

In a sheet of graph paper, Kvashuk also wrote his planned future investments in Ukrainian. Titled "How I will manage my next 10 million," the list included a $4 million home in Maui, a $1 million house in the mountains near a ski lift, a yacht, a seaplane, a house in California, and a house on Mercer Island.

Volodymyr Kvashuk Trial

In February 2020, federal prosecutors of the Western District of Washington took to trial for Kvashukthe following charges: money laundering, identity theft, and wire and mail fraud, as well as filing false tax returns.

Microsoft blacklisted many of the stolen gift cards before they were redeemed, and the IRS managed to trace laundered crypto funds but Kvashuk could still have millions hidden somewhere.

Kvashuk's attorney argued that he had no intention of defrauding anyone and he had generated those codes to help the company generate more popularity and in turn create more business. The list for his next $10 million he wrote was a motivational wish list, and it wasn't technically identity theft if the test accounts were fake IDs, to begin with.

He was still guilty on all counts. The judge and jury found his defense ridiculous.

After serving time in prison until March 2027, a total of nine years in jail, he is likely to be deported back to Ukraine and will have to make restitution of $8.3 million.

Related Article: 'Escape From Tarkov' Wipe Patch Guide: Patch Notes and How to Fix Error 106015 After Update

© 2021 iTech Post All rights reserved. Do not reproduce without permission.

More from iTechPost