Ex-Microsoft employee stole $10million in Xbox gift cards for Bitcoin

A former Microsoft employee exploited a bug in the company’s e-commerce system that allowed him to generate $10million worth of Xbox gift cards sold over two years.

As reported in Bloomberg, Volodymyr Kvashuk was hired at Microsoft’s headquarters in Redmond, Washington in 2017 as a junior engineer to test the company’s e-commerce infrastructure.

This involved simulating payments on purchases on Microsoft’s online store with a “faux credit card” that would be flagged in the system to prevent physical goods being sent out.

However, Kvashuk discovered a flaw where if he tested a purchase of Xbox gift cards, the system would generate a valid 25-digit code. Instead of reporting the bug, he decided to exploit it for his own financial gain.

To cover his tracks, he also used mock profiles belonging to his colleagues by guessing their passwords, as well as routing his servers in Japan and Russia to mask his internet traffic.

Microsoft Online Store
Microsoft Online Store. Credit: Microsoft

By January 2018, Kvashuk had built a bespoke computer program that prosecutors described as being “created for one purpose, and one purpose only: to automate embezzlement and allow fraud and theft on a massive scale.”

Kvashuk then sold his illegally acquired codes in bulk at a discount in exchange for Bitcoin before processing them through money laundering sites to hide his trail.

The fraud had begun at a small scale, with Xbox cards generated in increments from $10 to $100. But by the time federal agents had caught up with him two years later, the value of Xbox gift cards he had stolen was worth $10.1million.

The scale of the fraud ultimately led to Kvashuk’s undoing as Microsoft had noticed a spike in online purchases from gift card codes. He was also hardly subtle about his ill-gotten wealth, using the proceeds to buy a seven-figure lakefront home.

When federal agents raided his home in July 2019, they also found a list detailing his future investments, including a $4million home in Maui, a yacht, and a seaplane.

Kvashuk was tried in February 2020 for money laundering, identity theft, wire and mail fraud, as well as filing false tax returns. In November, a judge sentenced him to nine years in prison. He is likely to be deported back to his home country of Ukraine once he has served his sentence and will have to make restitution of $8.3 million.

Elsewhere, head of Xbox Phil Spencer has said that studio acquisitions are a natural and healthy part of the industry.