This article is more than 1 year old
Ex-Microsoft dev used test account to swipe $10m in tech giant's own store credits, live life of luxury, Feds allege
'No safeguards' on QA accounts, and suddenly this guy gets a Tesla and $1.6m home, say prosecutors
A former Microsoft software engineer was arrested on Tuesday and charged with mail fraud for allegedly attempting to steal $10m in digital currency from his former employer, US prosecutors said today.
Volodymyr Kvashuk, 25, a citizen of Ukraine residing in Renton, Washington, initially worked for Microsoft as a contractor and was hired as an employee in August 2016, where he remained employed until he was dismissed in June 2018.
Kvashuk, according to the prosecution's complaint [PDF], filed in a US federal district court in Seattle, was a member of Microsoft's Universal Store Team (UST), tasked with handling the company's e-commerce operations.
The UST "is the main commercial engine of Microsoft with the mission to bring One Universal Store for all commerce at Microsoft," explained Sam Guckenheimer, product owner for Azure DevOps at Microsoft, back in 2017. "The UST encompasses everything Microsoft sells and everything others sell through the company, consumer and commercial, digital and physical, subscription and transaction, via all channels and storefronts."
As described in the complaint, UST members set up dummy customer accounts with the Microsoft online store linked to specially created email addresses and test-in-production credit cards for making store purchases without generating an actual charge. Team members then whitelist their test accounts to bypass Microsoft's security and risk mitigation systems.
But in designing its testing system, Microsoft overlooked a significant attack vector. "The testing program was designed to block the delivery of physical goods," the complaint explains. "Microsoft did not anticipate testers would make test purchases of digital currency ("Currency Stored Value" or "CSV") and thus no safeguards were put in place to prevent the delivery of CSV."
So a tester could make test purchases of Microsoft digital gift cards, obtaining a valid product key that could be redeemed to add value to a digital wallet associated with the purchaser's account. The electronic funds credited could then be used to buy digital or physical Microsoft products from its store.
Kvashuk, it's alleged, bought some Microsoft goods himself and also sold much of the currency – $10m worth, it's claimed – to third-parties, at a discount to its face value.
GiftGhostBot scares up victims' gift-card cash with brute-force attacksREAD MORE
The scheme supposedly began in 2017 and escalated to the point that Kvashuk, on a base salary of $116,000 per year, bought himself a $162,000 Tesla and $1.6m home in Renton, Washington.
Kvashuk, the complaint suggests, was undone by Microsoft's UST Fraud Investigation Strike Team (FIST), which noticed a suspicious increase in the use of CSV to buy subscriptions to Microsoft's Xbox gaming system in February 2018. The investigators traced the digital funds, which had been resold on two different websites, to two whitelisted test accounts.
From there, FIST proceeded to trace the accounts and transactions involved. With the assistance of the US Secret Service and the Internal Revenue Service, investigators concluded that Kvashuk had defrauded Microsoft, despite efforts to conceal his identity with fake accounts and to hide public blockchain transactions using a Bitcoin mixing service.
In addition to service provider records that point to Kvashuk, the complaint notes that Microsoft's online store uses a form of device fingerprinting called a Fuzzy Device ID. Investigators, it's claimed, linked a specific device identifier to accounts associated with Kvashuk.
Authorities have asked that Kvashuk be detained, claiming that he may attempt to flee the country or obstruct justice. If convicted of mail fraud, the former Microsoft software engineer could face as much as 20 years in prison and a $250,000 fine. ®