Game over, man: Microsoft test engineer who laundered stolen Xbox credits into $10m guilty of fraud

Idiot faces up to 20 years in the clink after peddling digital tokens

A former Microsoft software engineer who screwed over his bosses to pocket $10m was found guilty of fraud yesterday.

Volodymyr Kvashuk, 25, was collared in mid-2019 following a probe that began in early 2018 when Microsoft's Fraud Investigation Strike Team (FIST) spotted an unusual spike in Xbox subscriptions bought using the tech giant's in-store credits.

Kvashuk, according to US federal court records, was tasked with testing Microsoft's online shopping system, and abused his developer access to create accounts and assign them store credits. Prosecutors told the Seattle court [PDF] the e-commerce testing environment had safeguards to prevent the purchasing of physical goods but lacked controls on digital stuff, such as in-store credits.


Five years in the clink for super-crook who scammed Google, Facebook out of $120m with fake tech invoices


And so Kvashuk, a Ukranian national living in Renton, Washington, created dummy test accounts, or used accounts created by colleagues, and topped them up with store credits that he then resold on the internet. Gamers would buy the credits with cryptocurrencies, and then use those credits to fund their subscriptions: the surge in credit use tipped off Microsoft's internal gumshoes.

Kvashuk even gave himself about $12,000 of Xbox store credit using his own credentials, which helps explain why he got caught. His seven-month scam enabled him to acquire a $1.6m home and a $160,000 Tesla, among other things.

Court documents stated he tried to conceal evidence of the fraud using a Bitcoin mixing service to obscure the source of the funds that eventually ended up in his bank account. He then filed fake tax returns stating the Bitcoin had been given to him by a relative.

According to Uncle Sam's lawyers, Kvashuk testified at trial that he didn't intend to defraud Microsoft, and that he was working on a special project for the benefit of Redmond bosses.

Assistant United States Attorney Michael Dion told the jury that testimony was "a house of lies on top of a previous house of lies."

The jury appeared to have taken that characterization to heart: it deliberated for just five hours before voting for conviction on 18 felony charges, including multiple counts of wire fraud, money laundering, aggravated identity theft, and filing false tax returns, and single counts of mail fraud, access device fraud, and access to a protect computer for the purpose of fraud.

Kvashuk is due to be sentenced June 1. He faces up to 20 years in prison. ®

Broader topics

Other stories you might like

  • Stolen university credentials up for sale by Russian crooks, FBI warns
    Forget dark-web souks, thousands of these are already being traded on public bazaars

    Russian crooks are selling network credentials and virtual private network access for a "multitude" of US universities and colleges on criminal marketplaces, according to the FBI.

    According to a warning issued on Thursday, these stolen credentials sell for thousands of dollars on both dark web and public internet forums, and could lead to subsequent cyberattacks against individual employees or the schools themselves.

    "The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services," the Feds' alert [PDF] said.

    Continue reading
  • Big Tech loves talking up privacy – while trying to kill privacy legislation
    Study claims Amazon, Apple, Google, Meta, Microsoft work to derail data rules

    Amazon, Apple, Google, Meta, and Microsoft often support privacy in public statements, but behind the scenes they've been working through some common organizations to weaken or kill privacy legislation in US states.

    That's according to a report this week from news non-profit The Markup, which said the corporations hire lobbyists from the same few groups and law firms to defang or drown state privacy bills.

    The report examined 31 states when state legislatures were considering privacy legislation and identified 445 lobbyists and lobbying firms working on behalf of Amazon, Apple, Google, Meta, and Microsoft, along with industry groups like TechNet and the State Privacy and Security Coalition.

    Continue reading
  • SEC probes Musk for not properly disclosing Twitter stake
    Meanwhile, social network's board rejects resignation of one its directors

    America's financial watchdog is investigating whether Elon Musk adequately disclosed his purchase of Twitter shares last month, just as his bid to take over the social media company hangs in the balance. 

    A letter [PDF] from the SEC addressed to the tech billionaire said he "[did] not appear" to have filed the proper form detailing his 9.2 percent stake in Twitter "required 10 days from the date of acquisition," and asked him to provide more information. Musk's shares made him one of Twitter's largest shareholders. The letter is dated April 4, and was shared this week by the regulator.

    Musk quickly moved to try and buy the whole company outright in a deal initially worth over $44 billion. Musk sold a chunk of his shares in Tesla worth $8.4 billion and bagged another $7.14 billion from investors to help finance the $21 billion he promised to put forward for the deal. The remaining $25.5 billion bill was secured via debt financing by Morgan Stanley, Bank of America, Barclays, and others. But the takeover is not going smoothly.

    Continue reading

Biting the hand that feeds IT © 1998–2022