From White Hat to Black Hat: How a Former Microsoft Employee Stole $10 Million from the Xbox Store

A former Microsoft employee turned black-hat found a $10 million glitch that changed his life, forever.

2954

Volodymyr Kvashuk, 26, a former software engineer at Microsoft was hired in 2016 to test the company’s e-commerce structure. Commonly known as a “white hat hacker” position, Kvashuk was required to make purchases using fake accounts to identify any and all bugs and glitches in the company’s online payment system.

However, what he didn’t expect was to find a $10 million way out of his job and to live out his life as he saw it. According to a report by Bloomberg, Kvashuk discovered a technological glitch during his employment at Microsoft that would allow him to generate a redeemable 25-digit code every time he performed a fake transaction for a Microsoft gift card. Ultimately, this vulnerability allowed him to generate an endless amount of codes that he could use on Microsoft’s digital storefront to purchase an endless number of digital items (or if we’re being blunt, any online video game) from the Xbox store.

Seven Months of Livin’ Large

But where Kvashuk went dark, and I mean dark, was his failure to report this vulnerability to his manager or higher-ups, quietly reaping the benefits of the glitch, exploiting his new ability to sell newly generated codes to third-party websites at a discounted rate. As he was transferring that money to his bank accounts, he used a bitcoin mixing service, which would conceal the paper trail of how he initially came across those funds.

Seven months later, he was rolling in the deep, taking his $2.8 million in bitcoin, and transferring it into his bank and investment accounts. If that wasn’t enough, he then proceeded to file fake tax returns, claiming the bitcoin he was receiving was a “gift” from a relative.

If there’s one thing we know, is never screw with the IRS; they will always find you.

An $8.3 Million Verdict

Of course, Microsoft eventually found out what their former software engineer was up to, firing Kvashuk in 2018. In February 2020, he was convicted of 18 federal felonies, facing deportation back to Ukraine, and will have to pay $8.3 million in damages.

He was charges with five counts of wire fraud, six counts of money laundering, two counts of aggravated identity theft, two counts of filing false tax returns, and one count each of mail fraud, access device fraud, and access to a protected computer – a crime under 18 USC 1030 of the U.S. Criminal Code.

“Stealing from your employer is bad enough, but stealing and making it appear that your colleagues are to blame widens the damage beyond dollars and cents,” said U.S. Attorney Moran.  “This case required sophisticated, technological skills to investigate and prosecute, and I am pleased that our law enforcement partners and the U.S. Attorney’s Office have the skill sets needed to bring such offenders to justice.”

According to the Department of Justice, Kvashuk used the proceeds to purchase a $1.6 million dollar lakefront home and a $160,000 Tesla vehicle. However, he didn’t start off large, initially stealing smaller amounts around $12,000 in value with his own online account access (before using other employee’s accounts). As his thievery began to escalate, so did the value of money he took, eventually using test email accounts associated with other emails in attempts to conceal his own tracks.

“Kvashuk used the proceeds to live the life of a millionaire, driving a $160,000 car and living in a $1.6 million waterfront home.  Kvashuk’s scheme involved lies and deception at every step.  He put his colleagues in the line of fire by using their test accounts to steal CSV.  Rather than taking responsibility, he testified and told a series of outrageous lies.  There is no sign that Kvashuk feels any remorse or regret for his crimes,” prosecutors wrote to the Court.

Kvashuk is currently in prison and is expected to be released in March 2027. The case was investigated by the Internal Revenue Service Criminal Investigation, Western Cyber Crimes Unit and the U.S. Secret Service.

In a statement, Internal Revenue Service Criminal Investigation Special Agent in Charge Ryan Korner notes that the case was the first of its kind to involve federal tax charges related to bitcoin transactions.

“The Volodymyr Kvashuk trial marked a big win for IRS Criminal Investigation and the federal cybercrimes team. Kvashuk’s criminal acts of stealing from Microsoft, and subsequent filing false tax returns, is the nation’s first bitcoin case that has a tax component to it,” Korner says.

This case adds to the growing number of “insider” cases where security breaches come within the company itself, due to someone who has access, but exceeds the scope of that access; or someone who doesn’t have access and attempts to take advantage of their position in hopes of gaining access. As of May 2020, the insider threat cases now account for about 30% of breaches and security incidents that organizations and security teams must address, according to the 2020 Verizon Data Breach Investigations Report.

“Kvashuk could have been useful to Microsoft, but instead, received the harsh punishment for keeping the company in the dark,” said Brandon Deboer, computer programmer and CEO of At A Glance Media. “With what he discovered, Microsoft could have lowered the prices of its services to make more sales, as the lower the price, the more consumers that would be willing to make a purchase.”

Deboer, a computer engineer and developer whose passion for cybersecurity and computer systems came at an early age, believes that Kvashuk’s talents could have been used differently, rather than keeping him in prison. “He was effective at discovering these types of glitches; why not help the company discover more glitches in the future, but under a closer watch?”

The 2020 Verizon Data Breach Investigations Report released in May notes that insider threat cases now account for about 30% of breaches and security incidents that organizations and their security teams must confront.

LEAVE A REPLY

Please enter your comment!
Please enter your name here