The Xbox gift card came with a string of 25 letters and numbers. The digits, known as a 5x5 code, were sent in an email, but they were no different from the numbers and letters etched onto the gift cards hanging off tall racks near the checkout aisle at CVS or Target, arrayed in a Rubik’s Cube of colors. These stores sell them on behalf of Apple, Applebee’s, Disney, Domino’s, and pretty much every other company you can think of, including Microsoft Corp., which markets its cards under the Xbox brand. The cards themselves, of course, are worthless, but each 5x5 code corresponds to a dollar amount. In this case the code, DD9J9-MXXXC-3Y6XD-3QH2C-PWDWZ, was worth $15 toward the purchase of anything that Microsoft sold online—video games, Office and Windows software, Lenovo laptops, Sonos speakers, and the like.
In this way, gift cards can be thought of as a sort of digital currency, not unlike Bitcoin. The comparison may seem silly, given that gift cards date to the bygone era of Blockbuster Video, but today there are online marketplaces where anyone can trade gift card codes for Bitcoin and then turn the spoils into cash. These markets inevitably attract speculators and, because trades can be conducted anonymously, scammers.
Volodymyr Kvashuk received the $15 code a few weeks before Christmas, in 2017, among a batch of 20 others worth $300 altogether. But the engineer, who went by Vova for short and was in his mid-20s, hadn’t paid for the Xbox gift cards himself, nor were they some early holiday present from relatives. Kvashuk had recently begun a full-time job at Microsoft’s headquarters in Redmond, Wash., testing the company’s e-commerce infrastructure.
His team’s focus was to simulate purchases on Microsoft’s online store, looking for glitches in the payments system. This meant making lots of pretend purchases in the store. If Kvashuk added a Dell PC to his shopping cart, he’d use a faux credit card Microsoft had provided, complete the transaction, and document any errors. The system knew the purchase was fake and wouldn’t deliver the device to his doorstep. At least that was what was supposed to happen.
Then Kvashuk found a bug that would change his life, a flaw so stupidly obvious that he couldn’t bring himself to report it to his managers. He noticed that whenever he tested purchases of gift cards, the Microsoft Store dispensed real 5x5 codes. It dawned on him: He could generate virtually unlimited codes, all for free. A former senior engineer on Kvashuk’s team—who, like other sources in this story, spoke on the condition of anonymity to avoid being publicly associated with the wrongdoing that followed—says this was the Halo-age equivalent of a frontier bank leaving its vault unlocked. “Sooner or later, someone’s going to try to get away with taking $20,” the ex-Microsoft employee says. “When they don’t get caught, they figure, ‘All I need is six guys to empty out the safe one night when no other employees are around.’ ”
Kvashuk started small, generating Xbox cards in increments from $10 to $100. But his haul quickly escalated. By the time federal agents caught up with him almost two years later, he had stolen more than 152,000 Xbox gift cards, worth $10.1 million, and was living off the proceeds in a seven-figure lakefront home with plans to buy a ski chalet, yacht, and seaplane. This past November, a judge sentenced him to nine years in prison.
The scale of Kvashuk’s scheme, reported here in depth for the first time based on a review of thousands of pages of court documents and interviews with current and former Microsoft employees, investigators involved with the case, and Kvashuk’s family and friends, reveals a playbook that included computer hacking, Bitcoin rackets, and gift card arbitrage. At one point, Kvashuk, who didn’t respond to repeated requests for comment, was flipping so many 5x5 codes that prosecutors said he was singularly responsible for global fluctuations in the price of Xbox gift cards on reseller markets. When prices dropped too low, he’d withhold his supply in the hope the drought would push the market upward. “This was an old-school crime with a high-tech MO,” says Michael Dion, the lead attorney in the government’s criminal case against Kvashuk.
At a moment of scrutiny for digital currencies, the fraud and ensuing investigation show how apparently meaningless jumbles such as DD9J9-MXXXC-3Y6XD-3QH2C-PWDWZ can hold real value—and also how prone they are to manipulation. As Kvashuk himself claimed to investigators, he couldn’t have done anything illegal because the digital currency he siphoned from Microsoft didn’t count as “real money.”
Kvashuk first arrived in the U.S. from Ukraine in 2015 to attend the wedding of his aunt Alla, who was marrying a dentist from Southern California. The U.S. side of his new extended family was charmed by his sturdy good looks and flawless English and how readily he took to SoCal life. The groom’s mother, Carole Lynn, recalls Kvashuk savoring the sun in Newport Beach and experiencing “the joy of trying surfing and putting on a wetsuit. It was like, ‘This is the American dream.’ ”
He was originally from Rivne Oblast, in the western part of the country. He’d studied computer science and economics at a top university where his mother and father taught. Friends remember him as a clever but average student. (A report card shows he received a C in finance and a D in risk management.) He loved drinking beers while playing Minesweeper and World of Warcraft games, boxed for fun, and rode a motorcycle. His Facebook photo featured him on his Yamaha, a Barbie doll strapped to the backseat, her arms outstretched to the sky.
In 2014, Kvashuk had joined the protests in Kyiv that culminated in the ousting of Ukraine’s Russian-backed president—one reason his family wanted him to stay in the U.S. after Alla’s wedding. His aunt and uncle put him up, he met with an immigration attorney to seek asylum, and he landed a software gig reviewing JavaScript code. He also started dating another Ukrainian expatriate, Diana Leonhard, who was prone to posting radiant selfies on Instagram with captions gushing about her sun-kissed life in the #USA.
Former college classmate Ivan Zvaryka, who kept in touch with Kvashuk over Skype, says culture shock was inevitable. “Coming from a post-Soviet country to a modern one like the U.S. or Canada might make you feel like you’re in a movie or computer game,” he says. “Losing connection with reality that much is really strange.” By the following summer, in August 2016, Kvashuk got a job as a software engineer at a company contracted with Microsoft to develop its online store. He moved to a 500-square-foot one-bedroom at the Norman Arms, an aging apartment complex in Seattle not far from the University of Washington. His rent was $1,300—or $150 more than his dad’s monthly salary lecturing in Ukraine.
In his spare time, Kvashuk and a fellow Washington-based entrepreneur named Lee Wang started a company, SearchDom.AI, which they pitched as “our automated solution for all your marketing problems.” In comical ads uploaded to YouTube, the duo loudly banged on a cowbell and drum set and yelled “SEARCHDOM!” (Reached by phone, Wang says he doesn’t remember anything about Kvashuk and hangs up.)
At Microsoft, Kvashuk struck the former senior engineer as cocky for such a low-level contractor. He seemed to revel in a competitive environment where his co-workers were vying to invent “the next big thing,” as Kvashuk phrased it later in court testimony. “I would need to use every neuron of my brain to be able to create something outstanding and be able to compete with all of those geniuses,” he testified. “It’s like in movie Matrix, you know, you get to select blue pill or red pill.”
It’s unclear exactly when Kvashuk stumbled on the gift card glitch in Microsoft’s security system (which the company says has since been closed). But at some point in 2017, around the time Microsoft recruited him for a full-time, $116,000-a-year engineering position, he gleaned that his team’s experimental accounts were programmed only to prevent the e-commerce site from shipping fake purchases of physical goods: PCs, tablets, keyboards, and so on. Microsoft simply didn’t intend for its digital-retail testers to order Xbox gift cards on the job. Kvashuk could have reported the vulnerability to his bosses, but he took the red pill instead.
Kvashuk and his co-workers usually switched between a couple of mock profiles they registered under aliases with the Microsoft store team, often with perfunctory usernames and security credentials because the accounts were fake and seemingly useless outside Redmond. To conceal his identity, though, Kvashuk figured out his colleagues’ passwords and used their test logins. (“VerySecret1” was one not very secret password.) He worked from his Seattle apartment that fall, masking his internet traffic by routing it through servers in Japan and Russia. After he placed test orders, dozens of gift card codes immediately appeared, worth $2,000, then $4,200, and eventually a lot more. One of his first redemptions, likely to confirm that the pilfered gift cards actually held value and that his scam would actually work, was for a $164.99 download of Microsoft Office.
In January 2018, Kvashuk built a computer program, PurchaseFlow.CS, to speed things up. With a few clicks in the app, he could select a gift card denomination (30, 75, 100), the currency output (U.S. dollars, euros, British pounds), and the desired number of purchases. Prosecutors later said the program was “created for one purpose, and one purpose only: to automate embezzlement and allow fraud and theft on a massive scale.”
Gift cards have been around since at least the 1990s, serving as last-minute stocking stuffers and a sort of compromise gesture that gives the recipient some flexibility and somehow feels more thoughtful than straight cash. In many ways, though, they’re worse than cash, slowly losing their value over time. Merchants sometimes charge service fees on cards or simply require that they be used before an expiration date, after which the money evaporates. Because a significant percentage of customers also forget about their cards, billions of dollars of neglected gift balances languish unclaimed every year. This is why companies love them: Unredeemed cards are pure profit.
Gift cards, like Microsoft’s digital currency, can reduce price transparency, too. In the mid-2000s, the company’s original Xbox gift card system was denominated in virtual points rather than dollars, making their actual value bewildering. Walt Mossberg, then the Wall Street Journal’s tech columnist, wrote in a 2006 review that the “deceptive” system required 79 Xbox Live Points to buy a song for Microsoft’s Zune media player, even though those 79 points cost 99¢, a point-to-penny ratio that fluctuated depending on where and how many you prepurchased.
A former top Microsoft e-commerce manager familiar with the system says this opacity was intentional. “The marketing requirement was: Don’t make the points equal to currency. If it’s a penny a point, it’s too easy for customers to just do the math in their head,” this manager says. The idea seems to have been that if consumers couldn’t quite grok what points were worth, they were more likely to spend them like play money. To further boost spending, the company initially offered points only in bulk “lots” of at least $5, meaning you couldn’t download a song without having a bunch of points left over. The pricing system left Microsoft open to shrewd traders who started reselling Xbox points, which was one reason, according to a former product leader, that the company switched in 2013 to gift cards based on what they termed “currency stored value,” or CSV: a $20 Xbox gift card is now worth $20.
The Xbox currency was hugely successful. According to two sources familiar with the matter, Microsoft briefly considered outsourcing its gift cards to a third-party provider such as Visa Inc., but the business was too lucrative and the company didn’t want to give Visa a cut. The gift cards also served as a low-cost promotional tool: Microsoft occasionally gives them to gamers to generate goodwill and has to count the giveaway as a marketing expense only if the cards are redeemed, which, of course, they often aren’t. Most significantly, the former e-commerce manager notes, Microsoft incurs fewer transaction fees from gift card redemptions than it does when it processes a credit card.
By the time Kvashuk started his scam, the company’s virtual bank was facilitating hundreds of millions of dollars in transactions. Would anyone notice if some of it went missing? Rows and rows of 5x5 codes were filling up Excel spreadsheets thanks to his embezzlement app. (That $164.99 Office download proved worthwhile; a printed-out version of his Excel sheet full of codes would total 2,344 pages.) Kvashuk was finally ready to make a huge withdrawal.
Full article
www.bloomberg.com

Robbing the Xbox Vault: Inside a $10 Million Gift Card Fraud
A junior Microsoft engineer figured out a nearly perfect Bitcoin generation scheme in the ultimate virtual currency cheat.
