A former Microsoft software engineer was arrested on Tuesday and charged with mail fraud for allegedly trying to steal $10m in digital currency from his former employer, US prosecutors said today.
Volodymyr Kvashuk, 25, a citizen of Ukraine residing in Renton, Washington, initially worked for Microsoft as a contractor and was hired as an employee in August 2016, where he remained employed until he was dismissed in June 2018.
Kvashuk, according to the prosecution’s complaint [PDF], filed in a US federal district court in Seattle, was a member of Microsoft’s Universal Store Team (UST), tasked with handling the company’s e-commerce operations.
The UST “is the main commercial engine of Microsoft with the mission to bring One Universal Store for all commerce at Microsoft,” explained Sam Guckenheimer, product owner for Azure DevOps at Microsoft, back in 2017. “The UST encompasses everything Microsoft sells and everything others sell through the company, consumer and commercial, digital and physical, subscription and transaction, via all channels and storefronts.”
As described in the complaint, UST members set up dummy customer accounts with the Microsoft online store linked to specially created email addresses and test-in-production credit cards for making store purchases without generating an actual charge. Team members then whitelist their test accounts to bypass Microsoft’s security and risk mitigation systems.
But in designing its testing system, Microsoft overlooked a significant attack vector. “The testing program was designed to block the delivery of physical goods,” the complaint explains. “Microsoft did not anticipate testers would make test purchases of digital currency (“Currency Stored Value” or “CSV”) and thus no safeguards were put in place to prevent the delivery of CSV.”
So a tester could make test purchases of Microsoft digital gift cards, obtaining a valid product key that could be redeemed to add value to a digital wallet associated with the purchaser’s account. The digital funds credited could then be used to buy digital or physical Microsoft products from its store.
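The design gap the complaint describes, as an added example that is not Microsoft's code or part of the original article: a fulfilment gate that blocks only the product classes someone anticipated, beside one that denies delivery to test accounts by default. The product classes, `Order` fields, function names and sample orders are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed product classes. The complaint names only physical goods and
# digital currency ("Currency Stored Value", CSV); LICENSE is an assumption.
PHYSICAL, CSV, LICENSE = "physical", "csv", "software_license"
# Allowlist of classes that may be delivered to a test account (assumed empty).
SAFE_FOR_TEST_FULFILMENT = frozenset()


@dataclass(frozen=True)
class Order:
    order_id: str
    account: str
    product_class: str
    test_account: bool  # allowlisted test account paying with a test card


def denylist_gate(order: Order) -> bool:
    """Weak gate: a test order is fulfilled unless its class is explicitly blocked."""
    blocked_for_tests = {PHYSICAL}  # the only case the designers anticipated
    return not (order.test_account and order.product_class in blocked_for_tests)


def default_deny_gate(order: Order) -> bool:
    """Hardened gate: a test order is fulfilled only for explicitly safe classes."""
    if order.test_account:
        return order.product_class in SAFE_FOR_TEST_FULFILMENT
    return True  # paying customers are unaffected


def leaked_value(orders, gate):
    """Ids of unpaid test orders that the given gate would still deliver."""
    return [o.order_id for o in orders if o.test_account and gate(o)]


# Constructed sample orders (not data from the case).
ORDERS = [
    Order("T-1", "test01@example.test", PHYSICAL, True),
    Order("T-2", "test01@example.test", CSV, True),
    Order("T-3", "test02@example.test", LICENSE, True),
    Order("C-1", "customer@example.com", CSV, False),
]

if __name__ == "__main__":
    print("denylist gate delivers:", leaked_value(ORDERS, denylist_gate))
    print("default-deny gate delivers:", leaked_value(ORDERS, default_deny_gate))
```

The denylist gate stops the physical order but delivers the gift-card key and the licence, because any class nobody listed is delivered by default.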
Kvashuk, it’s alleged, bought some Microsoft goods himself and also sold much of the currency, $10m worth, it’s claimed, to third parties, at a discount to its face value.
The scheme supposedly began in 2017 and escalated to the point that Kvashuk, on a base salary of $116,000 per year, bought himself a $162,000 Tesla and $1.6m home in Renton, Washington.
Kvashuk, the complaint suggests, was undone by Microsoft’s UST Fraud Investigation Strike Team (FIST), which noticed a suspicious increase in the use of CSV to buy subscriptions to Microsoft’s Xbox gaming system in February 2018. The investigators traced the digital funds, which had been resold on two different websites, to two whitelisted test accounts.
From there, FIST proceeded to trace the accounts and transactions involved. With the assistance of the US Secret Service and the Internal Revenue Service, investigators concluded that Kvashuk had defrauded Microsoft, despite efforts to conceal his identity with fake accounts and to hide public blockchain transactions using a Bitcoin mixing service.
In addition to service provider records that point to Kvashuk, the complaint notes that Microsoft’s online store uses a form of device fingerprinting called a Fuzzy Device ID. Investigators, it’s claimed, linked a specific device identifier to accounts associated with Kvashuk.
Authorities have requested that Kvashuk be detained, claiming that he might attempt to flee the country or obstruct justice. If convicted of mail fraud, the former Microsoft software engineer could face as much as 20 years in prison and a $250,000 fine.