An Engineer Gets 9 Years for Stealing $10M From Microsoft

The defendant tried—and failed—to use bitcoin to cover his tracks.
two men working outside of a Microsoft store with caution tape surrounding the perimeter
Photograph: KENA BETANCUR/Getty Images

A former Microsoft software engineer from Ukraine has been sentenced to nine years in prison for stealing more than $10 million in store credit from Microsoft's online store. From 2016 to 2018, Volodymyr Kvashuk worked for Microsoft as a tester, placing mock online orders to make sure everything was working smoothly.

The software automatically prevented shipment of physical products to testers like Kvashuk. But in a crucial oversight, it didn't block the purchase of virtual gift cards. So the 26-year-old Kvashuk discovered that he could use his test account to buy real store credit and then use the credit to buy real products.

At first, Kvashuk bought an Office subscription and a couple of graphics cards. But when no one objected to those small purchases, he grew much bolder. In late 2017 and early 2018, he stole millions of dollars worth of Microsoft store credit and resold it online for bitcoin, which he then cashed out using Coinbase.

US prosecutors say he netted at least $2.8 million, which he used to buy a $160,000 Tesla and a $1.6 million waterfront home (his proceeds were less than the value of the stolen credit because he had to sell at a steep discount).

Kvashuk made little effort to cover his tracks for his earliest purchases. But as his thefts got bigger, he took more precautions. He used test accounts that had been created by colleagues for later thefts. This was easy to do because the testers kept track of test account credentials in a shared online document. He used throwaway email addresses and began using a virtual private networking service.

Before cashing out the bitcoins, he sent them to a mixing service in an attempt to hide their origins. Kvashuk reported the bitcoin windfall to the IRS but claimed the bitcoins had been a gift from his father.

But the government's complaint included quite a bit of evidence linking Kvashuk to the crime.

He sometimes used the same VPN connection—and hence the same IP address—to access different accounts, allowing investigators to draw connections between his known accounts and those used for later thefts. Device fingerprinting techniques also provided circumstantial evidence linking Kvashuk to the larger heists.

The feds also argued that the timing of Kvashuk's sudden bitcoin wealth was suspicious. "The value of the bitcoin deposits to Kvashuk's Coinbase account generally correlated with the value of the purchased and redeemed [Microsoft credit]," the government argued.

A jury found the government's arguments convincing and convicted Kvashuk on several counts in February.

"Stealing from your employer is bad enough, but stealing and making it appear that your colleagues are to blame widens the damage beyond dollars and cents," US attorney Brian Moran said in a press release. Kvashuk was convicted of "five counts of wire fraud, six counts of money laundering, two counts of aggravated identity theft, two counts of filing false tax returns, and one count each of mail fraud, access device fraud, and access to a protected computer in furtherance of fraud," the government wrote.

Kvashuk has been ordered to pay $8.3 million in restitution, though it seems unlikely he'll ever be able to do that. The government says he may be deported after serving his time in prison.

This story originally appeared on Ars Technica.


More Great WIRED Stories