Report Reveals How $10 Million Was Stolen From Microsoft Via Xbox Gift Cards

This is perhaps one of the strangest stories we've ever written, but it's an incredible narrative about how someone pulled off a digital heist against Microsoft. It's an elaborate story about one man, the 25-digit codes redeemed on the Microsoft Store, and how he managed to steal millions from the company with them.

The report comes from Bloomberg and tells the story of Volodymyr Kvashuk, an employee at Microsoft who worked to test the company’s e-commerce infrastructure. The job involved him making purchases using faux accounts to test the online payment systems for glitches and bugs. During his time in the role he was said to have noticed a glitch that was so glaringly obvious, he kept it from his superiors.

The bug in question saw him receiving usable 25-digit codes every time he did a fake transaction for Microsoft Store cards, which are commonly used on the Xbox store. Having tested thousands of these transactions, Kvashuk was able to rake in millions' worth of the digital currency and didn't tell a soul.

"Kvashuk found a bug that would change his life, a flaw so stupidly obvious that he couldn’t bring himself to report it to his managers. He noticed that whenever he tested purchases of gift cards, the Microsoft Store dispensed real 5x5 codes. It dawned on him: He could generate virtually unlimited codes, all for free."

With this in mind, he took to a site known for selling digital codes, where he would sell these codes at a discounted rate of up to 55% off. With the huge increase in cheap codes flooding the market, he would often find that their value decreased, so he would artificially drive up demand by withholding the codes. It wasn't until certain codes began to fail and customers took to Microsoft support that Kvashuk's luck started to change. But even without that, Microsoft was already out there looking for him.

"Microsoft was already on the hunt. In February 2018, the company’s Fraud Investigation Strike Team noticed an inexplicable spike in online purchases using gift card codes that was about double normal redemption levels. Microsoft’s fraud team theorized that the hack came from an 'external bad actor,' according to an internal report, but soon realized it was an inside job."

Eventually, Kvashuk was found and fired, leaving him to live with his wife in the house he had paid for using the money he stole. Unfortunately for him, federal agents were also investigating the matter after Microsoft referred the case to them. He was later sentenced to 9 years in prison and most likely faces deportation back to Ukraine once he is released.

The lesson here is that if you find a loophole, don't exploit it. It's not worth it, and Kvashuk learned that the hard way. Despite getting away with it for years, in the end it has cost him a lot. Still, it's fascinating to see how far one man got through such a simple, crafty loophole. The full report is an extremely interesting read, so be sure to check it out.

What do you think of Volodymyr Kvashuk's exploits? Drop us a comment and let us know.

[source bloomberg.com]