For over two years, a former Microsoft employee embezzled 10 million US dollars (equivalent to about 8.4 million euros). At the end of 2020, he was sentenced to prison – but how he did it could have been a script from a crime show.
Where did the money come from? The former Microsoft employee Volodymyr K. enriched himself according to a ruling of the US court in Washington for two years through a loophole in the Xbox payment system – specifically, with gift cards for the Xbox (via justice.gov).
Gift cards are small cards with a 25-digit code that can be redeemed for corresponding credit in the Microsoft Store. The cards are almost everywhere available in retail stores, such as supermarkets or gas stations.
The employee’s job was actually to simulate digital payments and identify errors. However, a glitch occurred that generated real codes for the gift cards. Instead of reporting the error, K. exploited it for himself. As a result, he was able to generate virtually unlimited codes – free for him, but redeemable by anyone.
Initially, K. is said to have generated smaller amounts between 10 and 100 US dollars, later then in larger quantities.
Servers overseas, custom software, and Bitcoin
This is how well organized he was: The US site Bloomberg revisits the case originally concluded in 2020 and provides insight into the background of the fraud (via Bloomberg.com). The employee apparently planned a (nearly) perfect crime:
- K. obtained login credentials from his colleagues to work with multiple accounts
- he routed his traffic through servers in Russia and Japan to avoid detection
- he automated the “test purchases” with a self-written program
- thus he could conveniently select the quantity of gift cards and the desired currency via app
- he resold the gift cards, sometimes for just 55% of the actual price
- he expanded his offerings with more and more currencies
- finally, he even exchanged the codes for cryptocurrency – a deal involving 300 codes was said to be completed for 1.98 Bitcoins (equivalent to 14,546 euros at that time).
It continued like this for quite some time. With the money, he bought himself a house on Lake Washington with a dock for around 1.4 million euros and a new Tesla Model S for then 137,440 euros.
What happened to him now? Over time, Microsoft caught onto him and began invalidating the stolen codes – which in turn brought K. complaints from his customers.
He is also said to have used the same Linux computer with an outdated version of Firefox as well as a version of MS Office registered to his startup company. Furthermore, he allegedly had graphics cards purchased with stolen codes delivered to an old address. With these metadata, he was said to have been caught.
Microsoft’s own fraud investigation team (“Fraud Investigation Strike Team,” or FIST) gradually uncovered the scheme. The team received assistance from specialists from Scotland Yard.
K.’s account was ultimately identified as the source of the purchases, and shortly thereafter he was arrested. In February 2020, a jury found him guilty in a US court and sentenced him to a prison term of 9 years, along with a restitution payment of approximately 7 million euros (via justice.gov).
During his trial, K. reportedly defended himself by saying that it was not “real money” – which did not resonate with the jury. After his prison sentence, he also faces deportation and expulsion to his home country, Ukraine. K. is not the first online fraudster to end up in jail. However, a case from China is even more bizarre:
Cheat providers bought a fleet of sports cars with the money, and must now go to jail
