ROBBING THE XBOX VAULT: INSIDE A $10 MILLION GIFT CARD CHEAT

The Xbox gift card came with a string of 25 letters and numbers. The digits, known as a 5x5 code, were sent in an email, but they were no different from the numbers and letters etched onto the gift cards hanging off tall racks near the checkout aisle at CVS or Target, arrayed in a Rubik’s Cube of colors. These stores sell them on behalf of Apple, Applebee’s, Disney, Domino’s, and pretty much every other company you can think of, including Microsoft Corp., which markets its cards under the Xbox brand. The cards themselves, of course, are worthless, but each 5x5 code corresponds to a dollar amount. In this case the code, DD9J9-MXXXC-3Y6XD-3QH2C-PWDWZ, was worth $15 toward the purchase of anything that Microsoft sold online—video games, Office and Windows software, Lenovo laptops, Sonos speakers, and the like.

In this way, gift cards can be thought of as a sort of digital currency, not unlike Bitcoin. The comparison may seem silly, given that gift cards date to the bygone era of Blockbuster Video, but today there are online marketplaces where anyone can trade gift card codes for Bitcoin and then turn the spoils into cash. These markets inevitably attract speculators and, because trades can be conducted anonymously, scammers.

Volodymyr Kvashuk received the $15 code a few weeks before Christmas, in 2017, among a batch of 20 others worth $300 altogether. But the engineer, who went by Vova for short and was in his mid-20s, hadn’t paid for the Xbox gift cards himself, nor were they some early holiday present from relatives. Kvashuk had recently begun a full-time job at Microsoft’s headquarters in Redmond, Wash., testing the company’s e-commerce infrastructure.

His team’s focus was to simulate purchases on Microsoft’s online store, looking for glitches in the payments system. This meant making lots of pretend purchases in the store. If Kvashuk added a Dell PC to his shopping cart, he’d use a faux credit card Microsoft had provided, complete the transaction, and document any errors. The system knew the purchase was fake and wouldn’t deliver the device to his doorstep. At least that was what was supposed to happen.

Then Kvashuk found a bug that would change his life, a flaw so stupidly obvious that he couldn’t bring himself to report it to his managers. He noticed that whenever he tested purchases of gift cards, the Microsoft Store dispensed real 5x5 codes. It dawned on him: He could generate virtually unlimited codes, all for free. A former senior engineer on Kvashuk’s team—who, like other sources in this story, spoke on the condition of anonymity to avoid being publicly associated with the wrongdoing that followed—says this was the Halo-age equivalent of a frontier bank leaving its vault unlocked. “Sooner or later, someone’s going to try to get away with taking $20,” the ex-Microsoft employee says. “When they don’t get caught, they figure, ‘All I need is six guys to empty out the safe one night when no other employees are around.’ ”

Kvashuk started small, generating Xbox cards in increments from $10 to $100. But his haul quickly escalated. By the time federal agents caught up with him almost two years later, he had stolen more than 152,000 Xbox gift cards, worth $10.1 million, and was living off the proceeds in a seven-figure lakefront home with plans to buy a ski chalet, yacht, and seaplane. This past November, a judge sentenced him to nine years in prison.

The scale of Kvashuk’s scheme, reported here in depth for the first time based on a review of thousands of pages of court documents and interviews with current and former Microsoft employees, investigators involved with the case, and Kvashuk’s family and friends, reveal a playbook that included computer hacking, Bitcoin rackets, and gift card arbitrage. At one point, Kvashuk, who didn’t respond to repeated requests for comment, was flipping so many 5x5 codes that prosecutors said he was singularly responsible for global fluctuations in the price of Xbox gift cards on reseller markets. When prices dropped too low, he’d withhold his supply in the hope the drought would push the market upward. “This was an old-school crime with a high-tech MO,” says Michael Dion, the lead attorney in the government’s criminal case against Kvashuk.

At a moment of scrutiny for digital currencies, the fraud and ensuing investigation show how apparently meaningless jumbles such as DD9J9-MXXXC-3Y6XD-3QH2C-PWDWZ can hold real value—and also how prone they are to manipulation. As Kvashuk himself claimed to investigators, he couldn’t have done anything illegal because the digital currency he siphoned from Microsoft didn’t count as “real money.”

Kvashuk first arrived in the U.S. from Ukraine in 2015 to attend the wedding of his aunt Alla, who was marrying a dentist from Southern California. The U.S. side of his new extended family was charmed by his sturdy good looks and flawless English and how readily he took to SoCal life. The groom’s mother, Carole Lynn, recalls Kvashuk savoring the sun in Newport Beach and experiencing “the joy of trying surfing and putting on a wetsuit. It was like, ‘This is the American dream.’ ”

He was originally from Rivne Oblast, in the western part of the country. He’d studied computer science and economics at a top university where his mother and father taught. Friends remember him as a clever but average student. (A report card shows he received a C in finance and a D in risk management.) He loved drinking beers while playing Minesweeper and World of Warcraft games, boxed for fun, and rode a motorcycle. His Facebook photo featured him on his Yamaha, a Barbie doll strapped to the backseat, her arms outstretched to the sky.

In 2014, Kvashuk had joined the protests in Kyiv that culminated in the ousting of Ukraine’s Russian-backed president—one reason his family wanted him to stay in the U.S. after Alla’s wedding. His aunt and uncle put him up, he met with an immigration attorney to seek asylum, and he landed a software gig reviewing JavaScript code. He also started dating another Ukrainian expatriate, Diana Leonhard, who was prone to posting radiant selfies on Instagram with captions gushing about her sun-kissed life in the #USA.

Former college classmate Ivan Zvaryka, who kept in touch with Kvashuk over Skype, says culture shock was inevitable. “Coming from a post-Soviet country to a modern one like the U.S. or Canada might make you feel like you’re in a movie or computer game,” he says. “Losing connection with reality that much is really strange.” By the following summer, in August 2016, Kvashuk got a job as a software engineer at a company contracted with Microsoft to develop its online store. He moved to a 500-square-foot one-bedroom at the Norman Arms, an aging apartment complex in Seattle not far from the University of Washington. His rent was $1,300—or $150 more than his dad’s monthly salary lecturing in Ukraine.

In his spare time, Kvashuk and a fellow Washington-based entrepreneur named Lee Wang started a company, SearchDom.AI, which they pitched as “our automated solution for all your marketing problems.” In comical ads uploaded to YouTube, the duo loudly banged on a cowbell and drum set and yelled “SEARCHDOM!” (Reached by phone, Wang says he doesn’t remember anything about Kvashuk and hangs up.)

At Microsoft, Kvashuk struck the former senior engineer as cocky for such a low-level contractor. He seemed to revel in a competitive environment where his co-workers were vying to invent “the next big thing,” as Kvashuk phrased it later in court testimony. “I would need to use every neuron of my brain to be able to create something outstanding and be able to compete with all of those geniuses,” he testified. “It’s like in movie Matrix, you know, you get to select blue pill or red pill.”

It’s unclear exactly when Kvashuk stumbled on the gift card glitch in Microsoft’s security system (which the company says has since been closed). But at some point in 2017, around the time Microsoft recruited him for a full-time, $116,000-a-year engineering position, he gleaned that his team’s experimental accounts were programmed only to prevent the e-commerce site from shipping fake purchases of physical goods: PCs, tablets, keyboards, and so on. Microsoft simply didn’t intend for its digital-retail testers to order Xbox gift cards on the job. Kvashuk could have reported the vulnerability to his bosses, but he took the red pill instead.

Kvashuk and his co-workers usually switched between a couple of mock profiles they registered under aliases with the Microsoft store team, often with perfunctory usernames and security credentials because the accounts were fake and seemingly useless outside Redmond. To conceal his identity, though, Kvashuk figured out his colleagues’ passwords and used their test logins. (“VerySecret1” was one not very secret password.) He worked from his Seattle apartment that fall, masking his internet traffic by routing it through servers in Japan and Russia. After placing test orders, dozens of gift card codes immediately appeared, worth $2,000, then $4,200, and eventually a lot more. One of his first redemptions, likely to confirm that the pilfered gift cards actually held value and that his scam would actually work, was for a $164.99 download of Microsoft Office.

In January 2018, Kvashuk built a computer program, PurchaseFlow.CS, to speed things up. With a few clicks in the app, he could select a gift card denomination (30, 75, 100), the currency output (U.S. dollars, euros, British pounds), and the desired number of purchases. Prosecutors later said the program was “created for one purpose, and one purpose only: to automate embezzlement and allow fraud and theft on a massive scale.”

Gift cards have been around since at least the 1990s, serving as last-minute stocking stuffers and a sort of compromise gesture that gives the recipient some flexibility and somehow feels more thoughtful than straight cash. In many ways, though, they’re worse than cash, slowly losing their value over time. Merchants sometimes charge service fees on cards or simply require that they be used before an expiration date, after which the money evaporates. Because a significant percentage of customers also forget about their cards, billions of dollars of neglected gift balances languish unclaimed every year. This is why companies love them: Unredeemed cards are pure profit.

Gift cards, like Microsoft’s digital currency, can reduce price transparency, too. In the mid-2000s, the company’s original Xbox gift card system was denominated in virtual points rather than dollars, making their actual value bewildering. Walt Mossberg, then the Wall Street Journal’s tech columnist, wrote in a 2006 review that the “deceptive” system required 79 Xbox Live Points to buy a song for Microsoft’s Zune media player, even though those 79 points cost 99¢, a point-to-penny ratio that fluctuated depending on where and how many you prepurchased.

A former top Microsoft e-commerce manager familiar with the system says this opacity was intentional. “The marketing requirement was: Don’t make the points equal to currency. If it’s a penny a point, it’s too easy for customers to just do the math in their head,” this manager says. The idea seems to have been that if consumers couldn’t quite grok what points were worth, they were more likely to spend it like play money. To further boost spending, the company initially offered points only in bulk “lots” of at least $5, meaning you couldn’t download a song without having a bunch of points left over. The pricing system left Microsoft open to shrewd traders who started reselling Xbox points, which was one reason, according to a former product leader, that the company switched in 2013 to gift cards based on what they termed “currency stored value,” or CSV: a $20 Xbox gift card is now worth $20.

The Xbox currency was hugely successful. According to two sources familiar with the matter, Microsoft briefly considered outsourcing its gift cards to a third-party provider such as Visa Inc., but the business was too lucrative and the company didn’t want to give Visa a cut. The gift cards also served as a low-cost promotional tool: Microsoft occasionally gives them to gamers to generate goodwill and has to count the giveaway as a marketing expense only if the cards are redeemed, which, of course, they often aren’t. Most significantly, the former e-commerce manager notes, Microsoft incurs fewer transactions fees from gift card redemptions than it does when it processes a credit card.

By the time Kvashuk started his scam, the company’s virtual bank was facilitating hundreds of millions of dollars in transactions. Would anyone notice if some of it went missing? Rows and rows of 5x5 codes were filling up Excel spreadsheets thanks to his embezzlement app. (That $164.99 Office download proved worthwhile; a printed-out version of his Excel sheet full of codes would total 2,344 pages.) Kvashuk was finally ready to make a huge withdrawal.

The seller’s March 2018 listing was tantalizing: Xbox gift cards in denominations of $30, $50, and $75, for roughly 55% off. For overseas buyers the seller offered five more currencies, including Japanese yen and Australian dollars. “Looking for a trading partner,” the listing read, promising a response in 15 minutes or less. “We start trade, I give you code. If I’m online, it’s instant.”

Kvashuk was operating under the handle Grizzled Wolf on Paxful.com, a leading marketplace for trading gift cards for cryptocurrency, usually Bitcoin. The platform is popular with bulk buyers and sellers, who barter via chat message. Paxful holds the crypto in escrow until a trade is agreed upon. “Need EUR75,” wrote Makoo, a well-capitalized trader who claimed to be based in China and whose profile photo was of a smiling girl making the peace sign. Makoo ordered 300 Xbox cards from Grizzled Wolf, worth $27,848. At the time, Paxful didn’t require verifiable government IDs, allowing users to stay anonymous. Makoo couldn’t be reached for comment.

“Ok,” Grizzled Wolf replied four seconds later. He charged Makoo 1.98 Bitcoins, then worth $17,240. Next he copied and pasted reams of the stolen 5x5 codes into their chat, which, presumably, Makoo sold to other willing buyers at a markup.

Even after this substantial transaction, Kvashuk was eager to sell more. “We can increase volume,” he told Makoo. Bigger trades followed, with other aggressive traders, and many more Bitcoin payments poured into Kvashuk’s crypto wallets. Makoo and another Paxful user accounted for about $7 million in transactions of Microsoft gift cards.

It seems probable that this financing was part of some criminal operation—“Wait a moment, I contact the boss,” Makoo said at one point—but at least some of Kvashuk’s buyers were merely trying to get a deal on video game currency. When I contact a trader by the handle Avsterbone, who unwittingly purchased a few of Kvashuk’s stolen Xbox codes, it turns out he was a high school student at the time, not a MacBook mafioso. “A ton of my friends on the school bus played Xbox, so I would buy these codes from this dealer on Paxful at a steep discount, and then resell them to my friends, still at a great discount,” explains Avsterbone, aka Avi Rachlin, who is now 19 and studying business at Penn State University. “If I’m getting 50% off, they’re getting 25% off. Everyone’s winning—except, as we now know, Microsoft.” A Paxful spokesperson says Kvashuk was a “bad actor” and that the company cooperated with prosecutors. Paxful has since strengthened its compliance standards and improved its anti-money-laundering technology.

People transacting with Bitcoin can keep their identities anonymous, but the numbers corresponding to any transaction are tracked on a digital public ledger, known as the blockchain, creating a record for government authorities. Kvashuk attempted to avoid this by funneling some of his earnings through ChipMixer.com, which U.S. prosecutors later defined as an internet money laundering tool that acts as a “blender” to mix around Bitcoin with different crypto of the same value, “to obscure and conceal the original source” and “obliterate the blockchain trail.” (A ChipMixer spokesperson says the system is intended for privacy and that it’s “used by many individuals and some may be bad people.”) He then transferred the replacement Bitcoin into his account at Coinbase, the popular crypto trading app, where he sold it for cash. That March he deposited $1.4 million from Coinbase into his personal Wells Fargo & Co. checking account. Then an additional $935,000 in April. He told his accountant that the Bitcoin earnings were simply a gift from his father.

In between his day job at Microsoft and moonlighting as a thief, Kvashuk spent time lusting over the “House Styles That Americans Love” section of BobVila.com, according to internet traffic obtained by prosecutors. He bought a red Tesla Model S for $162,899 and then a modern $1.675 million house to match on Lake Washington with a boat dock. An agent involved in the latter transaction says Kvashuk said he made lots of money trading Bitcoin and that he only wanted to buy a waterfront home—in cash. (“I was like, ‘How old are you?!’ ” the agent recalls.) “Love you,” he emailed, along with a screenshot of the property deed, to Diana, who would soon be snapping her sunny Instagram selfies on the deck by the fire pit.

There were indications Kvashuk was stressed. Web search histories suggest he was trying to quit alcohol and looking into acquiring a Canadian visa. Business was still humming, but Kvashuk began running into trouble with his supply. For some odd reason, certain 5x5 codes were no longer working when buyers tried to redeem them online. Avsterbone, the high schooler, demanded a refund and cut off contact; he told Grizzled Wolf he’d phoned Microsoft’s customer service number and was warned that the gift cards had been reported stolen. Grizzled Wolf issued refunds, provided new gift cards to other customers, and blamed his “supplier” for any “dead” codes.

But the “shit mess,” as Kvashuk phrased it, wouldn’t go away. At certain points it freaked out Makoo, his largest client. After receiving a bunch of invalid codes, Makoo also contacted Microsoft, infuriating Grizzled Wolf. “Damn, man, you should not send this request to Microsoft. Send them to me,” Kvashuk wrote back, swearing. “If they will start tracking me down, I will just bail.”

As a matter of fact, Microsoft was already on the hunt. In February 2018, the company’s Fraud Investigation Strike Team (yes, FIST) noticed an inexplicable spike in online purchases using gift card codes that was about double normal redemption levels. Microsoft’s fraud team theorized that the hack came from an “external bad actor,” according to an internal report, but soon realized it was an inside job.

In March corporate investigators traced irregular activity to two internal test accounts assigned to employees on Microsoft’s store team. The accounts, they learned, had already gobbled up almost $8 million in codes that were selling on Paxful and other sites. They blacklisted the test accounts, only for a third account to begin buying codes a few days later. That account (password: $tore123) managed to steal $1.6 million more of Xbox gift cards within 26 hours before Microsoft blocked it, too.

Investigators questioned the employees behind those test accounts, who seemed like stunned victims, not perps, according to an April 17 report. Microsoft determined that a testing program called Fiddler, which employees used to file bug reports, contained data divulging tester logins. Anyone with Fiddler access could’ve hacked the accounts, suggesting that some other employee or contractor might be responsible. The FIST team turned to Andrew Cookson, who had handled forensic investigations into employee malfeasance at Microsoft for almost 15 years. A veteran detective of Scotland Yard’s computer crime unit, Cookson quickly zeroed in on a new suspect: Volodymyr Kvashuk.

After combing through CSV data, Microsoft found that one of Kvashuk’s official test accounts had bought some Xbox gift cards illegitimately in 2017. More suspiciously, Kvashuk was connected to another batch of stolen codes that had been used at Microsoft’s web store to buy three high-end GeForce graphics cards, manufactured by Nvidia Corp. The buyer had shipped them to “Grigor Shikor” at unit 309 of the Norman Arms in Seattle. Nobody by that name lived at the Norman Arms, and the highest unit number was 308. Kvashuk had lived in 101.

At 2:03 p.m. on May 18, Kvashuk found himself sitting across from Cookson as he clicked on his audio recorder in a conference room at Microsoft’s Redmond campus. “Obviously, what we’re trying to get to the bottom of is all of these other codes that you tell us that you’re not responsible for,” the detective said, according to a transcript of the meeting. When asked whether he used the test accounts to generate codes, Kvashuk vaguely admitted to redeeming about 600 of them, but only for buying movies to watch with his girlfriend at home. He and Diana kept a list of codes pinned next to the black Xbox console by their television and would cross them out as they downloaded films, he said. As for the Nvidia chips, he acknowledged that he used graphics cards for crypto mining but stressed that he neither remembered ordering them nor could account for why they were mailed to a “Grigor Shikor” at his previous residential address. “I’m lost here,” Kvashuk told Cookson.

Four weeks later, Microsoft fired Kvashuk. For a seemingly sophisticated engineer, he’d made a lot of newbie mistakes. Although he cloaked his internet usage through international servers, for example, he absentmindedly used the same Linux-based computer, with the same outdated version of the Firefox browser, to commit the theft, metadata that allowed Microsoft to connect him to the crime. Investigators even discovered that the Microsoft Office license he bought at the start of his scam was registered to an administrative account for SearchDom, his startup.

He and Diana continued living lavishly in their new house. They took boat rides around Mercer Island and went on vacations to Hawaii. A December 2018 Instagram photo shows Kvashuk holding a cocktail at Cliff Dive Bar near Maui, not long after landing another job at the digital division of the Sinclair Broadcast Group Inc., based near the Seattle Space Needle. A Sinclair co-worker at the time remembers Kvashuk as “warm” and “collaborative,” with a “very chill demeanor,” who seemed like any other tech dude. He never let on that he was rich; colleagues just assumed he came from money after he showed up to work in his red Tesla. On July 16, 2019, a friend Slacked him to get coffee, but his account was deactivated. Texts went unreturned. They never heard from him again.

That day, federal agents, who had conducted their own investigation into Kvashuk after Microsoft referred the case to them, raided his lakefront pad. Kvashuk sat on the couch, his legs crossed, as they searched the place, discovering a trove of incriminating evidence, such as crypto wallet keys, notebooks with bank account information, USB drives crammed with stolen 5x5 codes, and loads of cash, including more than $4,000 in Diana’s purse. (Reached on Instagram, Diana declined to answer questions for this article. Kvashuk “is the most kindness [sic] guy that I ever have known and always tried to help people,” she said.) The federal agents also found a list of Kvashuk’s future investments, written in Ukrainian on graph paper. The list revealed he was planning to buy, among other extravagances, a $4 million home in Maui, a $1 million house in “the mountains near ski lift,” as well as “1 yacht.”

The title of the list: “How I will manage my next 10 million.”

In February 2020, federal prosecutors from the Western District of Washington took Kvashuk to trial for money laundering, identity theft, and wire and mail fraud, as well as filing false tax returns. Finding thumb drives full of 5x5 codes at Kvashuk’s home was “the equivalent in a bank robbery case of finding bags of stolen cash in the defendant’s bedroom,” said Dion, the lead prosecutor. Microsoft had blacklisted many of the stolen gift cards before they were redeemed, rendering them worthless to resellers, and the IRS managed to trace laundered crypto funds. Still, the government noted in a court filing, Kvashuk took “steps to conceal the money trail from his crime. He could have millions hidden somewhere.”

Kvashuk’s attorneys argued that their client had no intention of defrauding anyone. He had generated the gift card codes to help the company because the more freebies Xbox gave away, the more popular the platform would be, increasing overall spending. So, his logic went, why not give away tens of thousands of free Xbox gift cards to test if that somehow boosted engagement and sales down the road?

It was all part of his “next big project,” inspired by the world-changing inventors he revered such as Henry Ford and Thomas Edison, Kvashuk testified. The handwritten note detailing how he’d spend his next $10 million was simply a motivational wish list. And pirating his co-workers’ passwords? Technically not identity theft, he said, because the test accounts were fake IDs.

The judge and jury found his defense ridiculous and declared him guilty on all counts. He’s likely to be deported back to Ukraine after serving time in prison until March 2027 and will have to make restitution of $8.3 million.

One of Kvashuk’s more inventive claims was that the gift cards weren’t “real” money and cost Microsoft nothing because they “didn’t generate any real transactions against the bank.” The argument didn’t fly in court, where Dion stressed that Kvashuk’s big house wasn’t purchased with “Monopoly money.” Microsoft, after all, was footing the bill.

It’s a crucial point. In an era when Xbox codes and Bitcoin feel like pretend virtual cash, Dion says some people buy and trade it like they’re “playing characters in Grand Theft Auto,” the hit video game. Kvashuk, he says, “just got carried away by his chance to become an instant millionaire.”

First published by Austin Carr on Bloomberg.com

//longform.flounder.online

/gemlog/