A former Microsoft software engineer was arrested Tuesday and charged with mail fraud for allegedly stealing $10m in digital currency from his former employer, US prosecutors said today.
Volodymyr Kvashuk, a citizen of Ukraine residing in Renton, Washington, initially worked for Microsoft as a contractor and was hired as an employee in August 2016. He remained employed there until he was dismissed in June 2018.
Kvashuk, according to the prosecution's complaint [PDF] filed in the US federal district court in Seattle, was a member of Microsoft's Universal Store Team (UST), responsible for managing the company's e-commerce operations.
"The UST is the main commercial engine of Microsoft with the mission of bringing One Universal Store for all businesses at Microsoft," explained Sam Guckenheimer, owner of the Azure DevOps product at Microsoft, in 2017. "The UST covers everything Microsoft sells and everything that others sell through the com
As described in the complaint, UST members set up fictitious customer accounts with the Microsoft online store, linked to specially created email addresses and test credit cards, so they can make store purchases in production without generating a real charge. Team members then whitelist their test accounts so that they avoid Microsoft's security and risk mitigation systems.
'No safeguards'
But when designing its test system, Microsoft overlooked an important attack vector. "The test program was designed to block the delivery of physical goods," the complaint explains. "Microsoft did not anticipate that the testers would make digital currency test purchases ('Currency storage value' or 'CSV') and, therefore, no preventive measures were implemented to avoid the delivery of CSV."
Therefore, a tester could make test purchases of Microsoft digital gift cards, obtaining a valid product key that could be redeemed to add value to a digital wallet associated with the buyer's account. The electronic funds credited could then be used to buy digital or physical Microsoft products in its store.
Kvashuk allegedly purchased some Microsoft products himself and also sold much of the currency (worth $10 million, it is claimed) to third parties, at a discount on face value.
The scheme allegedly started in 2017 and escalated to the point that Kvashuk, on a base salary of $116,000 per year, purchased a $162,000 Tesla and a $1.6m home in Renton, Washington.
Kvashuk, the complaint suggests, was undone by Microsoft's UST Fraud Investigation Strike Team (FIST), which observed a suspicious increase in the use of CSV to purchase subscriptions to Microsoft's Xbox game system in February 2018. Investigators tracked the digital funds, which had been resold on two different websites, to two whitelisted test accounts.
From there, FIST proceeded to trace the accounts and transactions involved. With the help of the US Secret Service and the Internal Revenue Service, investigators concluded that Kvashuk had defrauded Microsoft, despite efforts to conceal his identity with false accounts and to hide transactions from the public blockchain using a Bitcoin mixing service.
Alongside provider records pointing to Kvashuk, the complaint states that the Microsoft online store uses a form of device fingerprinting called a fuzzy device ID. It is claimed that the investigators linked a specific device identifier to the accounts associated with Kvashuk.
The authorities requested that Kvashuk be arrested, claiming that he could try to flee the country or obstruct justice. If convicted of mail fraud, the former Microsoft software engineer could face up to 20 years in prison and a $250,000 fine.