
Ex-Microsoft dev used test account to swipe $10M in store credits - prostoalex
https://www.theregister.co.uk/2019/07/17/exmicrosoft_engineer_arrested_fraud/
======
drawkbox
_Kvashuk, the complaint suggests, was undone by Microsoft's UST Fraud
Investigation Strike Team (FIST), which noticed a suspicious increase in the
use of CSV to buy subscriptions to Microsoft's Xbox gaming system in February
2018. The investigators traced the digital funds, which had been resold on two
different websites, to two whitelisted test accounts._

_From there, FIST proceeded to trace the accounts and transactions involved.
With the assistance of the US Secret Service and the Internal Revenue Service,
investigators concluded that Kvashuk had defrauded Microsoft, despite efforts
to conceal his identity with fake accounts and to hide public blockchain
transactions using a Bitcoin mixing service._

_In addition to service provider records that point to Kvashuk, the complaint
notes that Microsoft's online store uses a form of device fingerprinting
called a Fuzzy Device ID. Investigators, it's claimed, linked a specific
device identifier to accounts associated with Kvashuk._

Pretty involved dissection, went all the way down to digital fingerprinting to
catch it.

The thief was smart about hiding it, but not smart enough; he had to know
that after $10m they would catch on. Reminds me of the McDonald's Monopoly game,
where the extended family of one of the people who worked at the printing
place kept winning, which was improbable; it then expanded further, with everyone
giving them a cut of the winnings, up to $24m [1].

> _Jerome Jacobson and his network of mobsters, psychics, strip-club owners,
> and drug traffickers won almost every prize for 12 years, until the FBI
> launched Operation ‘Final Answer.’_

Take $10m or $24m from a large corporation, someone is going to notice.

[1] [https://www.thedailybeast.com/how-an-ex-cop-rigged-mcdonalds...](https://www.thedailybeast.com/how-an-ex-cop-rigged-mcdonalds-monopoly-game-and-stole-millions)

~~~
sametmax
There are two technically interesting takeaways in this:

1 - Microsoft, and probably most big companies, have persistent tracking IDs on
most things that are hard to get rid of and can be used to identify you and
devices linked to you in a fuzzy way. I mean, we know about supercookies,
fingerprinting and such, but it's another thing to hear of it being used to track
somebody who was careful and using multiple anonymous accounts.

2 - BTC mixers will not protect you. Correlating one single wallet with you
will make it possible for them to retrace the entire history.

~~~
buildzr
> BTC mixers will not protect you. Correlating one single wallet with you will
> make it possible to them retrace the entire history.

It's also possible they both knew the address which was paid out to buy the
stolen merchandise and they saw he had withdrawals from a bitcoin exchange in
bank records. Given these two facts, it's pretty easy to draw a line between
them even when mixers are used. But if you don't already know who to suspect
this is much harder to do.

~~~
pbhjpbhj
Hmm, that's not enough evidence to connect him -- he could be withdrawing
Bitcoin to cash for something entirely unrelated. Him cashing in Bitcoin is
circumstantial.

"I bought some bitcoin for cash a decade ago" explains cashing Bitcoin, so
what have you got left as evidence?

~~~
Tuna-Fish
Sorry, just scratching a pet peeve:

> Him cashing in Bitcoin is circumstantial.

Other than confessions, most convictions happen mostly on the basis of
circumstantial evidence. TV and movies have taught people that circumstantial
evidence is "weak" and insufficient to get a conviction. This is simply not
true. A sufficient amount of circumstantial evidence will put you in jail. The
job of the prosecutor is not to meet some specific pre-defined standard, it's
to convince the jury.

And if the prosecutor has just spent the last hour talking to the jury about
how they could track that x amount of stolen credits were sold for x bitcoin
on date y, and this bitcoin was then fed to a mixer, and that on that same
day or soon after you converted 0.95x BTC to $, and you could not positively
prove where that money came from, if your strategy was just:

> "I bought some bitcoin for cash a decade ago"

Good luck with that.

~~~
koheripbal
Not only that - circumstantial evidence is enough for a search warrant, and a
search warrant almost ALWAYS reveals additional evidence.

The point is that once the cops know who you are, you're fucked. Even if they
are using classified methods to ID you, they'll then find something
circumstantial to get warrants until they find you.

The only way to get away is to completely avoid detection in the first place.

------
astura
I think this is an example of "pigs get fat, hogs get slaughtered."

Edit: if someone looks at a jail sentence and a $250,000 fine and decides
stealing millions is still "worth it" even if you are caught, it's actually
not. Judges order restitution to the defrauded, even if you can't
realistically pay it. That means your assets will be seized (bye bye Tesla and
house) and you'll never be able to build wealth ever again because any of your
future wages will be garnished, forever, because you'll never be able to pay
back that debt, which will be the amount you stole plus interest plus legal
fees.

~~~
ev0lv
He will likely just go to Ukraine after he gets released.

------
martin_
> If convicted of mail fraud, the former Microsoft software engineer could
> face as much as 20 years in prison and a $250,000 fine.

It doesn't mention returning what he took... So he steals over 10m and buys a
1.6m house and can only be fined up to $250k? With 20 years in prison, and
let's say out in 10 years of good behavior wouldn't that raise his annual
income (which is taxed) from $116,000 to north of $1m?

~~~
ovi256
If they can find it, the government will seize it, don't worry. They even
double dip: they seize both the stolen goods and the money paid for them,
using the forfeiture doctrine unique to the US. Then, the payer has to prove
he was buying in good faith (which will be a steep hill to climb, given the
usual conspiracy between buyer and seller of stolen goods) in a separate
lawsuit against the government if he wants the money back.

~~~
candiodari
The worst of it is that money forfeited is NOT returned to the person it was
stolen from. This is one of those things that is so obvious everyone thinks
that this is what happens but in fact does not happen in many cases. The
police may themselves sell the recovered stolen goods instead of returning
them. You don't have any recourse.

So the only thing you can achieve by reporting a theft is that someone gets
subjected to the US justice system (assuming they do anything at all). It is
highly unlikely you get anything back. So you shouldn't do it to recover your
goods.

Furthermore, reporting anything to the police has extra consequences:

1) they will investigate, and may find something wrong with you

2) they may report it to other government organizations which may use it in
ways you did not anticipate and really don't want (e.g. child services: your
house was broken into and is "not livable")

3) just the association, or that the neighborhood sees police officers near/in
your house will spread and may have consequences.

There's nothing to gain from using the justice system and everything to lose.

~~~
wongarsu
That sounds incredibly broken and seems to remove all incentives from
reporting theft.

Given that a working justice system is what separates capitalism from anarchy,
how is this allowed to happen in America?

~~~
Aeolun
I don’t know if you’ve recently taken a look at what else is allowed to happen
in America, but I think this is perfectly in line with the other insanity.

It’s interesting, since in daily life it seems almost normal.

------
mevile
I'm glad he was caught. Kudos to Microsoft's security team for their help
catching him. If he was arrested in July 2019 after being dismissed in 2018
after the investigation began, I wonder why he didn't run then?

~~~
londons_explore
Perhaps he was dismissed for some other unrelated reason?

Or perhaps he was very confident in hiding the fact he was behind the scam?
I.e. he might have just claimed someone else must have guessed his test account
credentials because the password was "1234".

------
anonymous5133
I've read the indictment and here are my comments on it:

1. Stop using Google and related services. They log all your data forever
(keyword searches). The FBI/governments are now going to Google to get this
data to use for investigation purposes. This is probably the same for any
major internet company that records data (they all do). The only exception is
for companies that pride themselves in having a "no logging" policy...maybe
like DuckDuckGo.

2. Your computer can be tracked by its device characteristics. This is almost
the same as your IP address or physical address to a certain extent. This was
a significant part of the prosecution's evidence. You can use a USB bootable
device like Tails to potentially mitigate this risk.

3. The guy filed tax returns for something like 50-150k/year in taxable
income. In certain years he had deposits into his bank account totaling $2.8
million.....I mean come on now...how do you think that's not going to raise a
red flag...at least for the IRS?

4. BTC mixing services will not necessarily guarantee your privacy,
especially if you are using KYC exchanges. Even if you are not doing anything
illegal with your BTC...you'll still have to be able to explain where the
money came from. This guy was going to use the excuse that his father gave him
the BTC for free....and paid for all the BTC with cash.

5. If you're doing anything shady, for the love of god don't use a bank. Also
if you are doing anything shady, don't use a KYC exchange. You're probably
just better off staying entirely in crypto or selling the crypto for physical
cash and just staying in cash.

My overall impression is for the amount this guy stole, he planned it out very
sloppily and made very little effort to EFFECTIVELY conceal his activity.

~~~
smogcutter
At this point, basically your plan needs to end with "and then move to a non-
extradition country" or you're fucked, sooner or later.

------
chiefalchemist
> "In addition to service provider records that point to Kvashuk, the
> complaint notes that Microsoft's online store uses a form of device
> fingerprinting called a Fuzzy Device ID. Investigators, it's claimed, linked
> a specific device identifier to accounts associated with Kvashuk."

1) I guess he wasn't aware of this ID'ing. That's odd.

2) Fake accounts aside, I'd presume he used a VPN as well as other means to
mitigate his trackability. But the FD ID can still work? Ouch.

3) If this is what MS can do, imagine what the NSA is dabbling in.

------
qaq
They always forget the last step: move to a country with no extradition to the US.

~~~
koheripbal
How would he have convinced his wife and kids that that was necessary?

------
darkwater
TBH the article looks a bit sensationalist. The $10m _worth_ in CSV were sold
obviously at a lower price, so it couldn't possibly make him 10 million US
dollars; plus, they went through other black market resellers who I guess
would take their cut.

~~~
withinrafael
He netted roughly 3 million USD [1] after a bunch of resale activity, per
the complaint (case 2:19-mj-00321-PLM).

[1] [https://regmedia.co.uk/2019/07/17/us_v_kvashuk.pdf](https://regmedia.co.uk/2019/07/17/us_v_kvashuk.pdf), page 25

~~~
newyankee
Won't the IRS find sudden jumps in balance? He must have had to pay taxes on
this, I guess. How else can he explain the source?

~~~
pbhjpbhj
Bought Bitcoin and held it (offline wallet) for ~15 years?

~~~
newyankee
But then they will ask for blockchain transaction history to prove it?

~~~
pbhjpbhj
If you washed it, surely you can't do that?

------
fareesh
When he buys the stored-value stuff off the store using his test account and
then the stored-value card is redeemed by like 100 other Xbox accounts, isn't
that all the evidence you need?

1) Sale Transaction of stored-value currency linked to Dev

2) Stored-value currency redeemed and deposited into accounts linked to
spaceninja888 on X-Box Live (100 other transactions like this)

Isn't this sufficient evidence to prove he stole the money? Even if he gave it
away for free, isn't it still fraud?

~~~
homero
It was A test account, it wasn't exactly linked to him.

~~~
techslave
It was directly and uniquely linked to him.

------
zerr
> initially worked for Microsoft as a contractor

How do you find such contract work? (at BigCo's I mean)

~~~
kiallmacinnes
Microsoft employs many contractors, we tend to call them "vendor staff"
internally. More often than not these people will come from external companies
who supply the staff, but they will be based on-site and embedded onto a team
for the duration of their contract.

Pretty sure I can't name any of our vendor companies, but you can take a guess
at some of the bigger ones I'm sure.

~~~
deaddrop
> _...we tend to call them "vendor staff" internally..._

There was a time when MSFT called them "dash trash". Good times. /s

~~~
Scuds
They still tend to get worked pretty hard, have no job security and don't get
paid anywhere near as well.

------
nobrains
"... despite efforts to conceal his identity ... to hide public blockchain
transactions using a Bitcoin mixing service."

Does someone have details on what he was trying to do here, and why he had
to use Bitcoin mixing in the first place?

~~~
candiodari
I imagine that if you do this, you'd sell gift cards for store currency in
Bitcoin, and presumably also in cash. You'd probably want to avoid using bank
transactions.

------
rit
Supporting test credit cards in production with no fraud or risk assessment.

Do you want fraud? This is how you get fraud.
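A minimal production-side guard for the failure rit describes, written as an added example (not Microsoft's code and not anything from the complaint): whitelisted test payment instruments are refused when the product is stored value in production, and any test-funded stored value that slips through is totalled per account so the spike the article's investigators noticed surfaces early. The record fields, instrument ids and threshold are assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample records; every field name here is an assumption.
@dataclass(frozen=True)
class Purchase:
    account: str
    instrument: str      # payment instrument id
    product: str         # e.g. "csv_gift_card", "xbox_subscription"
    amount_usd: float
    env: str             # "prod" or "test"

# Instruments whitelisted for QA. They must never mint resellable value.
TEST_INSTRUMENTS = {"test-card-0001", "test-card-0002"}
STORED_VALUE_PRODUCTS = {"csv_gift_card"}

def is_allowed(p: Purchase) -> bool:
    """Test instruments may exercise checkout, but not buy stored value in prod."""
    if p.instrument in TEST_INSTRUMENTS:
        return not (p.env == "prod" and p.product in STORED_VALUE_PRODUCTS)
    return True

def flag_test_instrument_spend(purchases, limit_usd=100.0):
    """Return {account: total} for accounts whose test-instrument spend in prod
    exceeds limit_usd. This is the second line of defence: even without the hard
    block above, a volume spike of test-funded value is what gets noticed."""
    totals = Counter()
    for p in purchases:
        if p.env == "prod" and p.instrument in TEST_INSTRUMENTS:
            totals[p.account] += p.amount_usd
    return {acct: round(total, 2) for acct, total in totals.items() if total > limit_usd}

# Constructed sample: one legitimate QA purchase, one abuse pattern, one customer.
SAMPLE = [
    Purchase("qa-bot", "test-card-0001", "xbox_subscription", 9.99, "test"),
    Purchase("dev-acct-7", "test-card-0002", "csv_gift_card", 100.0, "prod"),
    Purchase("dev-acct-7", "test-card-0002", "csv_gift_card", 100.0, "prod"),
    Purchase("customer-1", "cust-card-9f3a", "csv_gift_card", 25.0, "prod"),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.account, p.product, "allowed" if is_allowed(p) else "BLOCKED")
    print("over limit:", flag_test_instrument_spend(SAMPLE))
```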

