• Microsoft engineer gets nine years for stealing $10M from Microsoft

    From Bilbo Baggins@21:1/5 to All on Tue Nov 10 16:46:23 2020
    XPost: misc.legal.computing, wa.politics

    arstechnica.com
    Microsoft engineer gets nine years for stealing $10M from Microsoft
    Timothy B. Lee - 11/10/2020, 1:00 PM

    A former Microsoft software engineer from Ukraine has been sentenced
    to nine years in prison for stealing more than $10 million in store
    credit from Microsoft's online store. From 2016 to 2018, Volodymyr
    Kvashuk worked for Microsoft as a tester, placing mock online orders
    to make sure everything was working smoothly.

    The software automatically prevented shipment of physical products to
    testers like Kvashuk. But in a crucial oversight, it didn't block the
    purchase of virtual gift cards. So the 26-year-old Kvashuk discovered
    that he could use his test account to buy real store credit and then
    use the credit to buy real products.

    At first, Kvashuk bought an Office subscription and a couple of
    graphics cards. But when no one objected to those small purchases, he
    grew much bolder. In late 2017 and early 2018, he stole millions of
    dollars worth of Microsoft store credit and resold it online for
    bitcoin, which he then cashed out using Coinbase.

    US prosecutors say he netted at least $2.8 million, which he used to
    buy a $160,000 Tesla and a $1.6 million waterfront home (his proceeds
    were less than the value of the stolen credit because he had to sell
    at a steep discount).

    Kvashuk made little effort to cover his tracks for his earliest
    purchases. But as his thefts got bigger, he took more precautions. He
    used test accounts that had been created by colleagues for later
    thefts. This was easy to do because the testers kept track of test
    account credentials in a shared online document. He used throwaway
    email addresses and began using a virtual private networking service.

    Before cashing out the bitcoins, he sent them to a mixing service in
    an attempt to hide their origins. Kvashuk reported the bitcoin
    windfall to the IRS but claimed the bitcoins had been a gift from his
    father.

    The government's case

    But the government's complaint included quite a bit of evidence
    linking Kvashuk to the crime.

    He sometimes used the same VPN connection, and hence the same IP
    address, to access different accounts, allowing investigators to draw
    connections between his known accounts and those used for later
    thefts. Device fingerprinting techniques also provided circumstantial
    evidence linking Kvashuk to the larger heists.

    The feds also argued that the timing of Kvashuk's sudden bitcoin
    wealth was suspicious. "The value of the bitcoin deposits to Kvashuk's
    Coinbase account generally correlated with the value of the purchased
    and redeemed [Microsoft credit]," the government argued.

    A jury found the government's arguments convincing and convicted
    Kvashuk on several counts in February.

    "Stealing from your employer is bad enough, but stealing and making it
    appear that your colleagues are to blame widens the damage beyond
    dollars and cents," US attorney Brian Moran said in a press release.
    Kvashuk was convicted of "five counts of wire fraud, six counts of
    money laundering, two counts of aggravated identity theft, two counts
    of filing false tax returns, and one count each of mail fraud, access
    device fraud, and access to a protected computer in furtherance of
    fraud," the government wrote.

    Kvashuk has been ordered to pay $8.3 million in restitution, though it
    seems unlikely he'll ever be able to do that. The government says he
    may be deported after serving his time in prison.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)