Posted by z3d in OpSec

The Xbox gift card came with a string of 25 letters and numbers. The digits, known as a 5x5 code, were sent in an email, but they were no different from the numbers and letters etched onto the gift cards hanging off tall racks near the checkout aisle at CVS or Target, arrayed in a Rubik’s Cube of colors. These stores sell them on behalf of Apple, Applebee’s, Disney, Domino’s, and pretty much every other company you can think of, including Microsoft Corp., which markets its cards under the Xbox brand. The cards themselves, of course, are worthless, but each 5x5 code corresponds to a dollar amount. In this case the code, DD9J9-MXXXC-3Y6XD-3QH2C-PWDWZ, was worth $15 toward the purchase of anything that Microsoft sold online—video games, Office and Windows software, Lenovo laptops, Sonos speakers, and the like.

In this way, gift cards can be thought of as a sort of digital currency, not unlike Bitcoin. The comparison may seem silly, given that gift cards date to the bygone era of Blockbuster Video, but today there are online marketplaces where anyone can trade gift card codes for Bitcoin and then turn the spoils into cash. These markets inevitably attract speculators and, because trades can be conducted anonymously, scammers.

Volodymyr Kvashuk received the $15 code a few weeks before Christmas, in 2017, among a batch of 20 others worth $300 altogether. But the engineer, who went by Vova for short and was in his mid-20s, hadn’t paid for the Xbox gift cards himself, nor were they some early holiday present from relatives. Kvashuk had recently begun a full-time job at Microsoft’s headquarters in Redmond, Wash., testing the company’s e-commerce infrastructure.

His team’s focus was to simulate purchases on Microsoft’s online store, looking for glitches in the payments system. This meant making lots of pretend purchases in the store. If Kvashuk added a Dell PC to his shopping cart, he’d use a faux credit card Microsoft had provided, complete the transaction, and document any errors. The system knew the purchase was fake and wouldn’t deliver the device to his doorstep. At least that was what was supposed to happen.

Then Kvashuk found a bug that would change his life, a flaw so stupidly obvious that he couldn’t bring himself to report it to his managers. He noticed that whenever he tested purchases of gift cards, the Microsoft Store dispensed real 5x5 codes. It dawned on him: He could generate virtually unlimited codes, all for free. A former senior engineer on Kvashuk’s team—who, like other sources in this story, spoke on the condition of anonymity to avoid being publicly associated with the wrongdoing that followed—says this was the Halo-age equivalent of a frontier bank leaving its vault unlocked. “Sooner or later, someone’s going to try to get away with taking $20,” the ex-Microsoft employee says. “When they don’t get caught, they figure, ‘All I need is six guys to empty out the safe one night when no other employees are around.’ ”

Kvashuk started small, generating Xbox cards in increments from $10 to $100. But his haul quickly escalated. By the time federal agents caught up with him almost two years later, he had stolen more than 152,000 Xbox gift cards, worth $10.1 million, and was living off the proceeds in a seven-figure lakefront home with plans to buy a ski chalet, yacht, and seaplane. This past November, a judge sentenced him to nine years in prison.
