Former Microsoft Engineer Convicted of Insider Fraud

Fraud Management & Cybercrime

Used Admin Privileges to Steal $10 Million From Retail Platform

Former Microsoft Engineer Convicted of Insider Fraud

A former Microsoft software engineer was convicted this week on 18 federal criminal charges tied to stealing more than $10 million through the company’s online retail platform, according to the U.S. Department of Justice.

See Also: How to Defend Your Attack Surface

Voldymyr Kvashuk, a Ukrainian resident who first worked as a contractor and then as a full-time engineer at Microsoft from 2016 to 2018, was found guilty on five counts of wire fraud, six counts of money laundering, two counts of aggravated identity theft, two counts of filing false tax returns, and one count each of mail fraud, access device fraud and access to a protected computer in furtherance of fraud, according to the U.S. Attorney’s Office for the Western District of Washington, which oversaw the case. He faces up to 20 years in federal prison when he’s sentenced later this year.

Kvashuk was hired to test the software giant’s online retail platform. Eventually, he used his system administrator credentials and access to steal digital currency and gift cards, prosecutors say.

Over a seven-month period, Kvashuk stole more than $10 million through Microsoft’s retail platform and went on a shopping spree that included purchasing a $1.6 million lakefront home and a $160,000 Tesla, according to prosecutors.

Extensive Fraud

In his fraud scheme, Kvashuk used not only his own email testing accounts, but accounts belonging to other Microsoft employees, according to the Justice Department. This helped mask his theft of “currency stored value” within the platform, which included gift cards and digital currency.

At first, Kvashuk kept the thefts small, using his own accounts to steal about $12,000, according to federal prosecutors. Later, when he began using testing accounts belonging to other employees, Kvashuk began expanding his scheme.

Kvashuk also used a bitcoin “mixing” service to help hide the source of the income flowing into his bank accounts, according to the Justice Department. Over the seven-month period, about $2.8 million in bitcoin was transferred into Kvashuk’s accounts, federal prosecutors say.

Nearly 20 percent of all cybersecurity incidents, as well as 15 percent of data breaches, that happened in 2018 were the result of either an accidental misstep by an employee or malicious behavior by a current or former worker, according to the Verizon 2019 Data Breach Investigations Report. Malicious insider behavior has increased at least 50 percent since 2015, the report states.

Share this post

Share on facebook
Share on linkedin
Share on print
Share on email

Subscribe to our Monthly Cyber Security Digest

Get monthly content to keep you up to date on the latest news and tips