At first, Kvashuk bought an Office subscription and a couple of graphics cards. But when no one objected to those small purchases, he grew much bolder. In late 2017 and early 2018, he stole millions of dollars' worth of Microsoft store credit and resold it online for bitcoin, which he then cashed out using Coinbase.
US prosecutors say he netted at least $2.8 million, which he used to buy a $160,000 Tesla and a $1.6 million waterfront home (his proceeds were less than the value of the stolen credit because he had to sell at a steep discount).
Kvashuk made little effort to cover his tracks for his earliest purchases. But as his thefts got bigger, he took more precautions. For later thefts, he used test accounts that had been created by colleagues. This was easy to do because the testers kept track of test account credentials in a shared online document. He used throwaway email addresses and began using a virtual private networking service.
Before cashing out the bitcoins, he sent them to a mixing service in an attempt to hide their origins. Kvashuk reported the bitcoin windfall to the IRS but claimed the bitcoins had been a gift from his father.
But the government's complaint included quite a bit of evidence linking Kvashuk to the crime.
He sometimes used the same VPN connection—and hence the same IP address—to access different accounts, allowing investigators to draw connections between his known accounts and those used for later thefts. Device fingerprinting techniques also provided circumstantial evidence linking Kvashuk to the larger heists.
The feds also argued that the timing of Kvashuk's sudden bitcoin wealth was suspicious. "The value of the bitcoin deposits to Kvashuk's Coinbase account generally correlated with the value of the purchased and redeemed [Microsoft credit]," the government argued.
A jury found the government's arguments convincing and convicted Kvashuk on several counts in February.
"Stealing from your employer is bad enough, but stealing and making it appear that your colleagues are to blame widens the damage beyond dollars and cents," US attorney Brian Moran said in a press release. Kvashuk was convicted of "five counts of wire fraud, six counts of money laundering, two counts of aggravated identity theft, two counts of filing false tax returns, and one count each of mail fraud, access device fraud, and access to a protected computer in furtherance of fraud," the government wrote.
Kvashuk has been ordered to pay $8.3 million in restitution, though it seems unlikely he'll ever be able to do that. The government says he may be deported after serving his time in prison.
This story originally appeared on Ars Technica.