The Regifter

TL;DR: Microsoft engineer Volodymyr Kashuk exploited a loophole in testing accounts to generate unlimited gift card codes, sold them for Bitcoin on Paxful, and was convicted, receiving a nine-year sentence.

The story of one man trying to make his fortune one Xbox gift card at a time.

Transcript

Machine-generated transcript; may contain errors.

Speaker 1: Do you

Speaker 2: Do I?

Speaker 1: Have any unused gift cards sitting in a drawer somewhere?

Speaker 2: Oh, absolutely. I think everybody has the little, you know, container tray in their junk drawer just full of ghosts of Christmas gift card past.

Speaker 1: What are we talking about here? Best Buy? Like, the chapter?

Speaker 2: Sport Chek, Home Depot, like, the local ramen shop we like. Like, you you name it. There's, like, a decent amount of cards there.

Speaker 1: Let's start this off by talking about how you can turn those gift cards into cold hard cash because it is very important to all of this. There's a bunch of websites on both the clear and dark web for turning gift cards into money.

Speaker 2: But the

Speaker 1: one that we're gonna talk about because it comes up most in the story is called Paxful. Paxful. Paxful describes itself as a peer to peer platform for buying and selling Bitcoin. But the interesting part is that you can buy Bitcoin from other users using, quote, 350 plus payment methods. And just shy of half of those payment methods are different kinds of gift cards. So if you've got a gift card to your favorite ramen shop on paxful.com, you can sell it to someone for Bitcoin. You got a gift card to Chili's, you can buy some crypto with it. Costco, Dell, Disney, IHOP, buy and sell crypto, which, if you were so inclined, you can then convert into currency wherever you live, kind of a gift card to cash pipeline. Most folks listening to the show have probably heard about, like, scams and grifts and social engineering hacks that end with the victim sending the scammer a gift card.

Speaker 2: Right.

Speaker 1: They're basically untraceable. They make a great medium for scams. They were kind of the medium before crypto. Right?

Speaker 2: Mhmm.

Speaker 1: Because once you've convinced someone that you are from the IRS, and the only way they can avoid a massive fine for back taxes is to send you $500 in gift cards to Applebee's right now, It's very easy to turn those gift cards back into cash using sites like Paxful. But those businesses, Adidas, Costco, Denny's, somewhere deep in the bowels of their, like, finance departments, there exists a database. A spreadsheet, essentially, of codes. Strings of typically 25, like numbers and letters, that correspond to some dollar value. There's a whole system for generating those codes. There's a system of accounts for testing them. And the codes aren't worth anything until someone takes it, turns around, and hands it back to the company and says, I've been told this is worth $20 of stuff. I'd like that stuff. The company checks the database, confirms that to be true, and lets that person walk out with sneakers or pancakes or in app purchases. But just for a second, let's think about a person who works at one of those companies in the department with the big database of codes who finds, like, hiding in that system a button that says make new gift card code. And they figure out a way to press that button

Speaker 3: anonymously and as many times as they want.

Speaker 1: Twenty years ago, that person had found a button to create, you know, infinite sneakers or pancakes or whatever, and they'd get caught really quickly because they're stealing from the one place that takes the currency they're stealing. But that was back then, before sites like Paxful. Today that person with a little bit of automation and account on Paxful and a crypto wallet has basically discovered a button that prints money. Generate the code, sell it for bitcoin, convert the coin to cash, buy a yacht. This is the story of Volodymyr Kashuk, a former junior Microsoft engineer who found that button and kept pressing it until the bitter end. Here on

Speaker 3: hacked.

Speaker 1: I have I checked before we recorded. I have $75 to Best Buy, and I think, like, 4 doll some, like, change left on a Chapters gift card. And I think that's it. I think I've worked through the rest of them. Wow. Good work. Yeah. Good work. I'm putting the time in, man.

Speaker 2: I think somebody else we need to give a shout out to is all of the hardworking scammer payback people, like Kitboga on YouTube and Twitch and Scammer Payback on YouTube. Yes. These people who literally have made a career just harassing the people that constantly harass us. Sure. I I know I know it's it's black it's cyber cyber deal and Black Friday season, and I've been considering changing cell phone plans, which I did do. And one of the big things I was looking for was the call confirmation. I don't know if you're aware of this. No. But, essentially, essentially, they have to confirm that they wanna call you. So so, like, all of those bogus auto dialer calls just get dead blocked.

Speaker 1: Oh, wow. And, Yeah. That's a great feature.

Speaker 2: Yeah. Sadly, like, the the thing is is, like, I've essentially stopped answering my telephone at this point. If I don't have your number in my phone, then I don't pick up because I just assume it's a scammer. Like, I get so many a day, which is not great for business or otherwise, but it's just you know? For my mental health, I just have to not pick up my phone 73 times a day to hear, you know, the CRA is busting you or the IRS is coming for you or Mhmm. Whatever it is.

Speaker 1: And it's always send us a pay card.

Speaker 2: Send us a, Android, Google Pay, please. Target gift cards. Great. So big ups to all the, all the scammer payback people out there, you know, doing one for the team.

Speaker 1: I do love those videos. Every so often, the algorithm just sort of, like, do you wanna watch a a person on the far end of a webcam freak out because they got hacked by the person they were trying to hack? I'm like, I do.

Speaker 2: I do. I do wanna watch that. Yeah. Same. I I enjoy watching those too.

Speaker 1: Load it up.

Speaker 2: So if you if you haven't managed to have the algorithm feed you one of these things yet, I highly recommend very funny youtube.com/kitboga, kitboga, or Twitch. I think he's on Twitch as well. You know, one of the best, I think. His his his harassment is next level. So

Speaker 1: One of the greatest to

Speaker 2: ever do it. Get the goat of scammer harassment. And I think I think he's actually famous in the scammer world at this point. Like, these people know who these people are and, like, they know when they're being played almost because he's so good at it, which is so funny.

Speaker 1: Do you think that scammers seek out this is a total detour. Do you think that people that do scams try and seek out the people that take on scammers on YouTube almost as like, like the Olympics of doing scams? Like, if I if I can get them.

Speaker 2: Maybe. Maybe. If I

Speaker 1: can pull pull the rug over, or is it do you just wanna be famous? Like, I just wanna be on a I wanna be on that stream. I wanna see if they can get me.

Speaker 2: I don't know. I never thought about that. Just like, would I be the goat of scammers to scam the goat of anti scammers? I guess I guess maybe you would. The highest profile target.

Speaker 1: The The only way you can know if you're the true heavyweight is to take on the heavyweight.

Speaker 2: That's right. That's right.

Speaker 1: So spoiler, we're talking about all this because this all goes horribly wrong for Volodymyr, which is the only way that you end up with all of the court documents necessary to really get what happened here.

Speaker 4: Very briefly, as the court recalls from from the briefs, the fraud alleged then alleged fraud happened between November 2017 and March 2018.

Speaker 1: That is audio from an appeals hearing for his case. Volodymyr has been convicted. That video is his defense attorney kinda sitting on a Zoom call with the prosecution and some judges trying to make the case for his appeal, and it is not going well. Here is one of the judges.

Speaker 3: Let me add let me just say this. I'm sure you're a really good lawyer, but I'm sure that's not your best argument. What is your best argument?

Speaker 2: It's a clapback. Just the the judicial form of a roast.

Speaker 1: Volodymyr is currently serving a nine year sentence for the events that we're about to discuss. But what he did and the way he navigated this weird system of non currency currencies that gift cards sort of sit in the middle of. It's just very interesting to me. And with the holiday season approaching, this being a story about gift cards, I think very relevant. Volodymyr Kashuk was born and raised in Rivne Oblast in Western Ukraine. Prior to coming to the US in 2015, just sort of a normal dude. Stays calm, science, economics at the university where his parents taught, got, you know, kinda average enough grades. Austin Carr's really good investigation to this for Bloomberg where I got a lot of my notes. Flags importantly that he did get a D in risk management, which feels prescient to everything that's about to occur.

Speaker 2: Appropriate.

Speaker 1: He comes to the States in 2015 for a wedding and immediately loves it, takes to the Southern California sun, decides to crash with his aunt and uncle, gets in touch with an immigration attorney, and manages to wrangle a job reviewing JavaScript for a small software firm. Volodymyr had made his way into the American software industry. Kashuk's side hustle during this time when he first arrived is important for a couple reasons. First, it resulted in some of the only audio of him I was able to find, from some ads that he and his business partner made, and they are fantastic.

Speaker 3: Hi, world. This is Lee. In my previous life, I was totally not happy, man. This would be my tenth cup of coffee by the day because I was a marketer in search engine optimization, and my life suck.

Speaker 2: Is it a crypto company? It sounds like a crypto ad.

Speaker 1: It's not. Searchdom.ai, whose URL is actually currently available for sale, we should scoop it up, was a automated marketing something. I don't quite know what service they were providing, but it had to do with automated marketing. And in this ad, we get to hear just a little little bit of Kashuk.

Speaker 5: Haley, your life doesn't need to suck anymore. There is AI automation that can solve all your problems.

Speaker 6: Oh my god. Show me.

Speaker 1: There's no indication that this business had anything to do with what followed this business or his business partner. But the company doesn't go too well. Searchdom is not like the big unicorn I imagine they'd hoped it would be, and Kashuk decides to pursue new opportunities. But this company does come up later. In August 2016, he ends up at a company that handled basically one contract, development for the online store for a little company called Microsoft. Kashuk moves into an apartment in Seattle, works there for a while, and in 2017, he makes the transition from an external vendor to a full time engineering position inside of Microsoft, which is really when all of this boots up. Good job. Yeah. No. He made it there pretty quick. As part of his job, Kashuk had the ability to create these testing accounts for the Microsoft Store. And there were a lot of limits put up around these testing accounts to make sure that nothing, you know, kinda dodgy happens with them. Basic idea is with one of these accounts in the store, you can go through an entire transaction to test every stage of it. You could buy pick a thing, place basically unlimited orders, go through the whole process right up until we've shipped this to you. But the catch was, it just wouldn't ship stuff to these testing accounts. So you could go through the process of ordering an Xbox. You can make sure it's possible to buy an Xbox, but at the end, they don't ship you an Xbox if you're using a testing account. Right. But during that first year, Kashuk makes a discovery. A product that this limit didn't apply to. A product you could basically order unlimited amounts of because there was no physical good to ship. Right. Just a code for the system to generate.

Speaker 2: I think I see where this is going.

Speaker 1: You found the button, man.

Speaker 2: I think that I think that's a, like, like, a ethical morality test that I I wonder if all of us took, how many of us would pass. Somebody gives you a button to just generate money. Can you can you restrain yourself? I think I could. I think you could, but I think a lot of people wouldn't.

Speaker 1: I like to think I could, but what's interesting about this is that there's still a little bit of friction. Like, he found the button, but the button, he's still pressing the button with his testing account. So he's found the button, but it's not immediately clear that he can press it without repercussions yet. We found this way to basically generate very real gift card codes. It was this loophole in the system. Microsoft just hadn't planned for these testing accounts to test purchase that specific thing. But if you went through the process of buying one with one of these test accounts, they would give you a working code. And to your question about the sort of, like, morality test here, Kashuk does not report this. Of course. The other important thing here, and I brought this up earlier, has to do with the testing accounts themselves. Theoretically, if he generates a bunch of these codes on his account, it's really, really easy to figure out who is doing this. So he's found the button, but he needs to find a way to press it using a bunch of these different accounts. Kashuk and his coworkers would regularly hop back and forth between mock profiles registered using aliases with the Microsoft Store team. These accounts weren't supposed to be disposable, but it was really easy to make new ones. They weren't supposed to be swappable with other employees, but folks pretty regularly did. And at some point, I'll unpack exactly how we did it later. Kashuk manages to find a second vulnerability that really makes this scam click the way it ends up clicking, and it was a way to access the login credentials of other Microsoft employees' testing accounts. So now he wasn't just relying on people being kind of sloppy with these accounts and giving them back and forth. He wasn't relying on his ability to register new ones. He figured out a way to get access to other employees' testing logins. And he starts amassing this database of these testing profiles. 
Kashuk is working from home that summer, and he starts building this this kind of pipeline. He's routing all his Internet traffic through Japan and Russia, and he's starting to place test orders using these different testing accounts for gift cards.

Speaker 2: I like to imagine at this point that this has become his, like, full time job. Like, he's just kinda sitting there barely doing his actual work, but just compiling the script and database of, like like, he's probably still being paid, but he's being paid to, like, hack the company that he works for.

Speaker 1: I think that's probably accurate. It's like he is a janitor hired to clean a building, and in the basement, he found a bunch of gold. And he's just spent the summer trying to figure out how to sneak it out of the building.

Speaker 2: Yeah.

Speaker 1: The process he builds immediately works. He's able to generate a $2,000 gift card anonymously. He does a test purchase, buys a copy of Microsoft Office for a $164, and everything goes off like gangbusters. Ironically, that first purchase he makes way early in this process before the millions of dollars that would come of a copy of Microsoft Office would also be the thing that led to his downfall. I

Speaker 2: was gonna say, let me guess that was the the needle in the haystack. They traced it all the way back to the first purchase and he registered it to himself.

Speaker 1: In January 2018, he decides to automate this process. He develops a computer program he named purchaseflow.cs. You punch in the denomination, you punch in the currency you want it in, you punch in the number of cards you want generated to those specs, and it would handle the whole thing. I think your theory that he is basically doing this as his full time job, seems pretty plausible to me at this point in the the story. If we look over at his listings on paxful.com where he was gonna end up selling these things, he operates under the username Grizzled Wolf. We could see how appealing he could make these gift cards for the people who he was then using to launder them into cash. Because they were free for him, he could sell them on this site at a massive discount. Sure. He was selling these things for like 55% off. He could generate them in any foreign currency. This was, as you flagged, probably his full time job at this point, so he was super fast to respond.

Speaker 2: He has, like, an online store where you can, like, choose your denomination thing and then pay 50¢ on the dollar and get a gift card for it. I could see how that would be an appealing product to make, but also it's theft.

Speaker 1: Oh, it's completely theft. And it is unclear whether or not all of his customers know that this is theft. You should be able to intuit that someone selling this many gift cards at this kind of a discount is probably not totally legit. But he had a pretty big spectrum of people buying from him, so it's not clear that everyone knew they were buying from someone who had stolen these things. One of the other big players in the Paxful ecosystem who are, our buddy Kashuk, aka Grizzled Wolf, was selling to was a user named Maku. Maku was a buyer seller, claimed to be based out of China, and he first reached out to Volodymyr with a message that read, I need euros 75. He ends up buying 300 gift cards from Grizzled Wolf, worth on the open market about $30,000 at the time. Grizzled Wolf sells them to him for 1.98 Bitcoin, which was then worth about 17k. So this is a really, really good deal for Maku. They do this giant transaction anonymously at the time. You didn't require identification on Paxful back then. And then Kashuk just drops this giant copy paste of 25 digit codes, like, into their chat. That's the whole deal. Maku turns around, sells them off individually, classic bulk buying retail markup setup.

Speaker 2: It's like classic classic gift card arbitrage.

Speaker 1: In this first gift card arbitrage, a rousing success. Grizzled Wolf and Maku kinda go into business together. They decide they're gonna increase the volume. They're gonna try and scale this thing up. All in over the course of this, Maku and one other user on Paxful made up the bulk of Volodymyr's sales over the next year or so he's in business. He sold these two accounts alone, roughly $7,000,000 US in Microsoft gift cards over that time frame. Kashuk is amassing a fortune in Bitcoin throughout all this. He obviously has to find a way to launder it, ends up using a tumbler called Chipmixer. And in March of that year, Volodymyr transfers $1,400,000 from a Coinbase account into a personal Wells Fargo checking account. He does another million bucks in April. He tells his accountant the Bitcoins were a gift from his dad. And we're gonna talk about the ways that he spent that money a little bit later. But slowly, glitches are starting to emerge. He starts getting messages from folks saying that the codes they bought weren't working. Some early signs of trouble. Gets a message from a high schooler, username Alpsterbone, who bought a code and when it didn't work, immediately called up Microsoft's customer service line, where they tell him that the number he bought, the one Volodymyr had generated using the system, was reported as stolen. These are the first signs that maybe Microsoft is starting to figure something's up. But Absorbone is not the only person to essentially narc on him to Microsoft. His number one customer, Maku, also calls up Microsoft after a giant batch of codes that Kashuk sold him turned out to be bad. Kashuk sends Maku a message that reads, quote, damn man, you should not have sent this request to Microsoft. Send them directly to me. If they start tracking you down, I am going to bail.

Speaker 2: I was gonna say that's always a a sign you're in business with somebody good.

Speaker 1: Yeah. Totally.

Speaker 2: I don't don't call the people that are responsible. Call me.

Speaker 1: Don't call the people that make the thing.

Speaker 2: If they track me down, I'm gonna run. You're like,

Speaker 1: You're gonna bail from this legitimate business you're operating? Yeah. They were tracking him down. In February 2018, Microsoft's FIST department, the fraud investigation strike team, noticed a massive spike in online purchases using gift cards. Because you could basically doubled the amount of codes that were typically being redeemed at any one time. He had totally messed up the curve. Wow. One person? One person had totally screwed this whole thing up.

Speaker 2: For a company the size of Microsoft? Apparently. Yeah. I would assume it was, like, a rounding error for Microsoft, but maybe not. They must that's good. It's good that the FIST department exists so that they track that stuff.

Speaker 1: Strike team FIST. At first, they designated as probably coming from a bad actor outside of the company. They thought someone was stealing from them from outside Microsoft. Yep. But they pretty quickly discovered that the call was coming from inside the house. This is an inside job, so they decide to bring in the big guns.

Speaker 2: Wait. Who who are the big guns?

Speaker 1: Oh, we're gonna get to the big guns. Oh. His discovery right after the break. Starting something new isn't just hard. It can be downright terrifying. You put a lot of work into a thing. You're not entirely sure it's gonna work out. You're taking a huge leap of faith. I've started a few things. Now I know I was right for believing in, you know, the idea, the product, despite all of those fears and hesitations. But boy, does it sure help when you have a partner like Shopify on your side. Shopify is the commerce platform behind millions of businesses around the world and 10% of all e commerce in The US. From household names like, well, hacked podcasts merch, to brands just getting started. You can get started with your own design studio with hundreds of ready to use templates. Shopify helps you build a beautiful online store that matches your brand style. Did I mention that that iconic purple shop pay button is used by millions of businesses around the world? I don't know why I wouldn't. I should. It's why Shopify has the best converting checkout on the planet. It also helps boost conversions, meaning less carts, sort of getting abandoned in the parking lot and more sales for you. It's time to turn those what ifs into sign up for your $1 per month trial at shopify.com/hacked. Go to shopify.com/hacked. One more time, that's shopify.com/hacked.

Speaker 2: I love how I love how it it would be such a an obvious thing to think that somebody had figured out a way, like, a loophole in your online store to, like, do something. Like, it seems like it would be an external hack, but I guess the internal makes just as much sense. They'd have even more access.

Speaker 1: Yeah. It really depends how much trust you have in the system that you've built.

Speaker 2: Yeah. Yeah. Well, it's and it's, again, not knowing because I'm sure the system is quite comprehensive. It's probably pretty rare for one single person to know the entire system. So it would be, you know, some external exploit could easily be doing something similar. Like, I know that there's Mhmm. Trying to remember there was something recently that was like this that, there was an external way to essentially get something free on a purchase. Like, if you bought if you bought one but had looked at another one, it would auto buy that as well.

Speaker 1: Oh, interesting.

Speaker 2: Anyway

Speaker 1: It was clear that they had tried to put up some guardrails around these testing accounts. They probably weren't worried about them because, well, they're testing accounts. They can't actually complete transactions. They're not the first place you look when in an unrelated department, a bunch of gift cards seem to have been hacked. It's you don't immediately jump over to the testing accounts because, you know, they're just testing accounts. But the second you you make that connection, it becomes pretty clear. We've devised a system for generating unlimited purchases of physical goods that won't ship, but this is a product that is not shipped. It is generated.

Speaker 2: Yeah.

Speaker 1: It was only a matter of time until the big guns put two and two together. But before we get to him, it's the twilight days of Kashuk's Xbox heist lifestyle.

Speaker 2: How was he spending his money?

Speaker 3: As I recall, didn't he, had he purchased his his new home?

Speaker 4: That's correct. But he purchased the new home. I mean, he apparently,

Speaker 3: That's a giant red that's a giant red flag for the for the investigative officers.

Speaker 4: This is true. Thus, my comment on

Speaker 3: And and a Tesla.

Speaker 1: $1,675,000 on a house on Lake Washington.

Speaker 2: Okay.

Speaker 1: Real nice pad. Had a boat dock. Nice. Bought that in cash. Told the realtor again he made his fortune in Bitcoin.

Speaker 2: Of course.

Speaker 1: Goes out and gets the, gets that that clean red Tesla model s for a a clean $162,000.

Speaker 2: Nice.

Speaker 1: He's living the good life. But meanwhile, inside of Microsoft, March of that year, corporate investigators had traced some weird activity to two of the internal test accounts assigned to folks on the same team as Kashuk. Those two accounts alone had generated about $8,000,000 in codes that were for sale on Paxful. So the FIST team turns those accounts off. Then a couple days later, another one of those accounts from the same team is suddenly draining gift card codes out of the system. This new account cleans out another $1,600,000 in the twenty six hours it was live. The investigators call up the people who these testing accounts are assigned to, and they have earnestly no clue what is going on. Someone had clearly found a way to access these other people's accounts. Earlier in this whole hack, there was that moment when Volodymyr figured out how to gain access to the accounts of some of his coworkers. Yep. And it's at this point that the investigators cracked how he was doing it. Microsoft used a program they named Fiddler. It was the system for filing bug reports, but it turned out buried deep inside it somewhere, there was a vulnerability in Fiddler for the testing accounts that were plugged into it. While we don't know the exact mechanism by which he did this, anyone with Fiddler access could theoretically work their way back to the login credentials of the other users on their team. Huge vulnerability inside of this piece of software. But suddenly, this investigation team has a sense that, okay, it's clearly someone on this same team that is using the login credentials of their peers.

Speaker 2: Sure. They've narrowed it down to, like, the 10 possible people.

Speaker 1: So the FIST team brings in a fifteen year forensic investigator at Microsoft, a guy named Andrew Cookson.

Speaker 2: The big guns.

Speaker 1: Big guns.

Speaker 2: I was gonna say, and it takes him twenty five minutes to realize that one of the team members has just bought a house next to Bill Gates on Lake Washington and is driving a brand new Tesla.

Speaker 1: The next part of the story is he goes digging through the data, but I like to think before he did that, he looked out the window at the parking lot and was like Yep. That car cost a $170,000. It's that guy.

Speaker 2: Yeah.

Speaker 1: Cookson and the team go digging through all the data. I have to think what ultimately happened here is that before Kashuk decided to scale this into a multimillion dollar operation, way back in 2017, he was just kinda sloppier. One of Kashuk's actual testing accounts, one that's actually tied to him, had used the same glitch he would go on to use for tens of millions of dollars in transactions to buy some gift cards illegitimately way back in 2017. That initial purchase is what gets him on the radar. The thing that really clinches it for Cookson that this is the guy is that someone had used some of those codes from the hacked testing accounts to order three NVIDIA graphics cards. Those graphics cards were shipped to a made up name in an imaginary unit that was importantly in the very real building where Kashuk lived. Kashuk gets a call from Microsoft asking him to come in. Andrew Cookson, the ex Scotland Yard computer crimes investigator, would like to have a word.

Speaker 2: Did he bail?

Speaker 1: He did not bail, weirdly. Go bag time. I would have thought it was if it was go bag time here. There's this weird thing that I noticed in stories about interrogations. It's kind of a pattern. And it's that folks who are confronted with wrongdoing will often admit to a much lesser version of the same thing they're being accused of. And I don't Sure. Really I kinda get why people do this, and I kinda don't. It's the, like, yes, officer. I have had a couple drinks, but only a few. Like, they confess ish. On May 18, Kashuk gets brought in and interrogated and immediately confesses ish. He admits to generating sick those 600 codes, but he says he was just using them to download free movies that he watched with his girlfriend. He had them printed out, he scratched them out as he went, watching movies. But a multimillion dollar heist using this exact same system, he would never. Cookson asks him about the graphics cards purchased for Microsoft with these codes and, again, he kinda like waffles on it. Yes. I bought those graphics cards. They were for mining crypto. And, yes, I shipped them to that address, but a made up unit with a made up name, he doesn't he doesn't remember that part.

Speaker 2: Seems seems like it seems like seems like, yeah, seems like time to call your lawyer.

Speaker 1: Yeah. Volodymyr doesn't get there immediately. Four weeks later, Microsoft fires him. The thing that ultimately brings him down, though, is do you remember his startup from the start of the show, Search DOM?

Speaker 2: Yes.

Speaker 1: And you remember the first thing Kashuk bought with those codes, that that very first copy of Microsoft Office?

Speaker 2: He registered it to his company.

Speaker 1: Got brought down by search dumb man.

Speaker 2: Oh, my God. Lessons learned.

Speaker 1: Don't register your stolen software to your your new software company that you've just put an ad online with your face in it for. These are these are day one lessons here.

Speaker 2: So how do we how do we go from like, I can't believe it took him four weeks to fire him. But, like, how do we go from him being fired to him being fully blown out charged? I assume they've realized this, the scale of it.

Speaker 1: It's about a year later, 07/16/2019, and in the interim Volodymyr has gotten a new job. July 16, he does not show up to that new job because he is sitting on his couch as federal agents referred by Microsoft raid his house.

Speaker 2: Same house, I'm assuming? Same house?

Speaker 1: Same house. Same house.

Speaker 2: For now. Still still on Lake Washington? Yeah.

Speaker 1: For now. We're about to find out what his plans were, though. During this raid, the agents find USB drives full of stolen 25 digit codes. They find crypto wallet keys. They find notebooks with relevant bank account information. And importantly, they find a piece of paper titled How I will manage my next 10,000,000. On that list, a $4,000,000 home in Maui, a $1,000,000 house in the mountains near a ski lift, that was a quote, as well as the final bullet point that reads, one yacht. Wow.

Speaker 2: I don't know if he's looked at the price of yachts, but 10,000,000 certainly not getting you a house in Maui, a house in Aspen, and a yacht.

Speaker 1: Yeah. And I know that you're picking up a yacht with change after buying two houses.

Speaker 2: Yeah. Like, even 10,000,000. I think you're in, like, starter yacht land. Yeah. That's I feel like yachts are for the yachts are for the, you know, the the real the the b billionaires.

Speaker 1: Which brings us all to the legal fallout of all this from that court case we've been kinda hearing clips from throughout. February 2020, Kashuk gets taken to trial for identity theft, money laundering, wire and mail fraud. His defense argument in this is awesome. They argued, in no particular order, that Volodymyr was generating these codes actually as an act of promotion and service to his employer.

Speaker 2: Oh, yeah. Yeah. Yeah. Nice.

Speaker 1: They argued that Kashuk figured that the more free stuff Microsoft gave away, the more popular Microsoft would be. So Volodymyr thought he was helping by doing this. It's a bold argument. I'm not gonna lie.

Speaker 2: Sounds like he should have had get better lawyers at the top of that 10,000,000 list because I feel like that that argument is dead in the water.

Speaker 1: Yeah. I would argue that should have been on the how to spend the first $10,000,000 list.

Speaker 2: Yeah. Lawyers in all capitals.

Speaker 1: Lawyers. Get really good lawyers. Then they argued that the list of how he would spend the next 10,000,000 that they found in his house was just an aspirational mood board. They argued that him stealing his coworkers' credentials through Fiddler was not actually identity theft because those accounts aren't a real form of ID, which is interesting. But the prosecution had enough forensic financial proof to charge him. They had traced the laundered crypto through to his bank account. They had him on that alone. But, ultimately, those codes that they found in his apartment, the 25 digit gift card codes

Speaker 2: Mhmm.

Speaker 1: That's really all the evidence they need because those codes prove that he had generate he had come up with this system for generating those codes. The judge and jury found him guilty on all counts. He will have to make restitutions of around $8,000,000, and he will likely be deported when his sentence ends in 2027.

Speaker 2: Every day, we're given access to confidential information and systems in our jobs. Sure. And he just chose to use his for himself. And, you know, he sounds like he got part of what was rightly coming to him.

Speaker 1: Sure. Yeah. So many of these stories are about people having kind of an idea, and this feels a little more like a person making a discovery. Mhmm. They discover this button. They discover the ability to get other people's credentials. They sort of just discover this whole gift card to cash pipeline laid out in front of them, and then they just walk down that path they found. And it inevitably leads to the FIST team Andrew Cookson and nine years in prison once you've started walking down that path.

Speaker 2: I think it's I think it's really just about, you know, all of the things that he did that tied it back to himself. Like, did he really honestly think that he would never get caught?

Speaker 1: There's a lot of hubris. I won't lie.

Speaker 2: Yeah. It feels like if this like, I feel like if you're gonna do any kind of cybercrime, you should assume that as you know, if the x axis is time, you will converge to as you proceed down time, you will converge to being caught. Like, if he'd done one big bang and done made $2,000,000 and never touched it again Yeah. Maybe it would have disappeared if he'd never bought things for himself. You know? Obviously, that's Mhmm. A big no no. But but yeah. So, anyway, it just to me, it just seems like somebody who just maybe didn't have the thought to consider the fact that they definitely were gonna be caught sometime as as they Mhmm. If they kept going at it. And it seemed like to go get to the point where you know there's an active investigation, I'm assuming he probably knew. I'm sure they talked about it with their department. And to keep doing it, and then when you get the phone call to come in and have a conversation with the the big gun, you know, I I don't know.

Speaker 1: And it's especially that moment in the story when there's the two accounts he's been using and he generated, like, $7,000,000 worth of these codes through the two accounts. They shut down both of those accounts on the same day. Yeah. Every instinct in my body is telling me, oh my god. The walls are closing in. And instead, he boots up another account and immediately drains $1,600,000 worth of codes using the exact same process. That that is not the behavior of a person that is lying low because the spotlight is shining right next to them. That's a person who's just forging ahead.

Speaker 2: Yeah. Totally. And, like, the the thing is too is that if if they're at the point where they're closing those accounts down, they're probably monitoring gift card creation and marking them all as stolen anyways. Anyways. They're pretty much useless the second they get created. So, like, why would you I I don't understand the motivation there. Just greed? Sheer greed?

Speaker 1: In court, one of Kashuk's defense's many fascinating arguments was that none of this could be theft because gift cards have no intrinsic value. They're not currency. The prosecution, I think rightfully observed that for something that wasn't money, he sure had bought a house with it. But I guess I'll kind of wrap up with this idea, which is that, like, if you spend enough time reading about this, it does make you think about gift cards in a very weird way. Yeah. In their modern form, they're like a new invention. They sort of just popped up in the, like, late 1990s. They're not that old, even though they seem like they've been around in a drawer somewhere that whole like forever. Companies love gift cards. Depending where you live, they can expire. Changes to service fees means they can just basically lose value while they're sitting there. The difference between the value of the purchase and, the difference between the value and what you purchase often goes unspent. All of which means they're basically free money for the companies that issue them. They've sort of famously been used to reduce price transparency at different points in history. A little famous side story is in the mid two thousands, Microsoft's Xbox gift card system used a virtual point system rather than dollars, which made their actual value exceedingly difficult to keep track of.

Speaker 2: Yeah. Of course.

Speaker 1: Famous, like, tech drama where Walt Mossberg in 2006 calls Microsoft out saying that this point system they've engineered is it's not just kind of difficult. It's fully deceptive. Took, like, 79 Xbox live points to buy a song for your Zune player, even though the 79 points cost 99¢, but that point to penny ratio ebbed based on where you lived. It was all just very intentionally confusing and borderline deceptive.

Speaker 2: And now being used in every virtual game currency ever made. Name me one game now that doesn't use some form of point or internal currency that is Exactly.

Speaker 1: Probably programmatically deceptive. Exactly. So maybe the real social engineering hack here was gift cards all along. Maybe the the one argument Kashuk's defense never made was the one they should have, which is that this was really a Robin Hood type crime all along. He was taking from the rich Microsoft gift card department and giving himself a Tesla.

Speaker 2: What a Robin Hood story.

Speaker 1: It's a it's a classic Robin Hood story. Thank you to our new patrons on Patreon since the last episode. That's patreon.com/hackedpodcast. A great way to support the show. Morgan Vega. Thank you. Jimmy. Thank you for editing your pledge. It means a lot. And Alex. Thank you very very much. That's patreon.com/hackedpodcast. A great way to support the show. Thank you so much for listening. Thank you for making it to the end of another one, and we will catch you in the next one.
