drawkbox 5 years ago

Kvashuk, the complaint suggests, was undone by Microsoft's UST Fraud Investigation Strike Team (FIST), which noticed a suspicious increase in the use of CSV to buy subscriptions to Microsoft's Xbox gaming system in February 2018. The investigators traced the digital funds, which had been resold on two different websites, to two whitelisted test accounts.

From there, FIST proceeded to trace the accounts and transactions involved. With the assistance of the US Secret Service and the Internal Revenue Service, investigators concluded that Kvashuk had defrauded Microsoft, despite efforts to conceal his identity with fake accounts and to hide public blockchain transactions using a Bitcoin mixing service.

In addition to service provider records that point to Kvashuk, the complaint notes that Microsoft's online store uses a form of device fingerprinting called a Fuzzy Device ID. Investigators, it's claimed, linked a specific device identifier to accounts associated with Kvashuk.

Pretty involved dissection, went all the way down to digital fingerprinting to catch it.

The thief was smart about hiding it, but not smart enough; he had to know that after $10m they would catch on. Reminds me of the McDonald's Monopoly game that the extended family of one of the people who worked at the printing place kept winning, which was improbable, then expanded further to where everyone would give them a cut of the winnings, up to $24m [1].

> Jerome Jacobson and his network of mobsters, psychics, strip-club owners, and drug traffickers won almost every prize for 12 years, until the FBI launched Operation ‘Final Answer.’

Take $10m or $24m from a large corporation, someone is going to notice.

[1] https://www.thedailybeast.com/how-an-ex-cop-rigged-mcdonalds...

  • sametmax 5 years ago

    There are two technically interesting takeaways in this:

    1 - Microsoft, and probably most big companies, have persistent tracking IDs on most things that are hard to get rid of and can be used to identify you and devices linked to you in a fuzzy way. I mean, we know about super cookies, fingerprinting and such, but it's another thing to hear about it being used to track somebody who was careful and using multiple anonymous accounts.

    2 - BTC mixers will not protect you. Correlating one single wallet with you will make it possible for them to retrace the entire history.
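One way a fraud team can link accounts through device attributes in the fuzzy way described above, as an added illustration that is not part of the thread and not Microsoft's Fuzzy Device ID (the complaint does not describe how that is computed). The attribute names, weights, threshold and session records are all constructed for the example; the point it shows is that no single attribute needs to be a stable identifier for two accounts to be tied to one machine.

```python
"""Fuzzy device-fingerprint linking across accounts (constructed data).

Each session carries a bag of device attributes. Two fingerprints are scored by
the weighted fraction of shared attributes that agree, so a changed language
setting or OS build does not break the link on its own. Weights, threshold
and attribute names are assumptions for this example.
"""
from itertools import combinations

# Assumed weights: stable or rare attributes count more than volatile ones.
WEIGHTS = {
    "gpu": 3.0,
    "fonts_hash": 3.0,
    "screen": 2.0,
    "os_build": 2.0,
    "timezone": 1.0,
    "language": 0.5,
}

# Constructed session records: account name plus the attributes observed.
BASE = {"gpu": "vendorX-1070", "fonts_hash": "f3a9", "screen": "2560x1440",
        "os_build": "17134", "timezone": "-08:00", "language": "en-US"}
SESSIONS = [
    {"account": "test-acct-A", "fp": dict(BASE)},
    {"account": "test-acct-B", "fp": dict(BASE, language="ru-RU")},
    {"account": "personal-acct-D", "fp": dict(BASE, os_build="17763")},
    {"account": "retail-user-C", "fp": {"gpu": "vendorY-580", "fonts_hash": "0c11",
                                        "screen": "1920x1080", "os_build": "16299",
                                        "timezone": "-08:00", "language": "en-US"}},
]


def similarity(fp_a: dict, fp_b: dict) -> float:
    """Weighted share of attributes present in both records that match.
    Returns 0.0 when the records have no attribute in common."""
    shared = [k for k in WEIGHTS if k in fp_a and k in fp_b]
    if not shared:
        return 0.0
    total = sum(WEIGHTS[k] for k in shared)
    matched = sum(WEIGHTS[k] for k in shared if fp_a[k] == fp_b[k])
    return matched / total


def link_accounts(sessions: list, threshold: float = 0.8) -> list:
    """Sorted pairs of distinct accounts that share a fingerprint scoring
    at or above threshold in at least one session pair."""
    links = set()
    for s1, s2 in combinations(sessions, 2):
        if s1["account"] == s2["account"]:
            continue
        if similarity(s1["fp"], s2["fp"]) >= threshold:
            links.add(tuple(sorted((s1["account"], s2["account"]))))
    return sorted(links)


def clusters(sessions: list, threshold: float = 0.8) -> list:
    """Group accounts transitively via union-find over the linked pairs,
    so A~B and A~D place B and D in one cluster even if B and D alone
    fall below the threshold."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for s in sessions:
        find(s["account"])
    for a, b in link_accounts(sessions, threshold):
        parent[find(a)] = find(b)
    groups = {}
    for s in sessions:
        groups.setdefault(find(s["account"]), set()).add(s["account"])
    return sorted(groups.values(), key=lambda g: sorted(g))


if __name__ == "__main__":
    for group in clusters(SESSIONS):
        print(sorted(group))
```

The threshold is the knob that trades false links against missed ones; in practice an investigator treats a cluster as a lead to corroborate with other records (here, the service-provider and bank records the complaint cites), not as proof on its own.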

    • buildzr 5 years ago

      > BTC mixers will not protect you. Correlating one single wallet with you will make it possible for them to retrace the entire history.

      It's also possible they both knew the address which was paid out to buy the stolen merchandise and they saw he had withdrawals from a bitcoin exchange in bank records. Given these two facts, it's pretty easy to draw a line between them even when mixers are used. But if you don't already know who to suspect this is much harder to do.

      • x0x0 5 years ago

        My guess is this was reverse engineered. Once they had identified which employees had access to this digital currency, they looked to see who had $10m or so more than expected, and worked from that person to the bitcoin account.

        Driving a Tesla that costs significantly more than your take-home pay is... a suboptimal way to avoid being identified.

      • pbhjpbhj 5 years ago

        Hmm, that's not enough evidence to connect him -- he could be withdrawing Bitcoin to cash for something entirely unrelated. Him cashing in Bitcoin is circumstantial.

        "I bought some bitcoin for cash a decade ago" explains cashing Bitcoin, so what have you got left as evidence.

        • Tuna-Fish 5 years ago

          Sorry, just scratching a pet peeve:

          > Him cashing in Bitcoin is circumstantial.

          Other than confessions, most convictions happen mostly on the basis of circumstantial evidence. TV and movies have taught people that circumstantial evidence is "weak" and insufficient to get a conviction. This is simply not true. Sufficient amount of circumstantial evidence will put you in jail. The job of the prosecutor is not to meet some specific pre-defined standard, it's to convince the jury.

          And if the prosecutor has just spent the last hour talking to the jury about how they could track that x amount of stolen credits were sold for x bitcoin at date y, and this bitcoin was then fed to a mixer, and that on those same day or soon after you converted 0.95x BTC to $, and you could not positively prove where that money came from, if your strategy was just:

          > "I bought some bitcoin for cash a decade ago"

          Good luck with that.

          • koheripbal 5 years ago

            Not only that - circumstantial evidence is enough for a search warrant, and a search warrant almost ALWAYS reveals additional evidence.

            The point is that once the cops know who you are, you're fucked. Even if they are using classified methods to ID you, they'll then find something circumstantial to get warrants until they find you.

            The only way to get away is to completely avoid detection in the first place.

        • buildzr 5 years ago

          Sorry if it wasn't clear, I meant his addresses being visible on both the input and output of a mixing process but being discovered via separate means, one via tracing where the codes were sold, one via tracing his bank activity after investigating which account generated the codes.

          It certainly could be enough to connect him, if they already know the fraudulent codes were generated from his account, and you can see the mixing process and that he was clearly an output of it, that means that he would have had to buy bitcoin from someone who used his account to generate those codes... that's not going to play well to any judge or jury.
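The linkage described in the two comments above (a known tainted deposit into the mixer, then roughly the same amount minus a fee emerging on the same day to an address later tied to a bank-connected account) can be expressed as a simple amount-and-timing heuristic. The following is an added illustration, not part of the thread and not the investigators' actual method; the ledger entries, addresses and amounts are constructed, and the 48-hour window and 90-100% fee band are assumptions.

```python
"""Amount/timing correlation across a mixer (constructed data).

Given deposits into and withdrawals out of a mixing service, and a set of
deposit addresses already known to be tainted, shortlist destinations whose
withdrawals within a time window sum to almost the deposited amount. Summing
per destination also catches a payout split into several chunks.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed ledger. "in" = deposit to the mixer, "out" = payout from it.
TXS = [
    {"txid": "in-1",  "ts": "2018-02-10T09:00:00", "addr": "1TaintedSale",     "amount": 40.0, "dir": "in"},
    {"txid": "in-2",  "ts": "2018-02-10T10:30:00", "addr": "1Unrelated",       "amount": 12.0, "dir": "in"},
    {"txid": "out-3", "ts": "2018-02-10T12:00:00", "addr": "1SomeoneElse",     "amount": 11.5, "dir": "out"},
    {"txid": "out-1", "ts": "2018-02-10T13:00:00", "addr": "1ExchangeDeposit", "amount": 20.0, "dir": "out"},
    {"txid": "out-2", "ts": "2018-02-10T15:00:00", "addr": "1ExchangeDeposit", "amount": 18.0, "dir": "out"},
    {"txid": "out-4", "ts": "2018-02-15T12:00:00", "addr": "1Late",            "amount": 38.0, "dir": "out"},
]


def correlate(txs, tainted_addrs, window_hours=48, fee_band=(0.90, 1.0)):
    """For each tainted deposit, return destinations whose payouts inside
    the window sum to between fee_band[0] and fee_band[1] of the deposit.
    Output is sorted so results are deterministic."""
    outputs = [dict(t, ts=datetime.fromisoformat(t["ts"]))
               for t in txs if t["dir"] == "out"]
    findings = []
    for dep in txs:
        if dep["dir"] != "in" or dep["addr"] not in tainted_addrs:
            continue
        t0 = datetime.fromisoformat(dep["ts"])
        t1 = t0 + timedelta(hours=window_hours)
        # Group payouts landing in the window by destination address.
        per_dest = defaultdict(list)
        for o in outputs:
            if t0 <= o["ts"] <= t1:
                per_dest[o["addr"]].append(o)
        for dest, outs in per_dest.items():
            ratio = sum(o["amount"] for o in outs) / dep["amount"]
            if fee_band[0] <= ratio <= fee_band[1]:
                findings.append({
                    "input_txid": dep["txid"],
                    "dest": dest,
                    "out_txids": sorted(o["txid"] for o in outs),
                    "ratio": round(ratio, 4),
                })
    return sorted(findings, key=lambda f: (f["input_txid"], f["dest"]))


if __name__ == "__main__":
    for f in correlate(TXS, {"1TaintedSale"}):
        print(f)
```

The result is a list of candidates, not proof: a destination can match by coincidence, and a mixer that pays out in fixed denominations over random delays defeats the amount and timing signals. That is why the commenters stress the second, independent link (the destination showing up in bank or exchange records), which is what turns a candidate into evidence.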

        • simplyinfinity 5 years ago

          Except it's not... wallet history is public, with exact dates. If he bought it a decade ago he should be able to prove it in a couple of minutes.

        • dangero 5 years ago

          That's really for a jury to decide. It's not circumstantial when they have his device fingerprinted doing nefarious things at other steps of the theft process for the same amounts of money that are coming out of a coin mixer.

          • pbhjpbhj 5 years ago

            Are coin mixers really that rudimentary? If they are, why would you bother? It seems pretty easy to design a mixer that works, logically, so can no one muster the business backing (or is it legal issues?) to do that, not even in any country in the world?

            • heavenlyblue 5 years ago

              I am yet to see a single mixer that would cryptographically prove that I am not participating in an FBI scheme to mix BTC in order for them to then know who mixed what in the first place.

    • samdoidge 5 years ago

      As for 2, I would have thought one of the privacy coins could have been utilised:

      Buy Monero with Bitcoin -> Transfer Monero to another wallet -> Buy Bitcoin with Monero.

      But I guess it isn't that easy.

      • sametmax 5 years ago

        Most exchanges ask for KYC, so the BTC wallet would still be attached to your ID.

        You need to do that with individuals, which is much harder, especially for a high amount of money.

        Not saying this is impossible, but it's not as simple as it used to be.

      • magnamerc 5 years ago

        Apparently this also breaks Monero's privacy by identifying a BTC address associated with it (even without KYC). You need to buy Monero from LocalMonero if you want to be truly private.

    • nabnob 5 years ago

      I'm confused as to why Microsoft needed to use this tracking ID at all.

      Wouldn't Microsoft be able to trace the digital currency to the whitelisted test account? I'm assuming there's some kind of approval process for whitelisting test accounts (or at least you have to be in the right permissions group), otherwise anyone (even non-QA) could make a test account that bypasses their security.

      • testvox 5 years ago

        Tracing the bitcoin transactions might prove which account stole the money. But the device tracking helps prove which real person was controlling the account.

    • antpls 5 years ago

      > 2 - BTC mixers will not protect you. Correlating one single wallet with you will make it possible for them to retrace the entire history.

      Nothing new here. I thought transparent history was one of the main points of distributed ledgers. BTC was never meant to be anonymous.

    • homero 5 years ago

      Well Microsoft has access to full hardware IDs on PC and Xbox.

  • iamnotacrook 5 years ago

    "he had to know after $10m they would catch on...Take $10m, someone is going to notice"

    You don't know that for every person caught after taking $10m there aren't 5 who took $100m then stopped and got away with it. It's just pure speculation.

    • onion2k 5 years ago

      > You don't know that for every person caught after taking $10m there aren't 5 who took $100m then stopped and got away with it. It's just pure speculation.

      I'd assume a $100m hole in a company's balance sheet when they get audited would make the news.

    • drawkbox 5 years ago

      Possibly; in the McDonald's Monopoly scam eventually the mob got involved, so maybe some are able to get away with it somewhere.

      But like in Office Space, when the account gets big enough it has to eventually be investigated and people aren't smart to run up a big amount but get greedy, whether they find the money or not who knows but someone will know.

    • bduerst 5 years ago

      Yes, it would be survivor bias, but usually publicly-traded companies have a fiduciary duty to report these types of theft, even if they don't know who committed them.

  • johnbrodie 5 years ago

    The explanation in the article is fairly well done. One thing I can't help but think whenever there are more involved processes for catching someone though, is that we'll never know if that was the actual method used. For a large enough case, they could utilize some other, more secretive method, and then parallel construct this (believable) one, with the benefit of already knowing the final answer.

    Not something I'm saying _happened_ here, but certainly something I think everyone should keep in mind when they read these types of cases.

  • duxup 5 years ago

    From a technical standpoint I wonder what the developer who is stealing is thinking.

    I've worked lots of places with access to lots of things. I have technical know how and presumably so does he. Even if I was inclined to do something like this I know that many of my coworkers / people at the company ... are more than capable of tracking down most anything if given enough attention.

    The first and best protection I could think of is simply the volume of what is stolen to keep from being noticed. Once noticed with sufficient motivation it's just a matter of time.

    • fragmede 5 years ago

      Reading between the lines, the article says they got away with it for months, and were only caught because they got greedy - to the tune of a luxury car and a mansion! This smells like a crime of opportunity; most crimes aren't thoroughly planned, well-executed Hollywood-grade bank heists - or their digital equivalent, so there also isn't a thoroughly planned exit strategy to a non-extradition country, just a vague notion that something will happen, eventually. Possibly getting caught.

      • toyg 5 years ago

        > most crimes aren't thoroughly planned, well-executed Hollywood-grade bank heists

        And this is why Crime and Punishment is an ageless masterpiece of literature.

    • pbhjpbhj 5 years ago

      There's lots of things that could impair his reasoning (drink, gambling, other emotional stress, illness), or it could be motivated by revenge, or ...

  • anonymous5133 5 years ago

    Using a bitcoin washing service and then sending the proceeds from the bitcoin transactions to your bank account is not exactly trying to conceal the activity.

    • darkpuma 5 years ago

      Trying ineptly is still trying.

    • blaser-waffle 5 years ago

      So then what is the play? Send it to someone else's bank account?

      • magashna 5 years ago

        Monero laundering, or holding it for a while. Get too greedy and move too quickly, likely to stumble

        • darkpuma 5 years ago

          > "or holding it for a while."

          I wonder if the FBI has an automated system for monitoring bitcoin addresses that are associated with investigations that went cold possibly years ago, and as such no longer have the active attention of any [human] agents. Probably, right? It seems like it would be a good idea anyway.

        • bduerst 5 years ago

          Are there any reliable and trustworthy Monero exchanges that allow anonymity? Not even Coinbase supports Monero, and Kraken requires identification.

  • mtgx 5 years ago

    > Take $10m or $24m from a large corporation, someone is going to notice.

    This is the problem with stealing "easy money." It's hard to stop, especially if you don't spend the first portion of money wisely.

    It's why card skimmers always get caught, too, eventually. They can't just steal $100,000 and be done with it. That's barely enough for a fully loaded Tesla Model S. They have to keep on stealing, and after a few years of this, are you really going to go back to a 9-5 job paying you $30,000 or less a year for hard work?

    So it's not really about criminals "being dumb" about continuing to steal the money, unless you define being dumb the moment they first did it. It's more about them feeling like they have no choice but to keep doing it.

    • driverdan 5 years ago

      > It's why card skimmers always get caught, too, eventually.

      They don't always get caught.

      > This is the problem with stealing "easy money." It's hard to stop, especially if you don't spend the first portion of money wisely.

      This is very true. Easy money skews how you think. When I was into credit card fraud money became less meaningful. I could get almost anything I wanted for free using stolen cards.

      That said, I also kept my activities below what I considered a safe threshold, volumes that would be less likely to cause a large investigation.

    • gwd 5 years ago

      > This is the problem with stealing "easy money." It's hard to stop, especially if you don't spend the first portion of money wisely.

      Plus there's a weird psychological effect in some people where they feel guilty and actually want to get caught. A few years ago I dropped my wallet somewhere, and someone picked it up and used the contactless cards a couple times. They caught him when, the next day, he was shouting and threatening people and generally acting obnoxious, and was arrested with my wallet (complete with my photo ID) still on him.

      Why did the guy suddenly get himself arrested? Why didn't he at least get rid of the wallet first? Maybe there's no connection between the two, but people are complicated.

      • baybal2 5 years ago

        I doubt that this played a role; that's just such a personality type which predisposes a person to crime and trouble, or the "without brakes" behaviour.

        • gwd 5 years ago

          ...and one of the things that plays into that "personality" type is how they feel about themselves. It's a very common pattern that when people are treated better than what they think they deserve, they feel uncomfortable, and subconsciously do something to sabotage things, so that things go back to the expected and familiar. (I'm preparing to adopt, and that's one of the things we're consistently warned to keep an eye out for: children from chaotic, abusive households doing things to provoke you and make you angry, so that you treat them the way they're used to being treated.)

          People are complicated and it's difficult to find individual causes; and everyone responds to things differently. I'm not trying to say that everyone who commits crimes just has low self esteem. People have choices; and there are genetic and other environmental factors (exposure to lead being a big one). But it's quite certain that subconscious "I deserve to be punished" motives are a thing.

      • watwut 5 years ago

        > Why did the guy suddenly get himself arrested? Why didn't he at least get rid of the wallet first? Maybe there's no connection between the two, but people are complicated.

        Most likely, stealing your wallet was part of impulsive behavior. Yours was not the first wallet, and him being threatening or obnoxious was not his first such time. Most low-level criminals are like that.

      • IG_Semmelweiss 5 years ago

        No. Has nothing to do with psychology.

        The name for this in statistics is ergodicity. Nassim Taleb, an expert on this subject, as well as many other authors in risk management have established that even professionals in statistics fare very poorly in understanding ergodicity in real life.

        In short, it's not psych, it's human nature.

    • zulln 5 years ago

      > It's why card skimmers always get caught, too, eventually.

      Given how much money is actually estimated to be skimmed and how few actually get caught, I doubt this.

    • natrik 5 years ago

      The guy in the article here was making $116,000 per year.

  • gingabriska 5 years ago

    > The thief was smart about hiding it, but not smart enough

    I am interested in knowing in what ways he could have never been caught? What did he miss?

    • ars 5 years ago

      He should have slowed down maybe.

      Also got greedy - he could have had 1 million and lived on the interest, but he had to keep going.

      • brianwawok 5 years ago

        Most people over-estimate the long term life of a million dollars in 2019.

        Standard wisdom gives you the 4% rule, i.e. you can spend 4% of a balance to have the principal last forever (based on historic stock market data, no guarantee it will actually work in the future).

        4% of a million is only 40k. Can you live on 40k a year? Yes, billions of people make less than or equal to 40k a year. However most software devs like this guy who was making over 100k a year would be "content" to retire on 40k a year.

        He would need at least 3 million to live on the 120k a year ;)

        • bduerst 5 years ago

          This is also handy napkin math for retirement.

          • justsid 5 years ago

            More like handy napkin math to figure out that my retirement plan is going to involve me dying young.

      • tuananh 5 years ago

        He sold it for much cheaper. 10m could have been sold for 1 or 2m.

  • dd36 5 years ago

    We only know about the times it is noticed.

astura 5 years ago

I think this is an example of "pigs get fat, hogs get slaughtered."

Edit: if someone looks at a jail sentence and a $250,000 fine and decides stealing millions is still "worth it" even if you are caught, it's actually not. Judges order restitution to the defrauded, even if you can't realistically pay it. That means your assets will be seized (bye bye Tesla and house) and you'll never be able to build wealth ever again because any of your future wages will be garnished, forever, because you'll never be able to pay back that debt, which will be the amount you stole plus interest plus legal fees.

  • ev0lv 5 years ago

    He will likely just go to Ukraine after he gets released.

martin_ 5 years ago

> If convicted of mail fraud, the former Microsoft software engineer could face as much as 20 years in prison and a $250,000 fine.

It doesn't mention returning what he took... So he steals over 10m and buys a 1.6m house and can only be fined up to $250k? With 20 years in prison, and let's say out in 10 years of good behavior wouldn't that raise his annual income (which is taxed) from $116,000 to north of $1m?

  • ovi256 5 years ago

    If they can find it, the government will seize it, don't worry. They even double dip: they seize both the stolen goods and the money paid for them, using the forfeiture doctrine unique to the US. Then, the payer has to prove he was buying in good faith (which will be a steep hill to climb, given the usual conspiracy between buyer and seller of stolen goods) in a separate lawsuit against the government if he wants the money back.

    • candiodari 5 years ago

      The worst of it is that money forfeited is NOT returned to the person it was stolen from. This is one of those things that is so obvious everyone thinks that this is what happens but in fact does not happen in many cases. The police may themselves sell the recovered stolen goods instead of returning them. You don't have any recourse.

      So the only thing you can achieve by reporting a theft is that someone gets subjected to the US justice system (assuming they do anything at all). It is highly unlikely you get anything back. So you shouldn't do it to recover your goods.

      Furthermore, reporting anything to the police has extra consequences:

      1) they will investigate, and may find something wrong with you

      2) they may report it to other government organizations which may use it in ways you did not anticipate and really don't want (e.g. child services: your house was broken into and is "not livable")

      3) just the association, or that the neighborhood sees police officers near/in your house will spread and may have consequences.

      There's nothing to gain from using the justice system and everything to lose.

      • ovi256 5 years ago

        While these things happen, it's an overly negative view. A citizen reporting a theft has a very low probability of a negative outcome from his interaction with the police.

        >nothing to gain from using the justice system

        Insurance may require the theft to be reported before they cover any claims.

        • _jal 5 years ago

          > Insurance may require the theft to be reported before they cover any claims

          Yes, that's the reason to report.

          Another reason not to, if you don't have insurance: creepy cops being creepy at you. Story time:

          Walking home with my then-housemate after dinner that involved drinking, we were mugged. Minor violence, lost our wallets.

          I called the cops. They wanted to come the next day to do an interview, which I declined, pointing out they weren't going to try to find the wallets, so what's the point? At which point cop starts getting weird, first saying they need their statistics for better funding. I still decline, and he says "Well, we'll send someone anyway" and hangs up.

          Sure enough, a cop shows up the next day. I tell him I don't need his services and he starts pressuring me for a report. At this point, I'm pissed and tell him to leave; he makes vague noises about maybe not responding to this block very quickly in the future; I barely manage not to say something really rude that most likely would have escalated things.

          My policy now: if I'll probably die anyway, or if it involves enough money that I can't ignore it, I might call the cops. Otherwise I'll take my chances that inviting more shitty people to a shitshow will just turn it worse.

          FTP.

          • celticmusic 5 years ago

            What people don't understand is that when you call the police, you have no control over the situation anymore, the police do.

            If you can reasonable keep control (and that could be a simply having the ability to walk away) then do that instead of calling the police.

            Once you call them, you're trusting that they won't turn on you, or take issue with you.

      • WoahNoun 5 years ago

        You are conflating two different things. Asset forfeiture for assets used in a crime and asset seizure of stolen assets. The former the government generally keeps as it has no rightful owner (eg a car purchased with drug proceeds) while the latter is dispersed among aggrieved parties as equitably as possible based on the amount recovered (Bernie Madoff; Mt Gox; David Brooks; etc).

        • ovi256 5 years ago

          > conflating two different things ... asset seizure of stolen assets

          Yeah, seems like I was, in the general case of stolen assets, sorry. My example applies to the more limited case of sale of stolen assets to a buyer, where there's enough conspiracy between seller and buyer, and the buyer is an unpleasant career fence. It happens often enough: there's a specialized network of fences (dealers in stolen goods). Given the efforts the parties make to keep their operation covert, conspiracy is easy for the government to allege. And the civil forfeiture against the money used to buy the goods proceeds without a hitch. Yet the fence is not indicted. It happens at scale; you can be sure that false positives (honest citizens who happen to look bad) get burned too.

        • candiodari 5 years ago

          Except of course that if a car is purchased with drug proceeds the government will keep the car AND get the money back from the vendor if they can.

          So if they actually manage to do that (obviously people don't generally commit crimes because they're swimming in money), then no, this is wrong information.

          • WoahNoun 5 years ago

            You have a source on the government going after a car dealership for funds from selling a car that was seized?

      • wongarsu 5 years ago

        That sounds incredibly broken and seems to remove all incentives from reporting theft.

        Given that a working justice system is what separates capitalism from anarchy, how is this allowed to happen in America?

        • Aeolun 5 years ago

          I don’t know if you’ve recently taken a look at what else is allowed to happen in America, but I think this is perfectly in line with the other insanity.

          It’s interesting, since in daily life it seems almost normal.

        • Sag0Sag0 5 years ago

          The fact that people like the idea of revenge and getting back at their attackers? The fact that corruption is rarely a serious problem as long as a justice system functions relatively ok? Because some parts of America are chaotic hellholes?

        • chii 5 years ago

          The police were never about protecting the citizens. It is about policing the citizens. The thieves are made an example of, to discourage general petty crimes. Big flashy crimes are sometimes worked on to make a show of force, and to keep up appearances.

          Individuals will not get any protection from the police. Therefore, take your own protection into your own hands. Alarms, and strong doors and windows, good locks. Don't store too many valuables, and keep a security camera visible to deter would-be thieves. If you can, firearms are also needed. I know many here are against guns, but I do believe they have uses, and self-protection is one of them.

    • antihero 5 years ago

      What if it is in a crypto wallet?

      • moftz 5 years ago

        They can seize that too and then auction it off later. The FBI seized the SilkRoad's escrow account, 26k BTC.

        • Aeolun 5 years ago

          Isn’t that all owned by people? How are they allowed to just take that (and likely from non-us residents as well)?

          • _jal 5 years ago

            The relevant question is, who is going to stop them?

            • chrshawkes 5 years ago

              Just ask Kim Dotcom about that. I mean, he sorta won extradition but the FBI did their best to ruin his life and were pretty successful at that.

              • vunie 5 years ago

                This is what it always boils down to. Right and wrong is irrelevant. Those with the biggest guns win.

          • unilynx 5 years ago

            ... and those people are free to sue the Silk Road guy for the money they lost.

          • moftz 5 years ago

            If you can prove your money is in there and can also prove that the money wasn't proceeds of a crime (selling illegal drugs, firearms, etc) then it's yours. I'm guessing very few people really wanted to tell the FBI who they were and what they were selling/buying on there.

        • gruez 5 years ago

          how do you seize a brainwallet?

          • tdxcbkifxx 5 years ago

            By cracking the weak crypto used to generate it

  • astura 5 years ago

    No because in addition to the fine, which goes to the government, he'll be ordered to pay restitution to Microsoft for any money they are out as a result of his criminal actions - which would probably be the entire amount of money he stole and their legal fees at the minimum.

  • rahimnathwani 5 years ago

    Fines are punishment. Restitution/compensation is separate.

    • pkilgore 5 years ago

      This. Also, as an attorney, I view all descriptions of possible sentences with extreme skepticism.

      A hyperbolic explanation [1] so I don't have to retype something similar:

      > Federal sentences are calculated using the United States Sentencing Guidelines. The guidelines are a very complex set of rules used to calculate a federal sentence based upon the crime charged, the circumstances of the case, and the criminal record of the defendant. Calculating a very simple sentence is like completing a very simple tax return under, say, 1040-EZ; a complex sentence is like completing a tax return for a troubled entity engaged in questionable tax practices. Or, for you old-school geeks, like creating a Runequest character for a friend who is an argumentative rules-lawyer. From the enactment of the guidelines in the 1980s until United States v. Booker in 2005, the guidelines were binding upon federal judges — they had to follow the guidelines unless there were grounds for a "departure," meaning the rare circumstance not contemplated by the guidelines. Guidelines-application litigation was time-consuming, tedious, and generally despised by trial and appellate judges. In 2005, the Supreme Court decided to construe the guidelines as mere recommendations which federal judges must consider, thus avoiding the Constitutional dilemma of the sentencing judge making findings of fact driving the sentence without a jury's input. Now, federal judges calculate and consider guidelines sentences, but make their own determination, taking into account the factors required by federal statute. Appellate courts review trial judges' sentences for "reasonableness," in which adherence to the guidelines is one factor. Sentences within the guidelines are presumed reasonable. Most federal judges tend to issue sentences close to the guidelines; some impose sentences below, but it's rarer to see one impose a sentence above.

      [1] excerpted from the much longer and funnier https://www.popehat.com/2013/02/05/crime-whale-sushi-sentenc...

  • ABeeSea 5 years ago

    These are federal charges in a federal court. There is no getting reduced sentences for good behavior in the federal system; that’s only for state courts. If he gets 20 years, he has to serve at least 16 by law.

    • ziddoap 5 years ago

      I'm not familiar with how your system works, but aren't these two statements contradictory?

      >There is no getting reduced sentences for good behavior

      >If he gets 20 years, he has to serve at least 16 by law.

      I am assuming that the 4 year difference would be applied in the event of... Good behavior?

      • celticmusic 5 years ago

        it's probably written into law as opposed to being a decision made by a panel/judge (just guessing).

      • gruez 5 years ago

        parole?

        • ziddoap 5 years ago

          Which, as far as I know, is generally granted on terms of good behavior.

mevile 5 years ago

I'm glad he was caught. Kudos to Microsoft's security team for their help catching him. If he was arrested in July 2019 after being dismissed in 2018 after the investigation began, I wonder why he didn't run then?

  • londons_explore 5 years ago

    Perhaps he was dismissed for some other unrelated reason?

    Or perhaps he was very confident in hiding the fact he was behind the scam? I.e., he might have just claimed someone else must have guessed his test account credentials because the password was "1234".

  • duxup 5 years ago

    I wonder what % of people would really put a serious effort into running and staying hidden long term.

    That's not a sure deal, and leaving the familiar for a life on the run / looking over your shoulder is a pretty big thing to consider.

anonymous5133 5 years ago

I've read the indictment and here are my comments on it:

1. Stop using google and related services. They log all your data forever (keyword searches). The FBI/governments are now going to google to get this data to use for investigation purposes. This is probably the same for any major internet company that records data (they all do). The only exception is for companies that pride themselves in having a "no logging" policy...maybe like duckduckgo.

2. Your computer can be tracked by its device characteristics. This is almost the same as your IP address or physical address to a certain extent. This was a significant part of the prosecution's evidence. You can use a USB bootable device like TAILs to potentially mitigate this risk.

3. The guy filed tax returns for something like 50-150k/year in taxable income. In certain years he had deposits into his bank account totaling $2.8 million.....I mean come on now...how do you think that's not going to raise a red flag...at least for the IRS?

4. BTC mixing services will not necessarily guarantee your privacy, especially if you are using KYC exchanges. Even if you are not doing anything illegal with your BTC...you'll still have to be able to explain where the money came from. This guy was going to use the excuse that his father gave him the BTC for free....and paid for all the BTC with cash.

5. If you're doing anything shady, for the love of god don't use a bank. Also if you are doing anything shady, don't use a KYC exchange. You're probably just better off staying entirely in crypto or selling the crypto for physical cash and just staying in cash.

My overall impression is for the amount this guy stole, he planned it out very sloppily and made very little effort to EFFECTIVELY conceal his activity.

  • smogcutter 5 years ago

    At this point, basically your plan needs to end with "and then move to a non-extradition country" or you're fucked, sooner or later.

chiefalchemist 5 years ago

> "In addition to service provider records that point to Kvashuk, the complaint notes that Microsoft's online store uses a form of device fingerprinting called a Fuzzy Device ID. Investigators, it's claimed, linked a specific device identifier to accounts associated with Kvashuk."

1) I guess he wasn't aware of this ID'ing. That's odd.

2) Fake accounts aside, I'd presume he used a VPN as well as other means to mitigate his trackability. But the FD ID can still work? Ouch.

3) If this is what MS can do, imagine what the NSA is dabbling in.

qaq 5 years ago

They always forget the last step: move to a country with no extradition to the US.

  • koheripbal 5 years ago

    How would he have convinced his wife and kids that that was necessary?

darkwater 5 years ago

TBH the article looks a bit sensationalist. The $10m worth in CSV were sold obviously at a lower price, so it couldn't possibly make him 10 million US dollars; plus, they went through other black market resellers who I guess would take their cut.

  • withinrafael 5 years ago

    He netted roughly 3 million USD [1] after a bunch of resale activity, per the complaint (case 2:19-mj-00321-PLM).

    [1] https://regmedia.co.uk/2019/07/17/us_v_kvashuk.pdf page 25

    • newyankee 5 years ago

      Won't the IRS find sudden jumps in balance? He must have had to pay taxes on this, I guess. How else can he explain the source?

      • withinrafael 5 years ago

        Page 25 of the complaint (see parent post) also details how he didn't report the new income to the IRS and filed false returns. (Ouch.)

      • pbhjpbhj 5 years ago

        Bought Bitcoin and held it (offline wallet) for ~15 years?

        • newyankee 5 years ago

          But then they will ask for blockchain transaction history to prove it?

          • pbhjpbhj 5 years ago

            If you washed it, surely you can't do that?

fareesh 5 years ago

When he buys the stored-value stuff off the store using his test account and then the stored-value card is redeemed by like 100 other Xbox accounts, isn't that all the evidence you need?

1) Sale Transaction of stored-value currency linked to Dev

2) Stored-value currency redeemed and deposited into accounts linked to spaceninja888 on X-Box Live (100 other transactions like this)

Isn't this sufficient evidence to prove he stole the money? Even if he gave it away for free, isn't it still fraud?

  • homero 5 years ago

    It was A test account, it wasn't exactly linked to him.

    • techslave 5 years ago

      it was directly and uniquely linked to him.

    • fareesh 5 years ago

      did multiple users have access to it?

  • techslave 5 years ago

    yes. that’s how they got him.

zerr 5 years ago

> initially worked for Microsoft as a contractor

How do you find such contract work? (at BigCo's I mean)

  • juskrey 5 years ago

    > How do you find such contract work? (at BigCo's I mean)

    Become a half-human slave to one of large outstaffing companies with a proud yet faux label of "free contractor", for tax purposes.

  • kiallmacinnes 5 years ago

    Microsoft employs many contractors, we tend to call them "vendor staff" internally. More often than not these people will come from external companies who supply the staff, but they will be based on-site and embedded onto a team for the duration of their contract.

    Pretty sure I can't name any of our vendor companies, but you can take a guess at some of the bigger ones I'm sure.

    • deaddrop 5 years ago

      >...we tend to call them "vendor staff" internally...

      There was a time when MSFT called them "dash trash". Good times. /s

      • Scuds 5 years ago

        They still tend to get worked pretty hard, have no job security and don't get paid anywhere near as well.

    • juskrey 5 years ago

      Not a big secret - just google largest Ukrainian IT companies (they are all outsourcing)

    • magashna 5 years ago

      Getting an auditing threat from @v-microsoft.com accounts is pretty common.

  • deaddrop 5 years ago

    >How do you find such contract work?

    It's a misnomer[0]. You usually find this work through vendor companies that actually hold the contracts with BigCo's. To the BigCo, you're a contractor but you're "technically" an FTE with the vendor company, who holds the actual contract (head count x duration) to work at the BigCo.

    [0] - https://en.wikipedia.org/wiki/Misnomer

    • codingdave 5 years ago

      I'm wondering why you felt the need to link to a definition of a word you used?

      • ej12n 5 years ago

        for the reader, not the writer. he/she obviously knows the word but a potential reader might not and he's just saving them the google search, my guess ¯\_(ツ)_/¯

      • techslave 5 years ago

        he doesn’t realize all modern OS can automatically look up word definitions?

  • dboreham 5 years ago

    Knowing someone who works there and wants something done badly enough to go through the internal procurement process is one way.

nobrains 5 years ago

"... despite efforts to conceal his identity ... to hide public blockchain transactions using a Bitcoin mixing service."

Does someone have details on what he was trying to do here and why did he have to use bitcoin mixing in the first place?

  • candiodari 5 years ago

    I imagine that if you do this, you'd sell gift cards for store currency in Bitcoin, and presumably also in cash. You'd probably want to avoid using bank transactions.

rit 5 years ago

Supporting test credit cards in production with no fraud or risk assessment.

Do you want fraud? This is how you get fraud.
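As an added example (not code from the thread or from Microsoft), this is the kind of production-side control the comment above is asking for: test payment instruments are refused in production unless the account is explicitly allowlisted, allowlisted test accounts may buy stored-value items (CSV, gift cards) only up to a small cap, and a batch audit flags any test account that trips a deny. The `TEST-` instrument prefix, the account names, the cap and the sample purchases are all constructed assumptions for the example.

```python
"""Constructed example: keep payment test instruments out of production
purchases and flag stored-value (CSV / gift card) buying by test accounts.

Every identifier below (instrument prefix, account names, cap, sample data)
is an assumption made for this example, not a value from the case."""
from collections import defaultdict
from dataclasses import dataclass

# Assumption: test payment instruments carry a recognisable prefix.
TEST_INSTRUMENT_PREFIX = "TEST-"
# Assumption: the only test accounts permitted to transact in production.
PROD_TEST_ACCOUNT_ALLOWLIST = {"qa-storefront-01"}
# Items that convert directly into resellable value.
STORED_VALUE_ITEMS = {"csv", "gift_card"}
# Assumption: lifetime cap on stored value a test account may buy with a test instrument.
STORED_VALUE_CAP = 25.0


@dataclass(frozen=True)
class Purchase:
    account: str
    instrument: str
    item: str
    amount: float


def is_test_instrument(instrument: str) -> bool:
    return instrument.startswith(TEST_INSTRUMENT_PREFIX)


def authorize(p: Purchase, env: str, spent_so_far: float = 0.0):
    """Return (decision, reason) for one purchase.

    spent_so_far is the stored value this account has already bought with
    test instruments; the caller tracks it (see audit_batch)."""
    if not is_test_instrument(p.instrument):
        return ("allow", "real payment instrument")
    if env != "production":
        return ("allow", "test instrument outside production")
    if p.account not in PROD_TEST_ACCOUNT_ALLOWLIST:
        return ("deny", "test instrument in production from non-allowlisted account")
    if p.item not in STORED_VALUE_ITEMS:
        return ("allow", "allowlisted test account, non-monetary item")
    if spent_so_far + p.amount > STORED_VALUE_CAP:
        return ("deny", "allowlisted test account exceeded stored-value cap")
    return ("allow", "allowlisted test account within stored-value cap")


def audit_batch(purchases, env="production"):
    """Run authorize() over a batch while tracking per-account stored-value spend.

    Returns (decisions, flagged) where flagged maps each account that hit a
    deny to the total stored value it attempted to buy with test instruments."""
    spent = defaultdict(float)      # stored value actually allowed, per account
    attempted = defaultdict(float)  # stored value attempted, allowed or not
    decisions = []
    flagged = {}
    for p in purchases:
        decision, reason = authorize(p, env, spent[p.account])
        decisions.append((p, decision, reason))
        if is_test_instrument(p.instrument) and p.item in STORED_VALUE_ITEMS:
            attempted[p.account] += p.amount
            if decision == "allow":
                spent[p.account] += p.amount
            else:
                flagged[p.account] = attempted[p.account]
    return decisions, flagged


# Constructed sample purchases: a normal QA check, a test account creeping past
# the cap, a non-allowlisted test account, and an ordinary customer.
SAMPLE = [
    Purchase("qa-storefront-01", "TEST-4111", "subscription", 0.0),
    Purchase("qa-storefront-01", "TEST-4111", "csv", 10.0),
    Purchase("qa-storefront-01", "TEST-4111", "csv", 10.0),
    Purchase("qa-storefront-01", "TEST-4111", "csv", 10.0),   # 30 > cap: denied
    Purchase("rogue-test-07", "TEST-4111", "gift_card", 100.0),  # not allowlisted: denied
    Purchase("customer-42", "4242-real", "csv", 100.0),          # real card: allowed
]

if __name__ == "__main__":
    decisions, flagged = audit_batch(SAMPLE)
    for p, decision, reason in decisions:
        print(f"{decision:5} {p.account:17} {p.item:12} {p.amount:6.2f}  {reason}")
    print("flagged:", dict(flagged))
```

The point of the cap rather than a flat ban is that QA still needs to exercise the stored-value purchase path; what it never needs is unbounded value. The `flagged` map is what a fraud team would alert on, and the denied `rogue-test-07` row shows that a test instrument alone, without the allowlist entry, buys nothing in production.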

0n34n7 5 years ago

Silly billy

TheLuddite 5 years ago

Too bad that he was not from a serious country like Russia or China. He could've taken the money and gone home, and the US cannot deport him.

  • AndriyKunitsyn 5 years ago

    Ukraine also doesn't give up its citizens, just like Russia. Ukrainian and Russian hackers are often caught in their holiday trips abroad, when they relax from their money stealing activities. But that's the point of luxury life - it's easier to live it in US than in Ukraine.

    And why is that "bad"?

    • Bartweiss 5 years ago

      It is interesting that he decided to stick around in Washington after ripping off Microsoft. He bought a $1.6M house there, so he presumably liked the area, but it seems like one hell of a risk. Even if he kept coming to the US or had his banked funds seized, locating hard assets like the house in Ukraine would do quite a bit to improve his odds of a good outcome. Among other things, a potential $250k fine on a $10M theft doesn't sound like much, but it's got to be tough to pay off with your assets seized and your career prospects crippled. Having some seizure-proof goods in another country would have made that a lot more manageable.

      Of course, the risk/reward on this sort of thing is usually crummy regardless, so maybe we shouldn't be surprised (much less disappointed) that the people involved tend to make some other risky choices.

    • gdy 5 years ago

      You need to change your constitution!