Hacked - The Regifter

Episode Date: December 1, 2022

The story of one man trying to make his fortune one Xbox gift card at a time.

Transcript
Starting point is 00:00:00 Do you have any unused gift cards sitting in a drawer somewhere? Oh, absolutely. I think everybody has the little container tray in their junk drawer just full of ghosts of Christmas gift cards past. What are we talking about here? Best Buy? Chapters. Sport Chek. Home Depot.
Starting point is 00:00:23 Like the local ramen shop we like. You name it. There's like a decent amount of cards. Let's start this off by talking about how you can turn those gift cards into cold, hard cash, because it is very important to all of this. There's a bunch of websites on both the clear and dark web for turning gift cards into money. But the one that we're going to talk about because it comes up most in this story is called Paxful. Paxful.
Starting point is 00:00:54 Paxful describes itself as a peer-to-peer platform for buying and selling Bitcoin. But the interesting part is that you can buy Bitcoin from other users using, quote, 350 plus payment methods. And just shy of half of those payment methods are different kinds of gift cards. So if you've got a gift card to your favorite ramen shop, on Paxful.com, you can sell it to someone for Bitcoin. You got a gift card to Chili's. You can buy some crypto with it. Costco, Dell, Disney, IHOP. Buy and sell crypto.
Starting point is 00:01:27 Which, if you were so inclined, you can then convert into currency wherever you live. Kind of a gift card to cash pipeline. Most folks listening to the show have probably heard about like scams and grifts and social engineering hacks that end with the victim sending the scammer a gift card. Right. They're basically untraceable. They make a great medium for scams. They were kind of the medium before crypto, right? Mm-hmm.
Starting point is 00:01:55 Because once you've convinced someone that you are from the IRS and the only, you're only, you're not. The only way they can avoid a massive fine for back taxes is to send you 500 bucks in gift cards to Applebee's right now. It's very easy to turn those gift cards back into cash using sites like Paxful. But those businesses, Adidas, Costco, Denny's, somewhere deep in the bowels of their like finance departments, there exists a database, a spreadsheet, essentially, of codes, strings of typically 25, like, numbers and letters that correspond to some dollar value. There's a whole system for generating those codes. There's a system of accounts for testing them. And the codes aren't worth anything
Starting point is 00:02:39 until someone takes it, turns around, and hands it back to the company and says, I've been told this is worth $20 of stuff. I'd like that stuff. The company checks the database, confirms that to be true, and lets that person walk out with sneakers or pancakes or in-app purchases.
Starting point is 00:02:59 But just for a second, let's think about a person who works at one of those companies in the department with the big database of codes, who finds like hiding in that system a button that says make new gift card code. And they figure out a way to press that button anonymously and as many times as they want. 20 years ago, that person had found a button to create, you know, infinite sneakers or pancakes or whatever, and they'd get caught really quickly because they're stealing from the one place that takes the currency they're stealing. But that was back then, before sites like Paxful. Today, that person with a little bit of automation, an account on Paxful and a crypto
Starting point is 00:03:51 wallet has basically discovered a button that prints money. Generate the code, sell it for Bitcoin, convert the coin to cash, buy a yacht. This is the story of Volodymyr Kishuk, a former junior Microsoft engineer who found that button and kept pressing it until the bitter end. Here on Hacked. I have, I checked before we recorded, I have $75 to Best Buy and I think like four, some like change left on a Chapters gift card. And I think that's it. I think I've worked through the rest of them. Wow, good work. Yeah. Good work. I'm putting the time in, man. I think somebody else we
Starting point is 00:04:49 need to give a shout out to is all of the hardworking scammer payback people like Kitboga on YouTube. These people who literally have made a career just harassing the people that constantly harass us. Sure. I know, I know it's it's cyber deal in Black Friday. Cee's and I've been considering changing cell phone plans, which I did do. And one of the big things I was looking for was the call confirmation. I don't know if you're aware of this. No. But essentially they have to confirm that they want to call you.
Starting point is 00:05:23 So like all of those bogus auto dialer calls just get dead blocked. Oh, wow. And yeah, that's a great feature. Yeah, sadly, like the thing is, like I've essentially stopped answering my telephone at this point. If I don't have your number in my phone, then I don't pick up because I just assume it's a scammer. Like I get so many a day, which is not great for business or otherwise, but it's just, you know, for my mental health, I just have to not pick up my phone 73 times a day to hear, you know, the CRA is busting you or the IRS is coming for you or whatever it is. And it's always send us a pay card. Send us a, yeah, Android, Google Pay, please. Target gift cards. Great. So big ups to all the all the scammer payback people out there, you know, doing one for the team.
Starting point is 00:06:08 I do love those videos. Every so often the algorithm just sort of like, do you want to watch a person on the far end of a webcam freak out? Because they got hacked by the person they were trying to hack. I'm like, I do. I do want to watch that. Yeah, same. I enjoy watching those too. Load it up. So if you haven't managed to have the algorithm feed you one of these things yet, I highly recommend very funny, YouTube.com slash kitboga, K-I-T-B-O-G-A, or Twitch. I think he's on Twitch as well. You know, one of the best, I think. His harassment is next level. One of the greatest to ever do it.
Starting point is 00:06:45 The goat of scammer harassment. And I think he's actually famous in the scammer world at this point. Like, these people know who these people are. And, like, they know when they're being played almost because he's so good at it, which is so funny. Do you think that scammers seek out? This is a total detour. Do you think that people that do scams try and seek out the people that take on scammers on YouTube almost as like the Olympics of doing
Starting point is 00:07:14 scams, like if I can get them. Maybe, maybe. If I can pull the rug over or is it, you just want to be famous. Like I just want to be on that stream. I want to see if they can get me. I don't know. I never thought about that. Just like, would I be the goat of scammers to scam the goat of anti-scammers?
Starting point is 00:07:32 I guess, I guess maybe you would. The highest profile target. The only way you can know if you're the true heavyweight is to take on the heavyweight. That's right. That's right. So, spoiler, we're talking about all this because this all goes horribly wrong for Volodymyr. Which is the only way that you end up with all of the court documents necessary to really get what happened here.
Starting point is 00:07:58 Very briefly, as the court recalls from the briefs, the fraud, then alleged fraud happened between November of 2017 and March of 2018. That is audio from an appeals hearing for his case. Volodymyr has been convicted. That video is his defense attorney kind of sitting on a Zoom call with the prosecution and some judges trying to make the case for his appeal. And it is not going well. Here is one of the judges.
Starting point is 00:08:28 Let me just say this. I'm sure you're a really good lawyer, but I'm sure that's not your best argument. What is your best argument? It's a clapback. The judicial form of a roast. Volodymyr is currently serving a nine-year sentence for the events that we're about to discuss. But what he did and the way he navigated this weird system of non-currency currencies that gift cards sort of sit in the middle of, it's just very interesting to me.
Starting point is 00:08:58 And with the holiday season approaching, this being a story about gift cards, I think very relevant. Volodymyr Kishuk was born and raised in Rivne Oblast in Western Ukraine. Prior to coming to the U.S. in 2015, just sort of a normal dude. Studies comp sci and economics at the university where his parents taught, got, you know, kind of average enough grades.
Starting point is 00:09:21 Austin Carr's really good investigation into this for Bloomberg, where I got a lot of my notes, flags, importantly, that he did get a D in risk management, which feels prescient to everything that's about to occur. Appropriate. He comes to the States in 2015 for a wedding and immediately loves it, takes to the Southern California sun, decides to crash with his aunt and uncle,
Starting point is 00:09:43 gets in touch with an immigration attorney, and manages to wrangle a job reviewing JavaScript for a small software firm. Volodymyr had made his way into the American software industry. Kishuk's side hustle during this time when he first arrived is important for a couple of reasons. First, it resulted in some of the only audio of him I was able to find, from some ads that he and his business partner made, and they are fantastic. Hi, world.
Starting point is 00:10:13 This is Lee. In my previous life, I was totally not happy man. This would be my 10th cup of coffee by the day because I was a marketer doing search engine optimization, and my life sucks. Is it a crypto company? It sounds like a crypto ad. It's not. Searchdom dot AI, whose URL is actually currently available for sale, we should scoop it up, was an automated marketing
Starting point is 00:10:39 something. I don't quite know what service they were providing, but it had to do with automated marketing. And in this ad, we get to hear just a little, a little bit of Kishuk. Hey, Lee, your life doesn't need to suck anymore. There is AI automation that can solve all your problems. Oh my God, show me. There's no indication that this business had anything to do with what followed this business or his business partner. But the company doesn't go too well.
Starting point is 00:11:09 Searchdom is not like the big unicorn, I imagine they'd hoped it would be. And Kishuk decides to pursue new opportunities. But this company does come up later. In August 2016, he ends up at a company that handled basically one contract. Development for the online store for a little company called Microsoft. Kishuk moves into an apartment in Seattle. Works there for a while, and in 2017, he makes the transition from an external vendor to a full-time engineering position inside of Microsoft, which is really when all of this boots up.
Starting point is 00:11:45 Good job. Yeah, no, he made it there pretty quick. As part of his job, Kishuk had the ability to create these testing accounts for the Microsoft store. There were a lot of limits put up around these testing accounts to make sure that nothing, you know, kind of dodgy happens with them. Basic idea is with one of these accounts in the store, you can go through an entire transaction to test every stage of it. You could pick a thing, place basically unlimited orders, go through the whole process
Starting point is 00:12:15 right up until we've shipped this to you. But the catch was it just wouldn't ship stuff to these testing accounts. So you could go through the process of ordering an Xbox. You can make sure it's possible to buy an Xbox, but at the end they don't ship you an Xbox if you're using a testing account. Right. But during that first year, Kishuk makes a discovery. A product that this limit didn't apply to.
Starting point is 00:12:41 A product you could basically order unlimited amounts of. Because there was no physical good to ship. Right. Just a code for the system to generate. I think I see where this is going. He found the button, man. I think that's like a, a, like an ethical morality test that I wonder if all of us took how many of us would pass.
Starting point is 00:13:06 Somebody gives you a button to just generate money. Can you can you restrain yourself? I think I could. I think you could, but I think a lot of people wouldn't. I like to think I could. But what's interesting about this is that there's still a little bit of friction. Like he found the button, but the button, he's still pressing the button with his testing account. So he's found the button, but it's not immediately
Starting point is 00:13:30 clear that he can press it without repercussions yet. He found this way to basically generate very real gift card codes. It was this loophole in the system. Microsoft just hadn't planned for these testing accounts to test purchase that specific thing. But if you went through the process of buying one with one of these test accounts, they would give you a working code. And to your question about the sort of morality test here,
Starting point is 00:14:02 Kishuk does not report this. Of course. The other important thing here, and I brought this up earlier, has to do with the testing accounts themselves. Theoretically, if he generates a bunch of these codes on his account, it's really, really easy to figure out who is doing this. So he's found the button, but he needs to find a way to press it using a bunch of these different accounts.
Starting point is 00:14:27 Kishuk and his coworkers would regularly hop back and forth between mock profiles registered using aliases with the Microsoft Store team. These accounts weren't supposed to be disposable, but it was really easy to make new ones. They weren't supposed to be swappable with other employees, but folks pretty regularly did. And at some point, I'll unpack exactly how he did it later. Kishuk manages to find a second vulnerability that really makes this scam click the way it ends up clicking. And it was a way to access the login credentials of other Microsoft employees' testing accounts. So now he wasn't just relying on people being kind of sloppy with these accounts and giving
Starting point is 00:15:10 them back and forth. He wasn't relying on his ability to register new ones. He figured out a way to get access to other employees' testing logins. And he starts amassing this database of these testing profiles. Kishuk's working from home that summer, and he starts building this kind of pipeline. He's routing all his internet traffic through Japan and Russia, and he's starting to place test orders using these different testing accounts for gift cards. I like to imagine at this point that this has become his like full-time job. Like he's just kind of sitting there barely doing his actual work, but just compiling the script and database of like he's probably still being paid, but he's being paid to like hack the company that he works for.
Starting point is 00:15:55 I think that's probably accurate. It's like he was a janitor hired to clean a building, and in the basement he found a bunch of gold, and he's just spent the summer trying to figure out how to sneak it out of the building. Yeah. The process he builds immediately works. He's able to generate a $2,000 gift card anonymously,
Starting point is 00:16:15 does a test purchase, buys a copy of Microsoft Office for $164, and everything goes off like gangbusters. Ironically, that first purchase he makes, way early in this process, before the millions of dollars that would come, of a copy of Microsoft Office would also be the thing that led to his downfall.
Starting point is 00:16:34 I was going to say, let me guess that was the needle in the haystack. They traced it all the way back to the first purchase and he'd registered it to himself. In January 2018, he decides to automate this process. He develops a computer program he named Purchaseflow.cs. You punch in the denomination,
Starting point is 00:16:52 you punch in the currency you wanted in, you punch in the number of cards you want generated to those specs and it would handle the whole thing. I think your theory that he is basically doing this as his full-time job seems pretty plausible to me at this point in the story. If we look over at his listings on Paxful.com where he was going to end up selling these things, he operates under the username Grizzled Wolf. We could see how appealing he could make these gift cards for the people
Starting point is 00:17:19 who he was then using to launder them into cash. Because they were free for him, he could sell them on this site at a massive discount. Sure. He was selling these things for like 55% off. He could generate them in any foreign currency. This was, as you've flagged, probably his full-time job at this point, so he was super fast to respond.
Starting point is 00:17:40 He has like an online store where you can like choose your denomination and thing and then pay 50 cents on the dollar and get a gift card for it. I could see how that would be an appealing product to make, but also it's theft. Oh, it's completely theft. And it is unclear whether or not all of his customers know that this is theft. You should be able to intuit that someone selling this many gift cards at this kind of a discount is probably not totally legit. But he had a pretty big spectrum of people buying from him.
Starting point is 00:18:10 So it's not clear that everyone knew they were buying from someone who had stolen these things. One of the other big players in the Paxful ecosystem, who our buddy Kishuk, a.k.a. Grizzled Wolf, was selling to was a user named Maku. Maku is a buyer-seller, claimed to be based out of China, and he first reached out to Volodymyr with a message that read, I need Euro 75. He ends up buying 300 gift cards from Grizzled Wolf, worth on the open market about $30,000 at the time. Grizzled Wolf sells them to him for 1.98 Bitcoin, which was then worth about $17K. So this is a really, really good deal for Maku. They do this giant transaction anonymously at the time.
Starting point is 00:18:55 You didn't require identification on Paxful back then. And then Kishuk just drops this giant copy paste of 25-digit codes like into their chat. That's the whole deal. Maku turns around, sells them off individually, classic bulk buying retail markup setup. It's like classic, classic gift card arbitrage. And this first gift card arbitrage, a rousing success. Grizzled Wolf and Maku kind of go into business together. They decide they're going to increase the volume.
Starting point is 00:19:23 They're going to try and scale this thing up. All in over the course of this, Maku and one other user on Paxful made up the bulk of Volodymyr's sales over the next year or so he's in business. He sold these two accounts alone, roughly $7 million U.S. in Microsoft gift cards over that time frame. Kishuk is amassing a fortune in Bitcoin throughout all this. He obviously has to find a way to launder it. He ends up using a tumbler called ChipMixer.
Starting point is 00:19:49 And in March of that year, Volodymyr transfers $1.4 million from a Coinbase account into a personal Wells Fargo checking account. He does another million bucks in April. He tells his accountant that Bitcoins were a gift from his dad. And we're going to talk about the ways that he spent that money a little bit later. But slowly glitches are starting to emerge. He starts getting messages from folks saying that the codes they bought weren't working. Some early signs of trouble.
Starting point is 00:20:19 Gets a message from a high schooler, username Absterbone, who bought a code. And when it didn't work, immediately called up Microsoft's customer service line, where they tell him that the number he bought, the one Volodymyr had generated using this system, was reported as stolen. These are the first signs that maybe Microsoft is starting to figure something's up. But Absterbone is not the only person to essentially narc on him to Microsoft. His number one customer, Maku, also calls up Microsoft after a giant batch of codes that Kishuk sold him turned out to be bad.
Starting point is 00:20:53 Kishuk sends Maku a message that reads, quote, Damn man, you should not have sent this request to Microsoft. Send them directly to me. If they start tracking me down, I am going to bail. I was going to say that's always a sign you're in business with somebody good. Yeah, totally.
Starting point is 00:21:09 Don't call the people irresponsible. Call me. Don't call the people that make the thing. If they track me down, I'm going to run. You're going to bail from this legitimate business you're operating? Yeah. They were tracking him down. In February 2018, Microsoft's FIST department, the fraud investigation strike team,
Starting point is 00:21:31 noticed a massive spike in online purchases using gift cards because he had basically doubled the amount of codes that were typically being redeemed at any one time. He had totally messed up the curve. Wow. One person? One person had totally screwed this whole thing up. For a company the size of Microsoft. Apparently.
Starting point is 00:21:51 Yeah, I would assume it was like a rounding error for Microsoft, but maybe not. It's good that the FIST department exists and that they track that stuff. Strike team FIST. At first, they designated it as probably coming from a bad actor outside of the company. They thought someone was stealing from them from outside Microsoft. Yep. But they pretty quickly discovered that the call is coming from inside the house. This is an inside job.
Starting point is 00:22:16 So they decide to bring in the big guns. Wait, who are the big guns? Oh, we're going to get to the big guns. Oh. His discovery right after the break.
Starting point is 00:24:55 I love how it would be such an obvious thing to think that somebody had figured out a way, like a loophole in your online store to like do something. Like it seems like it would be an external hack, but I guess the internal makes just as much sense. They'd have even more access.
Starting point is 00:25:33 Yeah, it really depends how much trust you have in the system that you've built. Yeah. Yeah. Well, and it's again not knowing, because I'm sure the system is quite comprehensive. It's probably pretty rare for one single person to know the entire system. So it would be, you know, some external exploit could easily be doing something similar.
Starting point is 00:25:52 Like I know that there's, I'm trying to remember there was something recently that was like this, that there was an external way to essentially get something free on a purchase. Like if you bought one but had looked at another one, it would auto buy that as well. Oh, interesting. Anyway. It was clear that they had tried to put up some guardrails around these testing accounts.
Starting point is 00:26:13 They probably weren't worried about them because, well, they're testing accounts. They can't actually complete transactions. They're not the first place you look when in an unrelated department a bunch of gift cards seem to have been hacked. You don't immediately jump over to the testing accounts because they're just testing accounts. But the second you make that connection, it becomes pretty clear,
Starting point is 00:26:34 we devised a system for generating unlimited purchases of physical goods that won't ship, but this is a product that is not shipped. It is generated. Yeah. It was only a matter of time until the big guns put two and two together. But before we get to him, it's the twilight days of Kishuk's Xbox
Starting point is 00:26:54 heist lifestyle. How was he spending his money? As I recall, didn't he, hadn't he purchased his new home? That's correct. But he purchased the new home. I mean, he apparently... Man, it's a giant red flag for the investigative officers. This is true. Thus my comment on... And a Tesla. $1.675 million on a house on Lake Washington.
Starting point is 00:27:22 Okay. Real nice pad, had a boat dock. Nice. Bought that in cash. Told the realtor again, he made his fortune off Bitcoin. Of course. Goes out and gets the, gets that clean red Tesla Model S for a clean $162,000.
Starting point is 00:27:36 Nice. He's living the good life. But meanwhile, inside of Microsoft. March of that year, corporate investigators had traced some weird activity to two of the internal test accounts assigned to folks on the same team as Kishuk. Those two accounts alone had generated about $8 million in codes that were for sale on Paxful. So the FIST team turns those accounts off. Then a couple days later, another one of those accounts from the same team is suddenly draining gift card codes out of the system. This new
Starting point is 00:28:13 account cleans out another $1.6 million in the 26 hours it was live. The investigators call up the people who these testing accounts are assigned to and they have earnestly no clue what is going on. Someone had clearly found a way to access these other people's accounts. Earlier in this whole hack, there was that moment when Volodymyr figured out how to gain access to the accounts of some of his coworkers. Yep. And it's at this point that the investigators cracked how he was doing it. Microsoft used a program they named Fiddler.
Starting point is 00:28:48 It was the system for filing bug reports. but it turned out, buried deep inside it somewhere, there was a vulnerability in Fiddler for the testing accounts that were plugged into it. While we don't know the exact mechanism by which he did this, anyone with Fiddler access could theoretically work their way back to the login credentials of the other users on their team. Huge vulnerability inside of this piece of software.
Starting point is 00:29:14 But suddenly this investigation team has a sense that, okay, it's clearly someone on this same team that is using the login credentials of their peers. Sure. They've narrowed it down to like the 10 possible people. So the FIST team brings in a 15-year forensic investigator at Microsoft. A guy named Andrew Cookson. The big guns.
Starting point is 00:29:37 Big guns. I was going to say, and it takes him 25 minutes to realize that one of the team members has just bought a house next to Bill Gates on Lake Washington and is driving a brand-new Tesla. The next part of the story is he goes digging through the data, but I like to think before he did that, he looked out the window at the parking lot and was like, that car cost $170,000.
Starting point is 00:29:57 It's that guy. Yeah. Cookson and the team go digging through all the data. I have to think what ultimately happened here is that before Kishuk decided to scale this into a multi-million dollar operation, way back in 2017, he was just kind of sloppier.
Starting point is 00:30:13 One of Kishuk's actual testing accounts, one that's actually tied to him, had used the same glitch he would go on to use for tens of millions of dollars in transactions to buy some gift cards illegitimately way back in 2017. That initial purchase is what gets him on their radar. The thing that really cinches it for Cookson that this is the guy is that someone had used some of those codes from the hacked testing accounts to order three
Starting point is 00:30:41 Nvidia graphics cards. Those graphics cards were shipped to a made-up name in an imaginary unit that was, importantly, in the very real building where Kishuk lived. Kishuk gets a call from Microsoft asking him to come in. Andrew Cookson, the ex-Scotland Yard computer crimes investigator, would like to have a word. Did he bail? He did not bail, weirdly. Go-bag time.
Starting point is 00:31:09 I would have thought it was go-bag time here. There's this weird thing that I notice in stories about interrogations. It's kind of a pattern. And it's that folks who are confronted with wrongdoing will often admit to a much lesser version of the same thing they're being accused of. I don't. Sure. Really.
Starting point is 00:31:27 I kind of get why people do this and I kind of don't. It's the like, yes, officer, I have had a couple drinks, but only a few. Like they confess, ish. On May 18th, Kishuk gets brought in and interrogated and immediately confesses-ish. He admits to generating those 600 codes, but he says he was just using them to download free movies that he watched with his girlfriend. He had to print it out. He scratched them out as he went watching movies.
Starting point is 00:31:53 But a multi-million dollar heist using this exact same system he would never. Cookson asks him about the graphics cards purchased from Microsoft with these codes. And again, he kind of like waffles on it. Yes, I bought those graphics cards. They were for mining crypto. And yes, I shipped them to that address. But a made-up unit with a made-up name, he doesn't remember that part. It seems like, it seems like, yeah, seems like time to call
Starting point is 00:32:21 your lawyer. Yeah. Volodymyr doesn't get there immediately. Four weeks later, Microsoft fires him. The thing that ultimately brings him down, though, is do you remember his startup from the start of the show, SearchDom? Yes. And you remember the first thing Kishuk bought with those codes,
Starting point is 00:32:40 that very first copy of Microsoft Office? He registered it to his company. Got brought down by SearchDom, man. Oh, my God. Lessons learned. Don't register your stolen software to your new software company that you've just put an ad online with your face in it for. These are day one lessons here. So how do we how do we go from like I can't believe it took them four weeks to fire him.
Starting point is 00:33:10 But like how do we go from him being fired to him being fully blown out charged? I assume they've realized the scale of it. It's about a year later, July 16th, 2019, and in the interim, Volodymyr's gotten a new job. July 16th, he does not show up to that new job because he is sitting on his couch as federal agents referred by Microsoft raid his house. Same house, I'm assuming.
Starting point is 00:33:35 Same house. Same house. For now. Still on Lake Washington. Yeah. For now. We're about to find out what his plans were, though. During this raid, the agents find USB drives full of stolen 25-digit codes.
Starting point is 00:33:48 They find crypto wallet keys. They find notebooks with relevant bank account information. And importantly, they find a piece of paper titled, How I Will Manage My Next Ten Million. On that list, a $4 million home in Maui, a $1 million house in the mountains near a ski lift, that was a quote, as well as the final bullet point that reads, one yacht.
Starting point is 00:34:14 Wow. I don't know if he's looked at the price of yachts, but $10 million, certainly not getting you a house in Maui, a house in Aspen and a yacht. Yeah, I don't know that you're picking up a yacht with change after buying two houses. Yeah, like even $10 million. I think you're in like starter yacht land. Yeah, that's...
Starting point is 00:34:29 I feel like yachts are for the, you know, the real, the B billionaires. Which brings us all to the legal fallout of all this. From that court case, we've been kind of hearing clips from throughout. February 2020, Kishuk gets taken to trial for identity theft, money laundering, wire and mail fraud. His defense argument in this is awesome. They argued in no particular order that Volodymyr was generating these codes, actually as an act of promotion and service to his employer.
Starting point is 00:35:04 Oh, yeah, yeah, yeah, nice. They argued that Kishuk figured that the more free stuff Microsoft gave away, the more popular Microsoft would be. So Volodymyr thought he was helping by doing this. It's a bold argument. I'm not going to lie. Sounds like he should have had "get better lawyers" at the top of that 10 million list. Because I feel like that that argument is dead in the water.
Starting point is 00:35:27 Yeah, I would argue that should have been on the How to Spend the first $10 million list. Yeah, lawyers in all capitals. Lawyers. Get really good lawyers. Then they argued that the list of how he would spend the next $10 million that they found in his house was just an aspirational mood board. They argued that him stealing his co-worker's credentials through Fiddler was not actually identity theft because those accounts aren't a real form of ID, which is interesting. But the prosecution had enough forensic financial proof to charge him.
Starting point is 00:36:02 They had traced the laundered crypto through to his bank account. They had him on that alone. But ultimately, those codes that they found in his apartment, the 25-digit gift card codes, that's really all the evidence they need. Because those codes proved that he had come up with this system for generating those codes. The judge and jury found him guilty on all counts. He will have to make restitutions of around $8 million, and he will likely be deported when his sentence ends in 2027.
Starting point is 00:36:32 Every day we're given access to confidential information and systems in our jobs. Sure. And he just chose to use his for himself. And, you know, he's, sounds like he got part of what was rightly coming to him. Sure. Yeah, so many of these stories are about people having kind of an idea, and this feels a little more like a person making a discovery. They discover this button. They discover the ability to get other people's credentials.
Starting point is 00:37:02 They sort of just discover this whole gift card to cash pipeline laid out in front of them. And then they just walk down that path they've found. And it inevitably leads to the fist team Andrew Cookson and nine years in prison, once you've started walking down that path. I think it's really just about, you know, all of the things that he did that tied it back to himself. Like, did he really honestly think that he would never get caught? There's a lot of hubris.
Starting point is 00:37:29 I won't lie. Yeah, it feels like if this, like, I feel like if you're going to do any kind of cybercrime, you should assume that as, you know, if the X-axis is time, you will converge to, as you proceed down time, you will converge to being caught. like if he'd done one big bang and done made two million bucks and never touched it again
Starting point is 00:37:51 yeah maybe it would have disappeared if he'd never bought things for himself you know obviously that's a big no no um but but yeah so anyway it just to me it just seems like somebody who just maybe didn't have the thought to consider the fact that they definitely were going to be caught sometime as as they if they kept going at it and it seemed like to go get to the point where you know there's an active investigation. I'm assuming he probably knew. I'm sure they talked about it with their department and to keep doing it. And then when you get the phone call to come in and have a conversation with the big gun,
Starting point is 00:38:29 you know, I don't know. And it's especially that moment in the story when there's the two accounts he'd been using and he generated like $7 million worth of these codes through the two accounts. They shut down both of those accounts on the same day. Yeah. Every instinct in my body is telling me, oh, my God, the walls are closing in. And instead, he boots up another account and immediately drains $1.6 million worth of codes using the exact same process.
Starting point is 00:38:56 That is not the behavior of a person that is lying low because the spotlight is shining right next to them. That's a person who's just forging ahead. You totally. And like the thing is, too, is that if they're at the point where they're closing those accounts down, they're probably monitoring gift card creation and marking them all as stolen anyways, they're pretty much useless the second they get created. So like, why would you, I don't understand the motivation there.
Starting point is 00:39:22 Just greed, sheer greed. In court, one of Kishuk's defense's many fascinating arguments was that none of this could be theft because gift cards have no intrinsic value. They're not currency. The prosecution, I think rightfully observed that for something that wasn't money, he sure had bought a house with it. But I guess I'll kind of wrap up with this idea, which is that like if you spend enough time reading about this, it does make you think about gift cards in a very weird way.
Starting point is 00:39:54 Yeah. In their modern form, they're like a new invention. They sort of just popped up in the late 1990s. They're not that old, even though they seem like they've been around in a drawer somewhere that whole like forever. Companies love gift cards. Depending where you live, they can expire. Changes to service fees means they can just basically lose value.
Starting point is 00:40:15 while they're sitting there. The difference between the value of the purchase and the difference between the value and what you purchase often goes unspent, all of which means they're basically free money for the companies that issue them. They've sort of famously been used to reduce price transparency at different points in history.
Starting point is 00:40:32 A little famous side story is in the mid-2000s, Microsoft's Xbox gift card system used a virtual point system rather than dollars, which made their actual value exceedingly difficult to keep track of. Of course. It's famous, like, tech drama where Walt Mossberg in 2006 calls Microsoft out saying that this point system they've engineered is, it's not just kind of difficult.
Starting point is 00:40:56 It's fully deceptive. It took like 79 Xbox Live points to buy a song for your Zune player, even though those 79 points cost 99 cents, but that point-to-penny ratio ebbed based on where you lived, it was all just very intentionally confusing and borderline deceptive. And now being used in every virtual game currency ever made. Name me one game now that doesn't use some form of point or internal currency that is probably programmatically deceptive. Exactly. So maybe the real social engineering hack here was gift cards all along.
Starting point is 00:41:36 Maybe the one argument Kishuk's defense never made was the one they should have, which is that this was really a Robin Hood type crime all along. He was taking from the rich Microsoft gift card department and giving himself a Tesla. What a Robin Hood story. It's a classic Robin Hood story. Thank you to our new patrons on Patreon since the last episode. That's patreon.com slash hacked podcast, a great way to support the show. Morgan Vega, thank you. Jimmy, thank you for editing your pledge, means a lot. And Alex, thank you very, very much. That's patreon.com slash hacked podcast, a great way
Starting point is 00:42:24 to support the show. Thank you so much for listening. Thank you for making it to the end of another one, and we will catch you in the next one.
