The Xbox gift card came with a string of 25 letters and numbers. The digits, known as a 5x5 code, were sent in an email, but they were no different from the numbers and letters etched onto the gift cards hanging off tall racks near the checkout aisle at CVS or Target, arrayed in a Rubik’s Cube of colors. These stores sell them on behalf of Apple, Applebee’s, Disney, Domino’s, and pretty much every other company you can think of, including
bygone era of Blockbuster Video, but today there are online marketplaces where anyone can trade gift card codes for Bitcoin and then turn the spoils into cash. These markets inevitably attract speculators and, because trades can be conducted anonymously, scammers.
Volodymyr Kvashuk received the $15 code a few weeks before Christmas, in 2017, among a batch of 20 others worth $300 altogether. But the engineer, who went by Vova for short and was in his mid-20s, hadn’t paid for the Xbox gift cards himself, nor were they some early holiday present from relatives. Kvashuk had recently begun a full-time job at Microsoft’s headquarters in Redmond, Wash., testing the company’s e-commerce infrastructure.
His team’s focus was to simulate purchases on Microsoft’s online store, looking for glitches in the payments system. This meant making lots of pretend purchases in the store. If Kvashuk added a Dell PC to his shopping cart, he’d use a faux credit card Microsoft had provided, complete the transaction, and document any errors. The system knew the purchase was fake and wouldn’t deliver the device to his doorstep. At least that was what was supposed to happen.
Then Kvashuk found a bug that would change his life [...]
