United States v. Kvashuk

• Decision Date: 28 March 2022
• Docket Number: No. 20-30251,20-30251
• Citation: 29 F.4th 1077
• Parties: UNITED STATES of America, Plaintiff-Appellee, v. Volodymyr KVASHUK, Defendant-Appellant.
• Court: U.S. Court of Appeals — Ninth Circuit

29 F.4th 1077

UNITED STATES of America, Plaintiff-Appellee,

v.Volodymyr KVASHUK, Defendant-Appellant.

No. 20-30251

United States Court of Appeals, Ninth Circuit.

Argued and Submitted October 7, 2021 Seattle, Washington

Filed March 28, 2022

Joshua Sabert Lowther (argued), Lowther Walker LLC, Atlanta, Georgia, for Defendant-Appellant.

Michael Dion (argued), Assistant United States Attorney; Tessa M. Gorman, Acting United States Attorney; United States Attorney's Office, Seattle, Washington; for Plaintiff-Appellee.

Before: Richard A. Paez, Milan D. Smith, Jr., and Jacqueline H. Nguyen, Circuit Judges.

NGUYEN, Circuit Judge:

Volodymyr Kvashuk stole $10 million in digital gift cards from his employer, Microsoft, using login credentials he filched from his coworkers. Microsoft uncovered Kvashuk's scheme and fired him after noticing unusual gift card redemption activity.

Unbeknownst to Kvashuk, Microsoft also referred the matter to law enforcement. Over the next 13 months, the Internal Revenue Service ("IRS") investigated both the gift card theft and Kvashuk's failure to report the illegal income on his tax returns. Government agents recovered additional evidence when they executed a search warrant on Kvashuk's home and vehicle.

In this appeal from his conviction for 18 fraud-related counts, Kvashuk contends that: the search warrant lacked probable cause; his coworkers' login credentials were not a "means of identification," 18 U.S.C. § 1028A(a)(1) ; the exclusion of evidence that he had applied for asylum prevented him from presenting a complete defense; and the district court should have dismissed a juror who worked for the same team at Microsoft. None of these contentions has merit. Therefore, we affirm the district court's judgment.

I. Background

A. Kvashuk's Employment at Microsoft

Kvashuk grew up in Ukraine and came to the United States in 2015 at age 21. In August 2016 he landed his first job in the tech industry as a software engineer at Microsoft's Redmond, Washington campus. For roughly the first year, he worked as a contractor, and after a two-month hiatus, he returned to Microsoft as a direct employee in December 2017.

Kvashuk worked on various projects involving the user experience at the Universal Store. The Universal Store is Microsoft's online portal for selling computer hardware, television shows, movies, games, and applications. It is universally available on devices running a Microsoft operating system, such as a Windows PC, an Xbox game console, or a Windows phone, but anyone with access to the internet and an email address can create an account and place an order.

Software engineers working on the Universal Store team ("UST") wrote and tested code. Most testing was performed "in production"—i.e. , using the code version that an end user would experience. UST members tested the steps that a user would go through to purchase a product at the Universal Store—the user's "purchase flow"—by creating test accounts. Test accounts were the same as any other Universal Store account, with three main exceptions.

First, the email addresses used for test accounts started with "mstest_" followed by an alias selected by the individual tester. For example, Kvashuk's test account was mstest_v-vokvas@outlook.com.

Second, Microsoft provided UST members with special credit cards ("test-in-production" or "TIP" cards) for use with the test accounts. TIP cards were not real credit cards—no bank would honor them—but the Universal Store accepted the cards as a means of payment without submitting the transaction to a bank for processing. Thus, TIP cards allowed software engineers to test the Universal Store purchase flow without money changing hands.

Third, Microsoft suppressed the shipment of any physical goods ordered from a test account. Crucially, however, this safeguard did not apply to digital gift cards delivered via email.

A digital gift card is a token—a 25-character code broken into five groups of five characters separated by hyphens—that can be redeemed for a specified amount of credit ("currency stored value" or "CSV") at the Universal Store. A digital gift card purchaser need not redeem the token herself; anyone with a Universal Store account can redeem it.

B. Microsoft's Investigation

In February 2018, Microsoft's fraud investigation strike team ("FIST") noticed a suspicious spike in Xbox Live subscriptions paid for with CSV. The FIST traced the CSV to tokens ordered through two test accounts: mstest_sfwe2eauto@outlook.com, which belonged to UST member Andre Chen, and mstest_avestu@outlook.com, which belonged to UST member Roy Morey.

Microsoft suspended these two test accounts on March 15, 2018, and cancelled any unredeemed tokens purchased through them. At the time, the FIST believed that an outside actor had ordered the tokens because the IP addresses associated with the transactions were external to Microsoft,¹ and the FIST investigator who interviewed Chen and Morey did not suspect their involvement.

On March 22, 2018, the FIST noticed another spike in CSV purchases traceable to a third test account: mstest_zabeerj2@outlook.com, which belonged to UST member Zabeer Jainullabudeen. These transactions were made from a device using the same hosting IP company as the transactions that originated from the sfwe2eauto and avestu test accounts. The next day, Microsoft suspended the zabeerj2 test account and cancelled the unredeemed tokens purchased through it. In all, $10 million worth of tokens was stolen through the three test accounts, and Microsoft cancelled only $1.8 million worth before the tokens were redeemed for CSV, resulting in a loss to the company of approximately $8.2 million.

Microsoft came to suspect Kvashuk when the FIST searched for other accounts that had accessed the Universal Store from the IP addresses used to steal CSV. Multiple IP addresses associated with the sfwe2eauto or avestu test accounts were also associated with Kvashuk's v-vokvas test account, his personal Outlook account (safirion@outlook.com), and his personal Gmail account,² as well as an additional account: pikimajado@tinoza.org.

Kvashuk's v-vokvas test account, the pikimajado account, and another account—xidijenizo@axsup.net—were also linked to the sfwe2eauto and avestu test accounts through the same "fuzzy device ID." A fuzzy device ID is a "fairly unique" identifier generated by Microsoft—a string of information that identifies characteristics about the user's browser, operating system, and other attributes. According to Microsoft, it is "theoretically possible" but "very unlikely" that two different devices would have the same fuzzy device ID.

Microsoft discovered that in October 2017, Kvashuk's v-vokvas test account ordered a single token that another account, linked to an email address at searchdom.io, redeemed for a subscription to Microsoft Office. Kvashuk was a registered owner of searchdom.io. Two weeks later, the v-vokvas test account ordered tokens worth approximately $10,000, of which approximately $2,500 was redeemed for CSV in the Universal Store by accounts linked to the pikimajado and xidijenizo email accounts. These two accounts used the CSV to purchase graphics cards and ship them to "Grigor Shikor" at Kvashuk's apartment complex.

In two interviews, Kvashuk admitted to Microsoft investigators that he had used his test account to generate tokens, which he claimed he redeemed to watch movies. He also admitted purchasing a graphics card on the Universal Store using CSV he obtained from the test account. He claimed that he had wanted to see whether it was possible to order physical items that way but that the graphics card never arrived.³ When asked if he knew Grigor Shikor, Kvashuk first told the investigators, "It's complicated," and then denied knowing him.

Microsoft terminated Kvashuk's employment in June 2018 and informed the Department of Justice about the stolen CSV.

C. Kvashuk's Criminal Prosecution

The government learned additional details through its investigation. The name on Kvashuk's phone account was Grigory Kvashuk. Many of the IP addresses Kvashuk used to access the Universal Store belonged to a company operating a virtual private network ("VPN").⁴

Kvashuk also had sudden, unexplained wealth. His salary at Microsoft was $116,000, and his bank account at Wells Fargo had a balance of less than $20,000 until late November 2017. Between November 2017 and May 2018, Kvashuk transferred over $2.8 million from a cryptocurrency account he held at Coinbase.com into his bank account. By examining the Bitcoin blockchain (a public ledger of Bitcoin transactions), the government determined that the Bitcoin deposits in Kvashuk's Coinbase account came from a mixing service, which obscures the Bitcoin's source by mixing potentially identifiable Bitcoin with other Bitcoin. Kvashuk used the cash from his Coinbase account to purchase a $162,000 Tesla Model S in March 2018 and, three months later, a $1.675 million house on the shore of Lake Washington.

Through a search warrant served on Google, the government obtained Kvashuk's Gmail messages and internet search history and learned that Kvashuk had been selling the stolen tokens on a Paxful account. Paxful.com is a peer-to-peer Bitcoin marketplace that allows users to exchange Bitcoin for gift cards, among other things. Kvashuk's chats on Paxful with purchasers of the gift card tokens revealed that he received 55 to 60 cents worth of Bitcoin for every dollar of CSV that he sold.

The government subsequently executed a search warrant on Kvashuk's lakefront house and car and seized additional evidence tying Kvashuk to the stolen CSV. Kvashuk was indicted on 18 fraud-related counts, including two counts of aggravated identity theft, 18 U.S.C. § 1028A.⁵

Prior to trial, the district court denied Kvashuk's motions to suppress the evidence obtained from his house and car and to dismiss the aggravated identity theft counts for failure to state an offense. Over Kvashuk's objection, the court granted...