Euro Security Watch with Mathew J. Schwartz

Fraud Management & Cybercrime , Governance & Risk Management , Insider Threat

Software Engineer Charged With 'Office Space-Inspired' Fraud

'Shopping Experience' Engineer at Retailer Accused of 'Malicious Software Edits'
Software Engineer Charged With 'Office Space-Inspired' Fraud
Image: Three men prepare to execute a fax machine in this scene from the 1999 workplace comedy film "Office Space."

More signs truth may be stranger than fiction: Seattle police have charged a software programmer with engineering a fraud scheme inspired by the online heist in the 1999 black comedy film "Office Space."

See Also: How to Take the Complexity Out of Cybersecurity

"For folks who don't know that movie, that's where people are frustrated with their job and put a malicious piece of software into the system to take fractions of a penny and put it into a separate bank account," Casey McNerthney of the King County Prosecutor's Office in Washington told KIRO Newsradio. "And that's what police allege happened here as well."

Police on Dec. 20, 2022, charged Ermenildo "Ernie" Valdez Castro, 28, with perpetrating multiple fraud schemes while employed on the "shopping experience" team at Seattle-based online retailer Zulily. He was fired from the company on June 9, 2022, after the corporate security team traced tracking numbers for items ordered with heavily discounted prices and found boxes of them piling up outside the suspect's house.

In the film, after the protagonist fat-fingers the decimal place, he attempts to roll back an unwanted $300,000 profit. Castro has been charged with stealing nearly the same amount from his former employer and its customers. He was arraigned Dec. 29 and is next due back in court Jan. 26.

Evidence: 'OfficeSpace Project' in Castro's OneNote

Lest the comparison with the movie seem like a stretch, a Seattle Police Department report offers some convincing parallels. Police say Zulily's director of cybersecurity, Steve Carney, shared a OneNote document recovered from Castro's work computer, referencing the "OfficeSpace project," which would "cause production traffic to be routed to Stripe," as well as "cleanup evidence," including tweaks to audit logs and to "disable alarm logging."

Police searched Castro's home in Tacoma, Washington, on June 21 and arrested him the same day in Seattle. He was interviewed by two detectives and advised of his rights, after which he waived the right to counsel and spoke directly with detectives, according to the Seattle police report.

Detectives say "Castro confirmed that he named his scheme to steal from Zulily after the movie" and "inserted three types of malicious code in the checkout process at Zulily" in pursuit of this alleged scheme.

Police have now charged him with:

  • Shipping over 1,000 items to himself after editing - without authorization - their collective sale price of $41,000 down to just a few hundred dollars;
  • Stealing $110,000 starting on Feb. 18, 2022, until the next month, after rewriting Zulily's website software to divert shipping fees that were due to Zulily to a personal account - registered to his college-issued email address - at payments processor Stripe;
  • Obtaining about $152,000 by rewriting website software to double-charge customers' shipping costs, from April to June 2022.

After Castro allegedly introduced the code changes in February 2022, by the next month, Zulily had spotted discrepancies and assigned a team - which included Castro - to investigate.

Corporate Security Traced Shipments

Castro told police he ended up with 1,000 items that got shipped to his house after he forgot to run a script that was meant to cancel the orders, which were placed for testing purposes.

Detectives said that "when asked what he did with the items delivered, he stated that once he was fired, he threw many of the items away," according to the police report. "When asked why he never returned the items to Zulily, he said that once they fired him, his opinion was, 'F*** 'em.'"

In response to Castro claiming all of the items had been ordered solely for testing purposes, detectives said they showed him evidence from thousands of emails they'd reviewed, suggesting that he had ordered some items at the request of a woman he'd been dating for one month after they met on Tinder, for delivery directly to her.

Detectives said Castro admitted to having ordered the items "for her 'peacock.'" The police report references this slang.net definition: "Peacocking is when a person shows off to impress someone. It comes from the colorful feathers an actual peacock displays to attract a mate."

But police added: "Castro stated that the orders never got delivered because they got flagged by the Zulily fraud team."

If the alleged crime was modeled on "Office Space," the plot differs in multiple ways. For starters, there's no suggestion - spoiler alert - anyone burned down the office in real life. Nor has anyone been accused of executing a fax machine to the tune of Geto Boys' song "Still." And most importantly, none of the characters in the movie was ever charged with a crime.



About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.