Ermenildo Valdez Castro a 28-year-old software developer who was a former employee of the American e-commerce site Zulily is accused of stealing 300K dollars from the company.
What is Zulily?
Zulily is an American e-commerce company headquartered in Seattle, Washington. It mainly targets mothers and young children and sells kitchen accessories, clothes, toys, etc. The company has revenue of over $366 million according to the data from August 2016 and a net income of $10.66 million according to the data from December 2012.
How Castro stole $300K from Zulily?
According to New York Times, Castro was inspired by the 1999 film Office Space.
Office Space is an American comedy movie released in 1999 in which Peter Gibbons with his two friends decided to plant a virus in the company's system and make a small fortune from it by transferring some amount of money to his account on each transaction. Due to a glitch in the program, they were withdrawing a large sum of money from the company's account to theirs which caught the attention of the company.
Although Mr. Castro didn't have the support of his friends like in the film, he was a great programmer and managed to recreate the virus with some modifications.
Ermenildo Castro joined Zulily in 2018. He was responsible for maintaining the code for checkout processes.
According to the police report, in the spring of 2022, Castro started making changes to Zulily's code that allows him to steal money from the company. He inserted three types of malicious codes in the checkout process, the report stated.
According to the court documents, Castro stole $110,240 by transferring shipping fees to his account which he controlled through the payment-processing site Stripe.
When Zulily found out that they are not receiving the shipping fees although the customers are being charged, they launched an operation to find out what was wrong. Castro modified the code to accept double shipping charges thus sending half to the company's account and a half to his, from this he earned $151,645.
According to police, more than 30,000 transactions totaling around $263,300 were sent to Castro’s Stripe account between February and June 2022.
Castro also changed the price of certain products so that he can buy them at a cheaper rate. The court records state that he paid about $250 for nearly 1,300 items collectively worth more than $41,000.
So basically, he earned money from three methods. He diverted the shipping fees of $110,240.71 into his account, charged double the shipping fee from the customers and made $151,645.50, and saved around 41,000 dollars by reducing the cost price for the products he purchased. In total, he unlawfully stole $302,278.52 from the company before getting sacked in June 2022.
How did the company find out about Castro?
Zulily's cybersecurity team checked Castro's laptop and found a OneNote file named "OfficeSpace Project" which contained the code that Castro used to steal 300K dollars from the company.
Ermenildo Castro was arrested on July 21. He admitted that he has modified the checkout code, but he also said that Zulily knew about the changes and it was a part of a testing process. Castro admitted that he stole money and informed that the money is invested in the stock market, particularly GameStop. He also informed the detectives during the interview that he named his scheme to steal from Zulily after the movie, Office Space which was launched in 1999.
According to the information in the OneNote file, Castro planned to move with stolen money to live off-grid.
Conclusion
I have read a lot of stories in which employees steal from their own and this story is one of the best among them. Castro did wrong by stealing the company's profits and people's money. I am amazed at how he did all these things from writing codes to transferring payments to his accounts to charging double shipment fees when he found that the company has noticed suspicious activity.
I hope the police will be able to recover most of the loss and it may return to the people whose hard-earned money was stolen.
Also published here