Over $300,000 was stolen from Zulily using malicious code that diverted shipping fees and reduced the price of Zulily merchandise.
A former Zulily employee has been charged with stealing over $300,000 from the e-commerce site after allegedly being inspired by the 1999 film Office Space. As reported by The New York Times, according to this police report (pdf), Ermenildo Valdez Castro, 28, is accused of manipulating product prices and altering the company’s code to divert shipping fees from Zulily to a personal account.
According to court documents, Castro began editing Zulily’s software code for checkout payments in February 2022, which allowed him to steal around $260,000 in electrical payments by diverting shipping fees from Zulily customer purchases to a Stripe account that he controlled, in some cases double-charging customers for shipping.
Here are the three methods authorities accused him of using:
(1) an original code that diverted some customer shipping costs from Zulily’s account to Castro’s personal account beginning on February 28, 2022, through which Castro unlawfully obtained $110,240.71 from Zulily;
(2) after Zulily began investigating that first issue, a replacement code that doublecharged a small percentage of Zulily customers for shipping, allowing Castro to route a ‘full’ shipping cost to both Zulily’s accounts and his own account, through which Castro unlawfully obtained $151,645.50 from customers; and
(3) unrelated to the first two issues, by reducing the cost of expensive items that he was purchasing on Zulily.com to pennies per unit, a method by which he unlawfully obtained $40,842.31 from Zulily. Through these three methods, Castro stole a combined $302,278.52 before he was terminated in June 2022.
Castro was hired as a software engineer by Zulily in 2018. According to court filings, Zulily fired Castro in June 2022 after the company investigated his price adjustment scheme. A OneNote file discovered on Castro’s work computer titled “OfficeSpace Project” allegedly contained codes used in the scheme, alongside a note that he would need to “fudge exposure metrics.” Castro was arrested on June 21st and informed detectives during an interview that “he named his scheme to steal from Zulily after the movie,” according to a police report.
The plot of Office Space centers around a group of software engineers who use a computer virus to steal huge sums of money from their employer by skimming fractions of pennies from company transactions after being inspired by a similar scheme from the 1983 Superman III movie.
According to information found on the “OfficeSpace Project” file, Castro planned to use the stolen money within the Stripe account to live “off-grid” in the event his scheme was discovered.
The police report said Castro admitted diverting the shipping fees, informing authorities that the money was “gone” and that the stolen funds had been invested in the stock market, particularly in GameStop.
Castro also altered the prices of products sold on Zulily, allowing him to buy over 1,000 items of Zulily merchandise worth $41,000 for just $250, according to court documents.
Castro admitting to placing orders for over 1,000 items that were shipped to his house. He stated that the orders were part of a testing process that Zulily was aware about, but he claimed that there was a script that was to be run shortly thereafter that would essentially cancel the order and ensure the orders did not process. He said the test orders would have to be billed to a personal credit card, thus his changing of the items’ prices, as to avoid incurring a large expense on his personal credit card. He said he forgot to run the script; therefore, the orders shipped. He admitted that he did not ever notify Zulily staff of the orders being delivered. When asked what he did with the items delivered, he stated that once he was fired, he threw many of the items away.
When asked why he never returned the items to Zulily, he said that once they fired him, his opinion was, “Fuck ‘em.”
Castro was charged with two counts of theft and one count of identity theft on December 20th, 2022, and is due to appear in court for arraignment on January 26th.
