A Coatesville man used a gift card glitch to defraud eBay of $320K. Here’s what he bought.

Chad Broudy found an online gold mine in October 2016 when he discovered a glitch on eBay that let him buy anything he wanted, virtually free.

Broudy, a 24-year-old from Coatesville, figured out how to over-redeem eBay’s gift cards again and again without the cards getting charged. For 2½ months, Broudy went on an epic shopping spree, paying virtually nothing for more than 3,000 items valued at roughly $320,000, according to federal prosecutors.

Broudy bought Macs, iPhones, speakers, small gold bars, and even cash ($100 bills), court records show. He obtained a cotton candy maker, a cordless vacuum cleaner, a brass eagle statue, and a Star Trek sushi set. He sold much of his bounty, converting Xbox controllers, wine glasses, and smart thermostats into cash.

But exploiting that glitch could put Broudy behind bars. He pleaded guilty to two counts of wire fraud in June and faces up to 40 years in prison, court records show. Prosecutors recommend imprisonment within the range of 27 to 33 months plus restitution and a $3,000 fine, while Broudy’s attorney has asked a judge to let him serve up to half of his sentence outside prison. A sentencing hearing is scheduled for May.

Broudy, who does volunteer IT work for a nursing home, said he could not comment on the case without his lawyer. His attorney, Philadelphia-based lawyer Andrew David Montroy, did not return requests for comment.

In letters to the court, family members described Broudy as a young man who struggled academically in college and associated himself with an “online community” that took him down a bad path. But they said he turned his life around, graduated from Penn State Abington with good grades, and stopped defrauding eBay months before federal agents knocked on his door. Broudy has complete remorse for his actions, his family wrote in pleading for leniency.

“He had no idea he was being investigated or watched, and stopped what he was doing on his own because he realized he was hurting others and found a better place in life to be a part of,” Loretta Broudy, Chad’s mother, wrote in a letter. “Chad has totally turned himself around and is a benefit to the community.”

Prosecutors say Chad Broudy only stopped his scheme once eBay patched the software error that he exploited.

“The defendant had a choice. He could have reported the glitch," U.S. Attorney William McSwain said in a statement in June, when Broudy was charged. "But he chose greed and crime over honesty. He took full advantage of the glitch and exploited it not once or twice, but more than 1,100 times, obtaining more than 3,000 items through fraud.”

The eBay glitch would fail to deduct monetary value from a gift card when a product was purchased with both the gift card and another payment method, prosecutors said. When buying items, Broudy would put nearly all of the product’s cost on the gift card, which would not get charged, and only a nominal amount on the other payment method, prosecutors said. That allowed him to buy items at virtually no cost.

The software bug existed from fall 2016 to January 2017, court records show. One other person discovered and took advantage of the glitch, but spent far less than Broudy, according to eBay, an e-commerce platform that lets customers buy or bid on products from merchants and other consumers. The company expects to be awarded full restitution from Broudy and has recovered $843 so far by charging his gift cards that had remaining balances.

“We have zero tolerance for criminal activity on our marketplace, and we’re pleased that this individual has been brought to justice," eBay spokesperson Ryan Moore said in a statement.

E-commerce fraud jumped 35 percent in 2018 among online retailers that made $10 million or more in sales, according to a survey of 200 companies by LexisNexis Risk Solutions. From mid-2016 to mid-2017, 5,000 companies across eight industries lost $57.8 billion because of e-commerce fraud, according to a report by PYMNTS, which covers payments and commerce news, and Signifyd, a fraud protection firm.

For mid- to large-size e-commerce merchants, each dollar of fraud results in $3.20 in losses, LexisNexis Risk Solutions found. These additional costs can include chargeback fees, merchandise replacements, and labor or investigation expenses

“It’s not just the $320,000” that was lost by eBay, said Kimberly Sutherland, senior director of fraud and identity management at LexisNexis Risk Solutions. “You could multiply that by 3.2 and that might be a better explanation of what that impact was, and why this particular merchant wanted to go after the fraudster.”

E-commerce frauds typically involve bad actors taking over consumer accounts, often using the personal information obtained in major data breaches, cyber security experts said. Hackers have also implanted credit card information-stealing software on e-commerce sites. And customers have defrauded companies by ordering online with credit cards, then canceling the charges, even though they received the goods or services.

Exploiting an existing glitch like Broudy appears to be less common, but there are cases. In January, a homeless man in Britain discovered a glitch on his debit card when he reportedly spent 68 British pounds at a store even though he didn’t have a penny to his name. He went on a 60,000-pound spending spree and was sent to jail for two years.

Broudy used four different eBay accounts and 113 gift cards to make 1,100 transactions exploiting the software glitch, according to court records. None of the eBay accounts was registered to Broudy’s complete name, but they included his last name and home address, and Broudy conducted the scheme using a computer at his Coatesville home, prosecutors said.

“Things would come in the mail frequently, but Chad said not to worry about it and that it was all purchased legally, and that he had money saved up from previous jobs he worked,” wrote Jeffrey Broudy, Chad’s older brother. “Nobody thought anything of it.”

Broudy resold items on eBay, the social media site Reddit, and Swappa, a technology e-commerce company, prosecutors said. But the feds don’t know how many products he resold. Although authorities said he purchased 3,000 items, they said he did not have nearly that many when the FBI searched his home.