Wisconsin Teen Charged with $600k DraftKings Mass Hack

July 23, 2023
Andrew Burnett

A Wisconsin teen has been charged with the mass hacking of sports betting site DraftKings, with 18-year-old Joseph Garrison alleged to have made $600,000 from selling access to 16,000 accounts.

The FBI have unsealed a six-count criminal complaint charging Garrison “in connection with a scheme to hack user accounts at a fantasy sports and betting website and sell access to those accounts in order to steal hundreds of thousands of dollars from them.”

The credential stuffing attack (in which attackers attempt to reuse credentials that were previously compromised in breaches of other sites) was launched “on or about November 18, 2022” according to authorities.

Garrison, of Madison, Wisconsin, along with others, accessed approximately 60,000 DraftKings accounts. In certain cases, this allowed new payment methods to be added to the account.

A $5 deposit was enough to then allow the hackers to withdraw the entire holdings of that account. In total, Garrison and his crew stole “approximately $600,000 from approximately 1,600 Victim Accounts”, allege the FBI.

A search of Garrison’s home by law enforcement in February 2023 located “programs typically used for credential stuffing attacks” along with “700 ... config files” which allow websites to be targeted. These files were related to “dozens of different corporate websites on Garrison’s computer.”

Files containing “nearly 40 million username and password pairs” were also found on Garrison’s computer, while the main suspect’s cellphone held conversations between Garrison and co-conspirators.

These conversations centred on how to hack DraftKings and how to profit from extracting funds and selling access to the victims’ accounts.

Garrison revealed in one discussion: “Fraud is fun ... I’m addicted to see money in my account ... I’m like obsessed with bypassing shit.”

“As alleged, Garrison used a credential stuffing attack to hack into the accounts of tens of thousands of victims and steal hundreds of thousands of dollars,” said Damian Williams, the United States Attorney for the Southern District of New York.

He added: “Today, thanks to the work of my Office and the FBI, Garrison learned that you shouldn’t bet on getting away with fraud.”

FBI Assistant Director in Charge Michael J. Driscoll said: “As alleged, Garrison attained unauthorized access to victim accounts using a sophisticated cyber-breaching attack to steal hundreds of thousands of dollars.”

Driscoll added: “Cyber intrusions aiming to steal private individuals’ funds represent a serious risk to our economic security. Combating cyberattacks and holding the responsible threat actors accountable in the criminal justice system remains a top priority for the FBI.”

According to a press release about the indictment, Garrison is charged with:

  • conspiracy to commit computer intrusions, which carries a maximum sentence of five years in prison;
  • unauthorized access to a protected computer to further intended fraud, which carries a maximum sentence of five years in prison;
  • unauthorized access to a protected computer, which carries a maximum sentence of five years in prison;
  • wire fraud conspiracy, which carries a maximum sentence of 20 years in prison;
  • wire fraud, which carries a maximum sentence of 20 years in prison; and
  • aggravated identity theft, which carries a mandatory minimum sentence of two years in prison.