The U.S. Department of Justice has charged Joseph Garrison of Madison, Wisconsin, with six criminal counts for his role in working with cyber thieves to sell access to more than 60,000 DraftKings accounts. He’s believed to be the mastermind behind the credential-stuffing attack against the online sports betting site in November 2022, when more than $600,000 was drained from about 1,600 customer accounts.
According to the court statement, individuals who illegally accessed the stolen accounts successfully added a new payment method and made a small deposit into the accounts using that method to verify it. They then withdrew all existing funds in the account using the new payment method, which belonged to the hacker.
Garrison used a list of credentials stolen in other data breaches to gain access to the DraftKings accounts, which he sold to other cybercriminals who withdrew about $600,000 from the accessed accounts. The defendant is said to have earned over $5,000 from his credential-stuffing scheme on the DraftKings site.
Attack Larger Than First Thought
DraftKings informed customers immediately after the attack that sensitive data like bank account info, identity documents, and Social Security numbers weren’t at risk, and the hack affected less than $300,000 in customer funds. The company then filed a complaint with the Maine Attorney General in December 2022, saying that 68,000 accounts were affected.
All funds were returned to DraftKings customers’ accounts following the data breach after a stressful period for thousands of clients affected by the hacks. FanDuel wasn’t attacked, although criminals did try to compromise customer accounts. It’s unclear if DraftKings has updated its security systems since the attack last year.
DraftKings Employees First Learned of Scheme
Federal authorities were informed of the credential stuffing attack after DraftKings employees successfully purchased stolen data, along with detailed instructions on how to steal funds from the accounts. On January 9, a federal agent bought login credentials for two customer accounts for $11 and was provided screenshots and instructions on accessing the money in the accounts, according to the complaint.
During a February search of Garrison’s home, agents found credential-stuffing software and files with almost 40 million usernames and passwords. They also discovered phone messages where he discussed how to hack the DraftKings site and make a profit with his associates.
Law enforcement found eleven different betting website configurations on Garrison’s computer, the earliest of which was created one day before the DraftKings attack on November 17, 2022. They also found chats between him and his co-conspirators about how to attack the sites, with Garrison stating in one of the chats that “fraud is fun.”
Madison police interviewed Garrison in June 2022, where he allegedly admitted to a hacking scheme he conducted from 2018 to 2021, where he made about $800,000. He reportedly ran a website named Goat Shop, where he sold access to hacked betting accounts. However, according to the complaint, federal agents found a screenshot on his phone showing that he profited about $2 million from that activity.
Garrison surrendered to the FBI in New York last Thursday and has been charged with one count each of conspiracy to commit computer intrusions, unauthorized access to a protected computer to further intended fraud, aggravated identity theft, and two counts of wire fraud. Each count carries a maximum sentence of five years in prison except for aggravated identity theft, which has a maximum 20-year sentence.
Last Updated on by Ryan