Sign Up For Card Player's Newsletter And Free Bi-Monthly Online Magazine

Wisconsin Teen Charged With Hacking Fantasy Sports And Betting Website

$600K Stolen From About 1,600 Victims

Print-icon
 

The federal government in New York announced Thursday the unsealing of a six-count criminal complaint charging Joseph Garrison in connection with a scheme to hack user accounts at a fantasy sports and betting website and sell access to those accounts to steal hundreds of thousands of dollars.

The government didn’t name the website, but, according to reports, the website was DraftKings Sportsbook.

“As alleged, Garrison used a credential stuffing attack to hack into the accounts of tens of thousands of victims and steal hundreds of thousands of dollars,” U.S. Attorney Damian Williams said in a statement.

“Garrison attained unauthorized access to victim accounts using a sophisticated cyber-breaching attack to steal hundreds of thousands of dollars,” FBI Assistant Director in Charge Michael J. Driscoll said. “Cyber intrusions aiming to steal private individuals’ funds represent a serious risk to our economic security.”

In 2022, Garrison allegedly launched a “credential stuffing attack” on DraftKings. During a credential stuffing attack, a cyber threat actor collects stolen credentials, or username and password pairs, obtained from other large-scale data breaches of other companies, which can be purchased on the dark web.

According to the government, the threat actor then systematically attempts to use those stolen credentials to obtain unauthorized access to accounts held by the same user with other companies and providers to compromise accounts where the user has maintained the same password. In connection with the attack on DraftKings, there was a series of attempts to log into accounts using a large list of stolen credentials.

Garrison and others successfully accessed approximately 60,000 accounts. In some instances, the individuals who unlawfully accessed the victim accounts were able to add a new payment method on the account, deposit $5 into that account through the new payment method to verify that method, and then withdraw all the existing funds in the victim account through the new payment method, thus stealing the funds in the victim account. Using this method, Garrison and others stole approximately $600,000 from about 1,600 victims.

The 18-year-old from Madison, Wisconsin, is charged with conspiracy to commit computer intrusions, which carries a maximum sentence of five years in prison; unauthorized access to a protected computer to further intended fraud, which carries a maximum sentence of five years in prison; unauthorized access to a protected computer, which carries a maximum sentence of five years in prison; wire fraud conspiracy, which carries a maximum sentence of 20 years in prison; wire fraud, which carries a maximum sentence of 20 years in prison; and aggravated identity theft, which carries a mandatory minimum sentence of two years in prison.