Federal authorities in New York on Thursday announced the disclosure of a six-count criminal complaint charging Joseph Garrison in connection with a scheme to hack into user accounts at a fantasy sports and betting website and sell access to those accounts in order to steal hundreds of thousands of dollars.
The government did not name the site, but according to reports, it was the DraftKings Sportsbook website.
“As alleged, Garrison used a credential stuffing attack to hack into the accounts of tens of thousands of victims and steal hundreds of thousands of dollars,” U.S. Attorney Damian Williams said in a statement.
“Garrison gained unauthorized access to victims’ accounts using a sophisticated hacking attack to steal hundreds of thousands of dollars,” said FBI Assistant Director in Charge Michael J. Driscoll. “Cyber hacks aimed at stealing people’s money pose a serious risk to our economic security.”
In 2022, Garrison allegedly launched a “credential stuffing attack” on DraftKings. During a credential stuffing attack, a cyber threat actor collects stolen credentials, or username and password pairs, obtained from other companies’ large-scale data breaches, which can be purchased on the dark web.
According to the government, the threat actor then systematically attempts to use these stolen credentials to gain unauthorized access to accounts held by the same user with other companies and providers, compromising accounts in which the user maintained the same password. In connection with the attack on DraftKings, there were a series of attempts to log into accounts using a large list of stolen credentials.
Garrison and others succeeded in accessing nearly 60,000 accounts. In some cases, individuals who illegally accessed victims’ accounts were able to add a new payment method on the account, deposit $5 into that account through the new payment method to verify that method, and then withdraw all the funds in the victim’s account through the new payment method, thus stealing the money in the victim’s account. Using this method, Garrison and others stole approximately $600,000 from approximately 1,600 victims.
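The cash-out sequence described above (a new payment method, a $5 verification deposit, then a withdrawal of the full balance through that method) leaves a recognizable trail in account event logs. The following detection rule is an added example, not part of the original report or any DraftKings system; the event names, fields, thresholds, and sample records are constructed assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # assumed: how long a new payment method counts as "fresh"
VERIFY_MAX = 5.00             # the $5 verification deposit described in the article
DRAIN_RATIO = 0.9             # assumed: share of the balance that counts as a drain

# Constructed sample events (not real data): (timestamp, account, event, details)
EVENTS = [
    # acct-1001: new method, $5 deposit, then the whole balance leaves through it
    ("2022-11-01T02:11:30", "acct-1001", "payment_method_added", {"method": "pm-A"}),
    ("2022-11-01T02:12:10", "acct-1001", "deposit", {"method": "pm-A", "amount": 5.00}),
    ("2022-11-01T02:14:45", "acct-1001", "withdrawal",
     {"method": "pm-A", "amount": 417.50, "balance_before": 417.50}),
    # acct-2002: long-standing method, so a full withdrawal is not flagged
    ("2022-11-01T09:00:00", "acct-2002", "deposit", {"method": "pm-B", "amount": 5.00}),
    ("2022-11-01T09:30:00", "acct-2002", "withdrawal",
     {"method": "pm-B", "amount": 250.00, "balance_before": 250.00}),
    # acct-3003: new method and small deposit, but only a partial withdrawal
    ("2022-11-01T10:00:00", "acct-3003", "payment_method_added", {"method": "pm-C"}),
    ("2022-11-01T10:05:00", "acct-3003", "deposit", {"method": "pm-C", "amount": 5.00}),
    ("2022-11-01T10:20:00", "acct-3003", "withdrawal",
     {"method": "pm-C", "amount": 20.00, "balance_before": 305.00}),
]

def find_cashouts(events):
    """Return alerts for accounts where a freshly added payment method got a
    small verification deposit and was then used to withdraw most of the balance."""
    added = {}        # (account, method) -> time the method was added
    verified = set()  # (account, method) pairs that received a small deposit
    alerts = []
    for ts, account, kind, d in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        key = (account, d.get("method"))
        if kind == "payment_method_added":
            added[key] = when
            verified.discard(key)
        elif key in added and when - added[key] <= WINDOW:
            if kind == "deposit" and d["amount"] <= VERIFY_MAX:
                verified.add(key)
            elif (kind == "withdrawal" and key in verified
                  and d["amount"] >= DRAIN_RATIO * d["balance_before"]):
                alerts.append({"account": account, "method": key[1],
                               "amount": d["amount"], "at": ts})
    return alerts

if __name__ == "__main__":
    for alert in find_cashouts(EVENTS):
        print(alert)
```

A rule like this complements login-side controls against credential stuffing, since it still fires when the attacker's login itself looked legitimate.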
The 18-year-old from Madison, Wisconsin, is charged with conspiracy to commit computer intrusions, which carries a maximum penalty of five years in prison; unauthorized access to a protected computer to further intended fraud, which carries a maximum penalty of five years in prison; unauthorized access to a protected computer, which carries a maximum penalty of five years in prison; wire fraud conspiracy, which carries a maximum penalty of 20 years in prison; wire fraud, which carries a maximum penalty of 20 years in prison; and aggravated identity theft, which carries a minimum penalty of two years in prison.