Posted on: May 18, 2023, 04:10h.
Last updated on: May 18, 2023, 04:36h.
A Wisconsin teenager is facing federal criminal charges for working with other cyber thieves to sell access to DraftKings betting accounts and allegedly draining $600K from approximately 1,600 of those accounts.
Madison resident Joseph Garrison, 18, is facing six criminal counts. He surrendered himself Thursday to the FBI in New York and was scheduled to appear before US Magistrate Judge James Cott this afternoon. DraftKings wasn’t named in a press statement published by the United States Attorney for the Southern District of New York, but the gaming company confirmed it was the target of a credential-stuffing attack last November.
In credential-stuffing attacks, perpetrators steal account identifiers and/or email and password pairings, and later sell that data on the dark web. It’s estimated Garrison and his cohorts successfully accessed 60K DraftKings client accounts.
In some instances, the individuals who unlawfully accessed the Victim Accounts were able to add a new payment method on the account, deposit $5 into that account through the new payment method to verify that method, and then withdraw all the existing funds in the Victim Account through the new payment method (i.e., to a newly added financial account belonging to the hacker), thus stealing the funds in the Victim Account,” according to the statement.
A February search of Garrison’s home turned up evidence of computer programs used for this form of cybercrime.
Scope of DraftKings Hacker Larger than Feared
In confirming the cyber-breach last November, DraftKings initially said that less than $300K in client funds were affected by the hack.
In a December 2022 filing with the Maine Attorney General’s office, the sportsbook operator said 68K accounts were impacted by the attack. Immediately following the attack, the Boston-based company told customers highly sensitive data, such as bank account, driver’s license, and Social Security numbers weren’t accessed.
DraftKings added the cybercriminals likely accessed clients’ names, addresses, phone numbers, and email addresses along with the last four digits of their payment cards, their account activity, and the date of their last password change.
Garrison is charged with “conspiracy to commit computer intrusions, which carries a maximum sentence of five years in prison; unauthorized access to a protected computer to further intended fraud, which carries a maximum sentence of five years in prison; unauthorized access to a protected computer, which carries a maximum sentence of five years in prison; wire fraud conspiracy, which carries a maximum sentence of 20 years in prison; wire fraud, which carries a maximum sentence of 20 years in prison; and aggravated identity theft, which carries a mandatory minimum sentence of two years in prison,” according to the statement.
For Garrison, Fraud Was ‘Fun’
In the February search of Garrison’s residence, law enforcement officers also seized his cell phone, which contained details of his interactions with his band of cyber actors, as well as indications that he enjoyed perpetrating the fraud and subsequent financial spoils.
“Fraud is fun . . . im addicted to see money in my account . . . im like obsessed with bypassing (expletive),” he wrote in a text.
Assistant U.S. Attorneys Kevin Mead and Micah Fergenson will lead the prosecution, which falls under the US Attorney’s Complex Frauds and Cybercrime Unit.