The federal government in New York announced Thursday it was opening a six-count criminal complaint charging Joseph Garrison in connection with a plan to hack into user accounts on a fantasy sports and betting website and sell access to them. account to steal hundreds of thousands of dollars.
The government has not named the website, but, according to reports, the website was DraftKings Sportsbook.
“As alleged, Garrison used a credential stuffing attack to hack into the accounts of tens of thousands of victims and steal hundreds of thousands of dollars,” US Attorney Damian Williams said in a statement.
“Garrison Gained Unauthorized Access To Victims’ Accounts Using Sophisticated Hacking Attack To Steal Hundreds Of Thousands Of Dollars,” FBI Acting Assistant Director Michael J. Driscoll said. “Cyber intrusions aimed at stealing funds from private individuals pose a serious risk to our economic security.”
In 2022, Garrison reportedly launched a “credential stuffing attack” against DraftKings. During a credential stuffing attack, a cyberthreat actor harvests stolen credentials, or username and password pairs, obtained from other companies’ other large-scale data breaches, which can be purchased on the dark web.
According to the government, the threat actor then systematically tries to use those stolen credentials to gain unauthorized access to accounts held by the same user with other companies and vendors to compromise the accounts where the user kept the same password. In connection with the attack on DraftKings, there were a number of attempts to access accounts using a large list of stolen credentials.
Garrison and others have successfully logged into approximately 60,000 accounts. In some cases, people who illegally accessed victims’ accounts were able to add a new payment method to the account, deposit $5 into that account via the new payment method to verify that method, and then withdraw all the existing funds in the victim’s account through the new payment method, thus stealing the funds in the victim’s account. Using this method, Garrison and others stole an estimated $600,000 from approximately 1,600 victims.
The 18-year-old from Madison, Wisconsin is charged with conspiracy to commit computer break-ins, which carries a maximum sentence of five years in prison; unauthorized access to a protected computer for further intentional fraud, which carries a maximum penalty of five years’ imprisonment; unauthorized access to a protected computer, which carries a maximum penalty of five years in prison; wire fraud conspiracy, which carries a maximum penalty of 20 years in prison; wire fraud, which carries a maximum penalty of 20 years in prison; and aggravated identity theft, which carries a mandatory minimum sentence of two years’ imprisonment.