Monday, May 22, 2023
Federal officials have charged an 18-year-old Wisconsin resident for a hack that ensnared 60,000 user accounts at sports betting site DraftKings last year.
Joseph Garrison has been charged with conspiring to drain funds from DraftKings user accounts via a "credential stuffing attack." This involves taking usernames and passwords exposed in past data breaches and using computer programs to plug the stolen credentials into other sites in an attempt to break into accounts that used the same username/password combinations.
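The traffic shape that description implies is what a defender looks for: one source trying recycled username/password pairs against many different accounts in a short time, with most attempts failing and the occasional hit on an account whose owner reused a password. The following is an added illustration, not code from the article, from DraftKings or from the investigation; the log format, the IP addresses and usernames, and the thresholds (10 distinct accounts and an 80 percent failure ratio inside a five-minute window) are all constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real DraftKings data).
# Format per line: "<ISO timestamp> <source IP> <username> <SUCCESS|FAIL>"
# 203.0.113.7 sprays 15 recycled username/password pairs at 15 different
# accounts in 15 seconds; one works because that user reused a password.
# 198.51.100.5 is a legitimate user who mistypes twice, then logs in.
_ATTACKER_LINES = [
    f"2023-11-18T10:00:{i:02d} 203.0.113.7 user{i:02d} {'SUCCESS' if i == 9 else 'FAIL'}"
    for i in range(15)
]
_LEGIT_LINES = [
    "2023-11-18T10:00:05 198.51.100.5 carol FAIL",
    "2023-11-18T10:00:20 198.51.100.5 carol FAIL",
    "2023-11-18T10:00:41 198.51.100.5 carol SUCCESS",
]
SAMPLE_LOG = "\n".join(_ATTACKER_LINES + _LEGIT_LINES)


def parse_line(line):
    """Parse one log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "SUCCESS"


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_accounts=10, min_fail_ratio=0.8):
    """Return {ip: stats} for every source IP whose login attempts, inside
    some sliding window of length `window`, touch at least `min_accounts`
    distinct usernames with a failure ratio of at least `min_fail_ratio`.
    A normal user retrying one account never trips the distinct-account bar."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            events[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        for start_idx, (start_ts, _, _) in enumerate(evs):
            in_window = [e for e in evs[start_idx:] if e[0] - start_ts <= window]
            users = {u for _, u, _ in in_window}
            failures = sum(1 for _, _, ok in in_window if not ok)
            fail_ratio = failures / len(in_window)
            if len(users) >= min_accounts and fail_ratio >= min_fail_ratio:
                flagged[ip] = {
                    "attempts": len(in_window),
                    "distinct_accounts": len(users),
                    "fail_ratio": round(fail_ratio, 2),
                    # Successful logins from a flagged source are the accounts
                    # whose reused password matched; those need a forced reset
                    # and a review of any payment-method changes.
                    "compromised_accounts": sorted(u for _, u, ok in in_window if ok),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, stats)
```

Run against the constructed log, the detector flags only 203.0.113.7 and lists user09 as the account that was actually taken over; the legitimate user's two typos against a single account never reach the distinct-account threshold. In production the same logic is usually run per source IP, per autonomous system and per device fingerprint, since stuffing tools rotate addresses through proxies.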
Federal officials didn’t name the sports betting site. But DraftKings told PCMag it worked with law enforcement to catch the “bad actor(s)” behind the assault. (In December, the company also warned users about the incident.)
Garrison allegedly launched the credential stuffing attack with the help of others on DraftKings in November, successfully compromising about 60,000 accounts. “Garrison then sold access to those victim accounts through various websites that marketed and sold illegal account credentials,” the FBI says in a criminal complaint.
Garrison sold the hijacked DraftKings accounts with instructions on how to drain the funds, which involved adding a new payment method to a hijacked account. “Using this method, the hackers stole approximately $600,000 from approximately 1,600 victim accounts,” the FBI says.
Federal investigators connected Garrison to the crimes by looking at the IP address “that uploaded the instructions to use those stolen credentials to steal money from the victim accounts.” That IP address was tied to a Wisconsin residence belonging to Garrison’s parents. Law enforcement then searched his home, including his home computer and smartphone.
“On the Garrison computer, law enforcement located at least 69 wordlists which contained at least 38,484,088 individual username and password combinations,” the FBI’s complaint says. Investigators also uncovered messages Garrison sent to his associates about pulling off the hacks, and selling access to hijacked DraftKings accounts.
“In one particular conversation, Garrison discussed, in substance and in part, how successful he was at credential stuffing attacks, how much he enjoyed credential stuffing attacks, and how Garrison believed that law enforcement would not catch or prosecute him,” federal officials say.
Garrison also previously ran a site called “Goat Shop,” which sold hacked user accounts, making $15,000 per day at its peak. But it looks like he was forced to stop running the shop, since the FBI’s criminal complaint notes that Wisconsin police interviewed Garrison in June 2022, when he would have been a minor.
Despite the police interview, Garrison couldn’t stop himself from engaging in more hacking activities. “Fraud is fun,” he texted to one associate two months before targeting DraftKings. “I’m addicted to see money in my account… idk I’m like obsessed with bypassing shit.”
Copyright © 2023 CST, Inc. All Rights Reserved